AMON: An Open Source Architecture for Online Monitoring, Statistical Analysis, and Forensics of Multi-Gigabit Streams

The Internet, as a global system of interconnected networks, carries an extensive array of information resources and services. Key requirements include good quality-of-service and protection of the infrastructure from nefarious activity [e.g., distributed denial of service (DDoS) attacks]. Network monitoring is essential to network engineering, capacity planning, and prevention/mitigation of threats. We develop an open-source architecture, All-packet MONitor (AMON), for online monitoring and analysis of multi-gigabit network streams. It leverages the high-performance packet monitor PF_RING and is readily deployable on commodity hardware. AMON examines all packets, partitions traffic into sub-streams by using rapid hashing and computes certain real-time data products. The resulting data structures provide views of the intensity and connectivity structure of network traffic at the time-scale of routing. The proposed integrated framework includes modules for the identification of heavy-hitters as well as for visualization and statistical detection at the time-of-onset of high-impact events such as DDoS. This allows operators to quickly visualize and diagnose attacks, and limit offline and time-consuming post-mortem analysis. We demonstrate our system in the context of real-world attack incidents, and validate it against state-of-the-art alternatives. AMON has been deployed and is currently processing multi-gigabit live Internet traffic at Merit Network. It is extensible and allows the addition of further statistical and filtering modules for real-time forensics.
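To make the architecture described above concrete, the following added example (written for this page; it is not AMON's code and not taken from the paper) hash-partitions a packet stream into source and destination sub-streams, accumulates two per-window data products (a byte-count matrix as the intensity view and the set of distinct sources per cell as the connectivity view), ranks heavy-hitter cells, and flags a destination bucket whose intensity jumps far above an exponentially weighted baseline. The bucket count, the keyed BLAKE2b hash, the EWMA parameters and the packet records are all assumptions chosen for illustration; the real system's parameters and data structures are not stated on this page.

```python
"""
Added illustration, not AMON's own code: hash-partition a packet stream into
sub-streams, build per-window intensity and connectivity views, pick out
heavy hitters and flag a flooded destination bucket against an EWMA baseline.
All packet records are constructed sample data, not real captures.
"""
import hashlib
from collections import defaultdict

NUM_BUCKETS = 64  # assumed sub-stream count; the paper's value is not given here


def bucket(ip: str, key: bytes = b"per-deployment-secret") -> int:
    """Map an IP string to one of NUM_BUCKETS sub-streams with a keyed hash.
    Keying the hash (assumption: BLAKE2b) keeps the partition unpredictable,
    so a sender cannot deliberately crowd one cell or dodge a busy one."""
    digest = hashlib.blake2b(ip.encode(), key=key, digest_size=4).digest()
    return int.from_bytes(digest, "big") % NUM_BUCKETS


class Window:
    """Data products for one time window: a NUM_BUCKETS x NUM_BUCKETS byte-count
    matrix (intensity) and the distinct source IPs per cell (connectivity)."""

    def __init__(self):
        self.bytes = [[0] * NUM_BUCKETS for _ in range(NUM_BUCKETS)]
        self.sources = defaultdict(set)  # (src_bucket, dst_bucket) -> set of src IPs

    def add(self, src: str, dst: str, length: int) -> None:
        sb, db = bucket(src), bucket(dst)
        self.bytes[sb][db] += length
        self.sources[(sb, db)].add(src)

    def heavy_hitters(self, k: int = 3):
        """The k busiest cells as (bytes, src_bucket, dst_bucket), largest first."""
        cells = [(self.bytes[s][d], s, d)
                 for s in range(NUM_BUCKETS) for d in range(NUM_BUCKETS)
                 if self.bytes[s][d]]
        return sorted(cells, reverse=True)[:k]

    def dst_intensity(self):
        """Column sums: total bytes addressed to each destination bucket."""
        return [sum(self.bytes[s][d] for s in range(NUM_BUCKETS))
                for d in range(NUM_BUCKETS)]

    def dst_fan_in(self):
        """Distinct source IPs per destination bucket; a sudden fan-in spike
        with a byte spike is the signature a flood leaves in the connectivity view."""
        fan = [set() for _ in range(NUM_BUCKETS)]
        for (_, d), srcs in self.sources.items():
            fan[d] |= srcs
        return [len(s) for s in fan]


class EwmaDetector:
    """Per-destination-bucket EWMA baseline. A bucket is flagged when its
    intensity exceeds `factor` times the baseline, after `warmup` windows.
    Buckets with a zero baseline are never flagged, so a brand-new destination
    needs a few quiet windows before it can alert (a deliberate simplification)."""

    def __init__(self, alpha: float = 0.3, factor: float = 5.0, warmup: int = 2):
        self.alpha, self.factor, self.warmup = alpha, factor, warmup
        self.mean = [0.0] * NUM_BUCKETS
        self.seen = 0

    def update(self, intensity):
        alerts = []
        for d, x in enumerate(intensity):
            if self.seen >= self.warmup and self.mean[d] > 0 and x > self.factor * self.mean[d]:
                alerts.append(d)
            self.mean[d] = self.alpha * x + (1 - self.alpha) * self.mean[d]
        self.seen += 1
        return alerts


def run_demo():
    """Replay three constructed windows: two quiet ones, then a flood toward
    10.0.0.5 from many distinct sources. Returns, per window,
    (alerted destination buckets, top heavy-hitter cell, fan-in per dst bucket)."""
    quiet = [(f"192.0.2.{i}", "10.0.0.5", 500) for i in range(1, 6)] \
        + [("198.51.100.7", "10.0.0.9", 1200)]
    flood = quiet + [(f"203.0.113.{i}", "10.0.0.5", 1400) for i in range(1, 200)]
    detector = EwmaDetector()
    results = []
    for packets in (quiet, quiet, flood):
        window = Window()
        for src, dst, length in packets:
            window.add(src, dst, length)
        alerts = detector.update(window.dst_intensity())
        results.append((alerts, window.heavy_hitters(1)[0], window.dst_fan_in()))
    return results


if __name__ == "__main__":
    for i, (alerts, top, fan) in enumerate(run_demo()):
        print(f"window {i}: alerts={alerts} top_cell={top} max_fan_in={max(fan)}")
```

Because the partition is by hash rather than by address, the matrix stays a fixed size no matter how many hosts appear, which is what lets the views be computed on every packet at line rate; the price is that distinct hosts can share a bucket, so an alert names a sub-stream and the operator then drills into the cell's recorded sources to identify the actual target and senders.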
