Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIGCOMM 2002 New Directions in Traffic Measurement and Accounting Focusing on the Elephants, Ignoring the Mice Cristian Estan and George Varghese University.

Published byJoseph Flowers Modified over 9 years ago

Similar presentations

Presentation on theme: "SIGCOMM 2002 New Directions in Traffic Measurement and Accounting Focusing on the Elephants, Ignoring the Mice Cristian Estan and George Varghese University."— Presentation transcript:

1 SIGCOMM 2002 New Directions in Traffic Measurement and Accounting Focusing on the Elephants, Ignoring the Mice Cristian Estan and George Varghese University of California, San Diego

2 SIGCOMM 2002 Talk outline Problem definition Sample and hold Multistage filters Validation, measurements Conclusions

3 SIGCOMM 2002 Traffic analysis today Router Fast link Measurement module Sampled packets Workstation Large raw data Collection and analysis software Concise analysis results Offline analysis

4 SIGCOMM 2002 Our research agenda Router Real-time analysis Is it doable? Is it better? Fast link Measurement module Concise analysis results

5 SIGCOMM 2002 What is traffic analysis used for? Network planning: need to know traffic between pairs of networks (traffic matrix) Accounting: usage based billing Detecting DoS attacks: flood attacks Application characterization: breaking up the traffic based on port numbers …

6 SIGCOMM 2002 Common abstractions Packets are grouped together into streams based on header fields  Traffic matrix – by source and destination AS  DoS attacks – by destination IP address Measuring large streams (this paper) Estimating the number of active streams (poster) …

7 SIGCOMM 2002 Why is measuring streams hard? Cheap memories (DRAM) are too slow to count all packets Fast memories (SRAM) are too small to keep counters for all streams Opportunity: elephants matter, mice don’t Problem: usually we don’t know in advance which streams are large

8 SIGCOMM 2002 Problem definition Given a fixed definition for streams, measure large streams accurately  Large = above 1% of link capacity over a 1 minute interval Assumptions  Mice don’t matter  Accuracy of results important

9 SIGCOMM 2002 Talk outline Problem definition Sample and hold Multistage filters Validation, measurements Conclusions

10 SIGCOMM 2002 How does sample and hold work? stream memory stream1 1 Sample Insert

11 SIGCOMM 2002 How does sample and hold work? stream memory stream1 1stream1 2 Update

12 SIGCOMM 2002 How does sample and hold work? stream memory stream1 2 stream2 1 Sample Insert

13 SIGCOMM 2002 Why is sample & hold better? uncertainty Sample and hold Ordinary sampling

14 SIGCOMM 2002 Comparing the relative error of the estimate for a stream at 1/F of the link bandwidth Memory limited to M entries How much better is it? Measure Ordinary sampling Sample and hold Error √ F/MF/M Memory accesses 1/S1

15 SIGCOMM 2002 Talk outline Problem definition Sample and hold Multistage filters Validation, measurements Conclusions

16 SIGCOMM 2002 Multistage filters Characteristics: No large stream is ever omitted Very few entries are used by small streams Better performance but implementation and tuning is more complex

17 SIGCOMM 2002 How do multistage filters work? stream memory Array of counters Hash(Pink)

18 SIGCOMM 2002 How do multistage filters work? stream memory Array of counters Hash(Green)

19 SIGCOMM 2002 How do multistage filters work? stream memory Array of counters Hash(Green)

20 SIGCOMM 2002 How do multistage filters work? stream memory

21 SIGCOMM 2002 How do multistage filters work? stream memory Collisions are OK

22 SIGCOMM 2002 How do multistage filters work? stream memory stream1 1 Insert Reached threshold

23 SIGCOMM 2002 How do multistage filters work? stream memory stream1 1

24 SIGCOMM 2002 How do multistage filters work? stream memory stream1 1 stream2 1

25 SIGCOMM 2002 Stage 2 How do multistage filters work? stream memory stream1 1 Stage 1

26 SIGCOMM 2002 Conservative update Gray = all prior packets

27 SIGCOMM 2002 Conservative update Redundant

28 SIGCOMM 2002 Conservative update

29 SIGCOMM 2002 Talk outline Problem definition Sample and hold Multistage filters Validation, measurements Conclusions

30 SIGCOMM 2002 Validation Analytical evaluation Comparison of analytical results to measured performance Comparison of full measurement devices using different algorithms

31 SIGCOMM 2002 On traces, algorithms much better than analysis predicts Number of stages Percentage of small streamspassingfilter (log scale) TheoryZipfActual Conservativeupdate

32 SIGCOMM 2002 Measurement results Setup: OC48 trace, 100,000 TCP flows, 5 second intervals, ordinary sampling - unlimited memory, sampling 1 in 16 our algorithms - 1Mbit, adapting parameters to keep it around 90% full Large streams (above 0.1%): ordinary sampling has an error of 9% sample and hold 0.075%, multistage filter 0.037%

33 SIGCOMM 2002 Talk outline Problem definition Sample and hold Multistage filters Validation, measurements Conclusions

34 SIGCOMM 2002 Our contributions Abstraction:  Real-time packet analysis abstractions can help systematize router implementations.  While the notion of elephants and mice is inherent in earlier work, we abstracted measurement of large streams - it can be used by many applications.

35 SIGCOMM 2002 Our contributions (2) Algorithms:  Sample and hold is a simple and efficient algorithm for identifying and measuring large streams.  Multistage filters with conservative update perform better but are more complex.  Both can be used for real-time as well as offline analysis.

36 SIGCOMM 2002 Our contributions (3) Validation:  Theoretical results that make no assumptions on traffic distribution  Simulations on traces are orders of magnitude better  Preliminary hardware design (John Huber) indicates feasibility at OC192 speeds

37 SIGCOMM 2002 Thank you!

38 SIGCOMM 2002 Optimizations to sample and hold Preserving entries: Keep large entries from one measurement interval to the next  Reduces error by a factor of 6 Early removal: Quickly remove entries that do not accumulate much traffic  Reduces memory usage by 25%

39 SIGCOMM 2002 Optimizations to multistage filters Preserving entries: Keep large entries from one measurement interval to the next  Reduces error by a factor of 5 Shielding: Large streams identified in previous intervals don’t pass through the filter  Reduces memory usage by up to 70%

Download ppt "SIGCOMM 2002 New Directions in Traffic Measurement and Accounting Focusing on the Elephants, Ignoring the Mice Cristian Estan and George Varghese University."

Similar presentations

New Packet Sampling Technique for Robust Flow Measurements Shigeo Shioda Department of Architecture and Urban Science Graduate School of Engineering, Chiba.

New Packet Sampling Technique for Robust Flow Measurements Shigeo Shioda Department of Architecture and Urban Science Graduate School of Engineering, Chiba.
Bitmap algorithms for flow counting – Internet Measurement Conference, October 2003 Bitmap Algorithms for Counting Active Flows on High Speed Links Cristian.

Bitmap algorithms for flow counting – Internet Measurement Conference, October 2003 Bitmap Algorithms for Counting Active Flows on High Speed Links Cristian.
New Directions in Traffic Measurement and Accounting Cristian Estan (joint work with George Varghese)

New Directions in Traffic Measurement and Accounting Cristian Estan (joint work with George Varghese)
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
Data Streaming Algorithms for Accurate and Efficient Measurement of Traffic and Flow Matrices Qi Zhao*, Abhishek Kumar*, Jia Wang + and Jun (Jim) Xu* *College.

Data Streaming Algorithms for Accurate and Efficient Measurement of Traffic and Flow Matrices Qi Zhao*, Abhishek Kumar*, Jia Wang + and Jun (Jim) Xu* *College.
Cisco S3 C5 Routing Protocols. Network Design Characteristics Reliable – provides mechanisms for error detection and correction Connectivity – incorporate.

Cisco S3 C5 Routing Protocols. Network Design Characteristics Reliable – provides mechanisms for error detection and correction Connectivity – incorporate.
Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.

Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.
OpenSketch Slides courtesy of Minlan Yu 1. Management = Measurement + Control Traffic engineering – Identify large traffic aggregates, traffic changes.

OpenSketch Slides courtesy of Minlan Yu 1. Management = Measurement + Control Traffic engineering – Identify large traffic aggregates, traffic changes.
A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,

A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,
Fine-Grained Latency and Loss Measurements in the Presence of Reordering Myungjin Lee, Sharon Goldberg, Ramana Rao Kompella, George Varghese.

Fine-Grained Latency and Loss Measurements in the Presence of Reordering Myungjin Lee, Sharon Goldberg, Ramana Rao Kompella, George Varghese.
Detecting DDoS Attacks on ISP Networks Ashwin Bharambe Carnegie Mellon University Joint work with: Aditya Akella, Mike Reiter and Srinivasan Seshan.

Detecting DDoS Attacks on ISP Networks Ashwin Bharambe Carnegie Mellon University Joint work with: Aditya Akella, Mike Reiter and Srinivasan Seshan.
A Data Stream Management System for Network Traffic Management Shivnath Babu Stanford University Lakshminarayanan Subramanian Univ. California, Berkeley.

A Data Stream Management System for Network Traffic Management Shivnath Babu Stanford University Lakshminarayanan Subramanian Univ. California, Berkeley.
SKELETON BASED PERFORMANCE PREDICTION ON SHARED NETWORKS Sukhdeep Sodhi Microsoft Corp Jaspal Subhlok University of Houston.

SKELETON BASED PERFORMANCE PREDICTION ON SHARED NETWORKS Sukhdeep Sodhi Microsoft Corp Jaspal Subhlok University of Houston.
PERSISTENT DROPPING: An Efficient Control of Traffic Aggregates Hani JamjoomKang G. Shin Electrical Engineering & Computer Science UNIVERSITY OF MICHIGAN,

PERSISTENT DROPPING: An Efficient Control of Traffic Aggregates Hani JamjoomKang G. Shin Electrical Engineering & Computer Science UNIVERSITY OF MICHIGAN,
Measuring Large Traffic Aggregates on Commodity Switches Lavanya Jose, Minlan Yu, Jennifer Rexford Princeton University, NJ 1.

Measuring Large Traffic Aggregates on Commodity Switches Lavanya Jose, Minlan Yu, Jennifer Rexford Princeton University, NJ 1.
Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research.

Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research.
1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.

1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.
Polytechnic University,ECE Department1 Detection of “Hot Spots” Paper Title : Joint Data Streaming and Sampling Techniques for Detection of Super Sources.

Polytechnic University,ECE Department1 Detection of “Hot Spots” Paper Title : Joint Data Streaming and Sampling Techniques for Detection of Super Sources.
Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.

Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.
Shadow Configurations: A Network Management Primitive Richard Alimi, Ye Wang, Y. Richard Yang Laboratory of Networked Systems Yale University.

Shadow Configurations: A Network Management Primitive Richard Alimi, Ye Wang, Y. Richard Yang Laboratory of Networked Systems Yale University.

Similar presentations

Ads by Google