Pegasus: Precision hunting for icebergs and anomalies in network flows

Accurate online network monitoring is crucial for detecting attacks, faults, and anomalies, and determining traffic properties across the network. With high bandwidth links and consequently increasing traffic volumes, it is difficult to collect and analyze detailed flow records in an online manner. Traditional solutions that decouple data collection from analysis resort to sampling and sketching to handle large monitoring traffic volumes. We propose a new system, Pegasus, to leverage commercially available co-located compute and storage devices near routers and switches. Pegasus adaptively manages data transfers between monitors and aggregators based on traffic patterns and user queries. We use Pegasus to detect global icebergs or global heavy-hitters. Icebergs are flows with a common property that contribute a significant fraction of network traffic. For example, DDoS attack detection is an iceberg detection problem with a common destination IP. Other applications include identification of “top talkers,” top destinations, and detection of worms and port scans. Experiments with Abilene traces, sFlow traces from an enterprise network, and deployment of Pegasus as a live monitoring service on PlanetLab show that our system is accurate and scales well with increasing traffic and number of monitors.
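The abstract describes iceberg detection as finding keys (here, destination IPs) whose traffic summed across all monitors exceeds a fraction of the network total. The following is an added illustration, not Pegasus's own code and not taken from the paper: it uses the classical two-phase local-threshold protocol (each of k monitors reports only keys carrying at least T/k locally, then the aggregator pulls exact counts for those candidates), which is an assumption about how to aggregate and not the adaptive transfer scheme the abstract mentions. The monitor names, IPs and byte counts are constructed sample data.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# One exported flow record: (source IP, destination IP, bytes). Constructed layout.
FlowRecord = Tuple[str, str, int]

# Constructed sample exports from three monitors (synthetic, not real traces).
# Traffic toward 10.0.0.5 is spread across all three monitors, so it is a
# global iceberg even though no single monitor carries most of it.
MONITOR_EXPORTS: Dict[str, List[FlowRecord]] = {
    "mon-A": [
        ("192.0.2.10", "10.0.0.5", 300),
        ("192.0.2.11", "10.0.0.7", 900),
        ("192.0.2.12", "10.0.0.5", 250),
    ],
    "mon-B": [
        ("198.51.100.4", "10.0.0.5", 400),
        ("198.51.100.5", "10.0.0.9", 100),
        ("198.51.100.6", "10.0.0.5", 200),
    ],
    "mon-C": [
        ("203.0.113.8", "10.0.0.5", 350),
        ("203.0.113.9", "10.0.0.7", 100),
        ("203.0.113.10", "10.0.0.11", 150),
    ],
}


def local_counts(records: List[FlowRecord]) -> Counter:
    """Per-monitor byte counts keyed by destination IP (the 'common property')."""
    counts: Counter = Counter()
    for _src, dst, nbytes in records:
        counts[dst] += nbytes
    return counts


def _per_monitor(exports: Dict[str, List[FlowRecord]]) -> Dict[str, Counter]:
    return {name: local_counts(recs) for name, recs in exports.items()}


def global_threshold(exports: Dict[str, List[FlowRecord]], phi: float) -> float:
    """T = phi * (total bytes across all monitors). Each monitor only needs to
    ship its local total, a single number, for the aggregator to compute T."""
    total = sum(sum(c.values()) for c in _per_monitor(exports).values())
    return phi * total


def candidate_keys(exports: Dict[str, List[FlowRecord]], phi: float) -> Set[str]:
    """Phase 1: a monitor reports only keys whose local volume is >= T/k.
    If a key's global total is >= T, the pigeonhole principle guarantees at
    least one of the k monitors sees >= T/k of it, so no global iceberg is
    dropped by this filter; keys that never reach T/k anywhere cost nothing."""
    k = len(exports)
    local_thr = global_threshold(exports, phi) / k
    candidates: Set[str] = set()
    for counts in _per_monitor(exports).values():
        candidates |= {key for key, vol in counts.items() if vol >= local_thr}
    return candidates


def detect_global_icebergs(exports: Dict[str, List[FlowRecord]], phi: float) -> Dict[str, int]:
    """Phase 2: pull exact counts for the candidate keys only and keep those
    whose network-wide volume is >= T. Returns {dest_ip: global_bytes}."""
    T = global_threshold(exports, phi)
    per_monitor = _per_monitor(exports)
    icebergs: Dict[str, int] = {}
    for key in candidate_keys(exports, phi):
        exact = sum(counts.get(key, 0) for counts in per_monitor.values())
        if exact >= T:
            icebergs[key] = exact
    return icebergs


def local_only_icebergs(exports: Dict[str, List[FlowRecord]], phi: float) -> Dict[str, Set[str]]:
    """What each monitor would flag if it judged phi against its *own* traffic.
    Used to show why a local view misreports global heavy hitters."""
    flagged: Dict[str, Set[str]] = {}
    for name, counts in _per_monitor(exports).items():
        local_total = sum(counts.values())
        flagged[name] = {k for k, v in counts.items() if v >= phi * local_total}
    return flagged


if __name__ == "__main__":
    print("candidates:", candidate_keys(MONITOR_EXPORTS, 0.5))
    print("global icebergs:", detect_global_icebergs(MONITOR_EXPORTS, 0.5))
    print("local-only view:", local_only_icebergs(MONITOR_EXPORTS, 0.5))
```

With phi = 0.5 the global threshold is 1375 bytes and the local threshold 458.3; only two destinations are ever reported in phase 1 (mon-C reports nothing beyond its total), and only 10.0.0.5 survives phase 2. The local-only view shows the failure mode the abstract's "global" qualifier guards against: mon-A flags 10.0.0.7 because it dominates that monitor's traffic, yet network-wide it falls below the threshold.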
