Intentional Network Monitoring: Finding the Needle without Capturing the Haystack

Monitoring network traffic serves many purposes, from security to accounting, yet current mechanisms for collecting network traffic are typically based on low-level features of the traffic (e.g., IP addresses, port numbers) rather than on characteristics that map more closely to intent (e.g., people, applications, or devices). In this paper, we present the case for intentional network monitoring, the practice of capturing the minimal set of traffic that satisfies the operator's monitoring intent or goal, and a preliminary design and implementation of NetAssay, a system that enables intentional monitoring. A significant challenge in building NetAssay is a runtime that can maintain a mapping between the stable abstractions an operator or programmer uses to express intent (e.g., a username) and the dynamic, heterogeneous data that establishes these associations (e.g., information from a login server or a DNS record). We present examples that show how the NetAssay runtime performs late binding between these mappings and network flow space, and we discuss the research and technical challenges of establishing more general late-binding mechanisms.
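The late-binding idea in the abstract, as an added illustration that is not NetAssay's code: an operator states intent over stable names (a username, a DNS name), a binding table accumulates the dynamic facts that tie those names to IP space (login events, DNS answers), and flow-space rules are produced only once a binding exists and are recomputed as bindings change. The event shapes (`on_login`, `on_dns_answer`, `on_logout`), the class names and the sample addresses are all constructed for this example.

```python
"""Toy intentional-monitoring runtime (constructed example, not NetAssay's code).

Intent is expressed over names; a BindingTable holds the dynamic name -> IP
facts from heterogeneous sources (login server, DNS); flow rules are derived
late, from whatever bindings currently exist, and rebuilt on every change.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Intent:
    """Capture traffic from name `src` to name `dst` on `dst_port`; None is a wildcard."""
    src: Optional[str] = None
    dst: Optional[str] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class FlowRule:
    """A concrete match in IP flow space, the only thing a switch or tap understands."""
    src_ip: Optional[str]
    dst_ip: Optional[str]
    dst_port: Optional[int]

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return ((self.src_ip is None or self.src_ip == src_ip)
                and (self.dst_ip is None or self.dst_ip == dst_ip)
                and (self.dst_port is None or self.dst_port == dst_port))


class BindingTable:
    """name -> {ip: source}. Each binding remembers which data source asserted
    it (login, dns, ...) so a later event from that source can retract it."""

    def __init__(self) -> None:
        self._b: Dict[str, Dict[str, str]] = defaultdict(dict)

    def assert_binding(self, name: str, ip: str, source: str) -> None:
        self._b[name][ip] = source

    def retract(self, name: str, ip: Optional[str] = None, source: Optional[str] = None) -> None:
        cur = self._b.get(name, {})
        for bound_ip in list(cur):
            if (ip is None or bound_ip == ip) and (source is None or cur[bound_ip] == source):
                del cur[bound_ip]

    def resolve(self, name: str) -> FrozenSet[str]:
        return frozenset(self._b.get(name, {}))


class Runtime:
    def __init__(self) -> None:
        self.table = BindingTable()
        self.intents: List[Intent] = []
        self.rules: Set[FlowRule] = set()

    def add_intent(self, intent: Intent) -> None:
        self.intents.append(intent)
        self.recompile()

    # Event hooks for the dynamic data sources (shapes assumed for this example).
    def on_login(self, user: str, ip: str) -> None:
        self.table.assert_binding(user, ip, "login")
        self.recompile()

    def on_logout(self, user: str, ip: str) -> None:
        self.table.retract(user, ip=ip)
        self.recompile()

    def on_dns_answer(self, qname: str, ips: List[str]) -> None:
        # A fresh answer replaces the DNS-sourced bindings for that name only;
        # bindings the login server asserted for the same name survive.
        self.table.retract(qname, source="dns")
        for ip in ips:
            self.table.assert_binding(qname, ip, "dns")
        self.recompile()

    # Late binding: an intent becomes flow rules only once its names resolve.
    def recompile(self) -> Set[FlowRule]:
        rules: Set[FlowRule] = set()
        for it in self.intents:
            srcs = [None] if it.src is None else sorted(self.table.resolve(it.src))
            dsts = [None] if it.dst is None else sorted(self.table.resolve(it.dst))
            # An unresolved name gives an empty list, so product() yields no rules.
            # Turning it into a wildcard instead would capture the haystack.
            for s, d in product(srcs, dsts):
                rules.add(FlowRule(s, d, it.dst_port))
        self.rules = rules
        return rules

    def should_capture(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return any(r.matches(src_ip, dst_ip, dst_port) for r in self.rules)


def demo() -> List[int]:
    """Walk one intent through the binding lifecycle; returns the rule count after each step."""
    rt = Runtime()
    counts: List[int] = []
    rt.add_intent(Intent(src="alice", dst="news.example.com", dst_port=443))
    counts.append(len(rt.rules))                                 # nothing bound yet
    rt.on_login("alice", "10.0.0.5")                             # constructed login event
    counts.append(len(rt.rules))                                 # dst still unbound
    rt.on_dns_answer("news.example.com", ["203.0.113.10", "203.0.113.11"])
    counts.append(len(rt.rules))                                 # one rule per (src, dst) pair
    rt.on_dns_answer("news.example.com", ["203.0.113.12"])       # CDN rotated its answer
    counts.append(len(rt.rules))
    rt.on_logout("alice", "10.0.0.5")
    counts.append(len(rt.rules))
    return counts


if __name__ == "__main__":
    print(demo())  # returns [0, 0, 2, 1, 0]
```

Two design points matter more than the code itself. First, an unresolved name must compile to no rules rather than to a wildcard, otherwise the runtime silently degrades into full capture. Second, bindings are tagged with the source that asserted them, so a new DNS answer retracts only DNS-derived addresses; a real runtime would also expire DNS bindings by TTL and reconcile conflicting sources, neither of which this example attempts.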
