Efficient detection of flow anomalies with limited monitoring resources

Real-time detection of flow anomalies is a critical part of a wide range of management and security applications in Cloud and NFV systems. Solutions based on per-flow records have become infeasible because traffic volumes keep growing while the available resources, such as TCAM entries and fast counters, remain limited. In this paper we study a novel dynamic control mechanism that detects flow anomalies using only a limited number of counters. Starting from the simple observation that instantaneous detection of flow anomalies cannot be guaranteed with a limited number of counters, we study the trade-off between the time required to detect an anomaly and the number of available counters. We implemented the scheme on an OpenFlow-enabled switch, with the logic in the controller, and demonstrate that it can detect a single flow anomaly within a large volume of real traffic. To further reduce the detection time, we also implemented the scheme logic inside the switch itself and used the controller only for configuration. This implementation indeed yielded faster detection and lower monitoring communication overhead without introducing any significant observable cost at the switch.
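The abstract does not spell out the control mechanism, so the following is an added illustration of the counters-versus-time trade-off it describes, not the paper's own scheme. It simulates a monitor that owns only k aggregate counters: each epoch the candidate flow-ID range is split across the k counters (the way k wildcard rules would cover address blocks), the block whose counter crosses the threshold is kept, and the process repeats until a single flow remains. The traffic, the flow-ID space, the threshold and the function names are all constructed assumptions for the example.

```python
import math
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample traffic (not from the paper): flow IDs 0..N_FLOWS-1 stand
# in for hashed 5-tuples. Every flow sends 1 unit per epoch except one
# anomalous flow, which sends ANOMALY_VOLUME units.
N_FLOWS = 4096
ANOMALOUS_FLOW = 1337
ANOMALY_VOLUME = 10_000
# A flow is "anomalous" when its per-epoch volume reaches THRESHOLD. The value
# must exceed the largest benign aggregate (at most N_FLOWS units here, when a
# single counter covers every flow); otherwise aggregation alone trips it.
THRESHOLD = 5_000

Traffic = Dict[int, int]


def epoch_traffic(n_flows: int = N_FLOWS) -> Traffic:
    """Volume observed per flow during one epoch (constructed, deterministic)."""
    traffic = {flow: 1 for flow in range(n_flows)}
    if ANOMALOUS_FLOW < n_flows:
        traffic[ANOMALOUS_FLOW] = ANOMALY_VOLUME
    return traffic


def aggregate_counters(traffic: Traffic, lo: int, hi: int,
                       k: int) -> List[Tuple[int, int, int]]:
    """Cover the flow-ID range [lo, hi) with at most k aggregate counters.

    Each counter is a contiguous block of IDs, the way one wildcard rule
    covers an address range, and reports the block's total volume.
    Returns (block_start, block_end, volume) per block.
    """
    block = math.ceil((hi - lo) / k)
    counters = []
    for start in range(lo, hi, block):
        end = min(start + block, hi)
        volume = sum(v for flow, v in traffic.items() if start <= flow < end)
        counters.append((start, end, volume))
    return counters


def detect(traffic_fn: Callable[[int], Traffic], n_flows: int, k: int,
           threshold: int = THRESHOLD) -> Tuple[Optional[int], int]:
    """Isolate a single anomalous flow using k counters; return (flow_id, epochs).

    Each epoch splits the current candidate range across the k counters; the
    block whose counter reaches the threshold becomes the next range.
    Returns (None, epochs) when no block is hot, i.e. no anomaly is present.
    """
    if n_flows < 1:
        raise ValueError("need at least one flow")
    if k < 2:
        raise ValueError("at least two counters are needed to narrow the range")
    lo, hi, epochs = 0, n_flows, 0
    while True:
        epochs += 1
        counters = aggregate_counters(traffic_fn(n_flows), lo, hi, k)
        hot = [(s, e) for s, e, volume in counters if volume >= threshold]
        if not hot:
            return None, epochs
        lo, hi = hot[0]          # single-anomaly assumption: one hot block
        if hi - lo == 1:
            return lo, epochs


def epochs_bound(n_flows: int, k: int) -> int:
    """Worst-case epochs to isolate one flow among n_flows with k counters
    (ceil(log_k n), computed with integers to avoid float rounding)."""
    if k < 2:
        raise ValueError("at least two counters are needed to narrow the range")
    size, epochs = n_flows, 0
    while size > 1:
        size = math.ceil(size / k)
        epochs += 1
    return max(epochs, 1)


if __name__ == "__main__":
    for k in (2, 4, 16, 256, N_FLOWS):
        flow, epochs = detect(epoch_traffic, N_FLOWS, k)
        print(f"{k:5d} counters -> flow {flow} isolated in {epochs} epochs "
              f"(bound {epochs_bound(N_FLOWS, k)})")
```

Running the block shows the trade-off directly: 4096 counters pin the flow in one epoch, 16 counters need three, two counters need twelve. Each epoch also costs a round of rule installs and counter reads between controller and switch, which is the communication overhead the abstract reduces by moving the narrowing logic into the switch.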

Moraney Jalil, et al. Efficient detection of flow anomalies with limited monitoring resources, 2016.