Enabling Event-Triggered Data Plane Monitoring

We propose a push-based approach to network monitoring that allows the detection, within the dataplane, of traffic aggregates. Notifications from the switch to the controller are sent only if required, avoiding the transmission or processing of unnecessary data. Furthermore, the dataplane iteratively refines the responsible IP prefixes, allowing the controller to receive information with a flexible granularity. We implemented our solution, Elastic Trie, in P4 and for two different FPGA devices. We evaluated it with packet traces from an ISP backbone. Our approach can spot changes in the traffic patterns and detect (with 95% of accuracy) either hierarchical heavy hitters with less than 8KB or superspreaders with less than 300KB of memory, respectively. Additionally, it reduces controller-dataplane communication overheads by up to two orders of magnitude with respect to state-of-the-art solutions.

[1]  Patrick P. C. Lee,et al.  Sketchlearn: relieving user burdens in approximate measurement with automated statistical inference , 2018, SIGCOMM.

[2]  Zhi-Li Zhang,et al.  Adaptive random sampling for traffic load measurement , 2003, IEEE International Conference on Communications, 2003. ICC '03..

[3]  Ming Zhang,et al.  MicroTE: fine grained traffic engineering for data centers , 2011, CoNEXT '11.

[4]  George Varghese,et al.  Building a better NetFlow , 2004, SIGCOMM.

[5]  Peng Liu,et al.  Elastic sketch: adaptive and fast network-wide measurements , 2018, SIGCOMM.

[6]  Lukas Kencl,et al.  Efficient statistics gathering from tree-search methods in packet processing systems , 2005, IEEE International Conference on Communications, 2005. ICC 2005. 2005.

[7]  Soheil Ghiasi,et al.  Streaming Solutions for Fine-Grained Network Traffic Measurements and Analysis , 2011, IEEE/ACM Transactions on Networking.

[8]  George Varghese,et al.  Forwarding metamorphosis: fast programmable match-action processing in hardware for SDN , 2013, SIGCOMM.

[9]  Dawn Xiaodong Song,et al.  New Streaming Algorithms for Fast Detection of Superspreaders , 2005, NDSS.

[10]  Qi Zhao,et al.  Finding global icebergs over distributed data sets , 2006, PODS.

[11]  Nick McKeown,et al.  Programmable Packet Scheduling at Line Rate , 2016, SIGCOMM.

[12]  Anirudh Sivaraman,et al.  Language-Directed Hardware Design for Network Performance Monitoring , 2017, SIGCOMM.

[13]  Anja Feldmann,et al.  Deriving traffic demands for operational IP networks: methodology and experience , 2000, SIGCOMM.

[14]  Chen-Nee Chuah,et al.  ProgME: Towards Programmable Network MEasurement , 2007, IEEE/ACM Transactions on Networking.

[15]  Walter Willinger,et al.  Sonata: query-driven streaming network telemetry , 2018, SIGCOMM.

[16]  Monia Ghobadi,et al.  OpenTM: Traffic Matrix Estimator for OpenFlow Networks , 2010, PAM.

[17]  Mark Crovella,et al.  Mining anomalies using traffic feature distributions , 2005, SIGCOMM '05.

[18]  Carsten Lund,et al.  Charging from sampled network usage , 2001, IMW '01.

[19]  Mark Crovella,et al.  Diagnosing network-wide traffic anomalies , 2004, SIGCOMM '04.

[20]  Raouf Boutaba,et al.  PayLess: A low cost network monitoring framework for Software Defined Networks , 2014, 2014 IEEE Network Operations and Management Symposium (NOMS).

[21]  Christian Callegari,et al.  Detecting anomalies in backbone network traffic: a performance comparison among several change detection methods , 2012, Int. J. Sens. Networks.

[22]  Ori Rottenstreich,et al.  Efficient Measurement on Programmable Switches Using Probabilistic Recirculation , 2018, 2018 IEEE 26th International Conference on Network Protocols (ICNP).

[23]  Amin Vahdat,et al.  Hedera: Dynamic Flow Scheduling for Data Center Networks , 2010, NSDI.

[24]  Jennifer Rexford,et al.  Catching the Microburst Culprits with Snappy , 2018, SelfDN@SIGCOMM.

[25]  Ying Zhang,et al.  An adaptive flow counting method for anomaly detection in SDN , 2013, CoNEXT.

[26]  Minlan Yu,et al.  FlowRadar: A Better NetFlow for Data Centers , 2016, NSDI.

[27]  Diana Andreea Popescu,et al.  Enabling Fast Hierarchical Heavy Hitter Detection using Programmable Data Planes , 2017, SOSR.

[28]  David A. Maltz,et al.  Worm origin identification using random moonwalks , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[29]  Sujata Banerjee,et al.  DevoFlow: scaling flow management for high-performance networks , 2011, SIGCOMM.

[30]  Balachander Krishnamurthy,et al.  Sketch-based change detection: methods, evaluation, and applications , 2003, IMC '03.

[31]  Divesh Srivastava,et al.  Finding hierarchical heavy hitters in streaming data , 2008, TKDD.

[32]  Benoit Claise,et al.  Cisco Systems NetFlow Services Export Version 9 , 2004, RFC.

[33]  Vladimir Braverman,et al.  One Sketch to Rule Them All: Rethinking Network Flow Monitoring with UnivMon , 2016, SIGCOMM.

[34]  Vyas Sekar,et al.  Revisiting the case for a minimalist approach for network flow monitoring , 2010, IMC '10.

[35]  DiotChristophe,et al.  Mining anomalies using traffic feature distributions , 2005 .

[36]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[37]  George Varghese,et al.  New directions in traffic measurement and accounting , 2002, CCRV.

[38]  Minlan Yu,et al.  Software Defined Traffic Measurement with OpenSketch , 2013, NSDI.

[39]  Harsha V. Madhyastha,et al.  FlowSense: Monitoring Network Utilization with Zero Measurement Cost , 2013, PAM.

[40]  Minlan Yu,et al.  Online Measurement of Large Traffic Aggregates on Commodity Switches , 2011, Hot-ICE.

[41]  Hui Zang,et al.  Is sampled data sufficient for anomaly detection? , 2006, IMC '06.

[42]  George Varghese,et al.  Automatically inferring patterns of resource consumption in network traffic , 2003, SIGCOMM '03.

[43]  S. Muthukrishnan,et al.  Heavy-Hitter Detection Entirely in the Data Plane , 2016, SOSR.

[44]  Arpit Gupta,et al.  Network-Wide Heavy Hitter Detection with Commodity Switches , 2018, SOSR.

[45]  Rodrigo Fonseca,et al.  Planck , 2014, SIGCOMM.

[46]  Ramesh Govindan,et al.  DREAM , 2014, SIGCOMM.