Good Memories : Enhancing Memory Performance for Precise Flow Tracking

Flow tracking is an integral aspect of many network-related applications, including intrusion detection, network administration, per-flow billing, and network engineering. While some applications do not require precise tracking of every packet or flow and successfully employ statistical sampling or approximations to achieve an acceptable level of accuracy, many others, especially in the security domain, do not have such flexibility. Faced with rapidly growing number of networked devices, increasing Internet usage, and rising network bandwidth, precise flow tracking has become a very difficult problem with system memory as the main bottleneck. In this paper, we look at memory performance when tracking a large number of flows, show that finding an existing flow in memory often requires multiple key comparisons, and examine ways to reduce the number of comparisons for existing flows and avoid them altogether for the majority of new flows. Additionally, we propose a novel scheme called Predictive Placement that reduces the number of searches requiring three or more comparisons from 4.87% with a linked list implementation to just 0.0027% of all lookups. These results are based on our simulations with widely used long packet traces from CAIDA. Our approach relies on a Bloom filter derivative that encodes each element’s location using multiple bitmaps. The accuracy of the scheme depends on the number of bitmaps employed and on their load factor.

[1]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[2]  Mark Allen Weiss,et al.  Data structures and algorithm analysis in C , 1991 .

[3]  Kimberly C. Claffy,et al.  OC3MON: Flexible, Affordable, High Performance Staistics Collection , 1996, LISA.

[4]  M. V. Ramakrishna,et al.  Efficient Hardware Hashing Functions for High Performance Computers , 1997, IEEE Trans. Computers.

[5]  Peter Newman,et al.  IP switching and gigabit routers , 1997, IEEE Commun. Mag..

[6]  Mukesh Singhal,et al.  A novel cache architecture to support layer-four packet classification at memory access speeds , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[7]  Li Fan,et al.  Summary cache: a scalable wide-area web cache sharing protocol , 2000, TNET.

[8]  Nick McKeown,et al.  Monitoring very high speed links , 2001, IMW '01.

[9]  George Varghese,et al.  New directions in traffic measurement and accounting , 2002, CCRV.

[10]  Abhishek Kumar,et al.  Space-code bloom filter for efficient traffic flow measurement , 2003, IMC '03.

[11]  Yossi Matias,et al.  Spectral bloom filters , 2003, SIGMOD '03.

[12]  George Varghese,et al.  On the difficulty of scalably detecting network attacks , 2004, CCS '04.

[13]  G. Memik,et al.  Flow Monitoring in High-Speed Networks using Two Dimensional Hash Tables , 2004 .

[14]  R. Iyer,et al.  Efficient Caching Techniques for Server Network Acceleration , 2004 .

[15]  Faye A. Briggs,et al.  A study of performance impact of memory controller features in multi-processor server environment , 2004, WMPI '04.

[16]  Kang Li,et al.  Approximate caches for packet classification , 2004, IEEE INFOCOM 2004.

[17]  Nevil Brownlee Some Observations of Internet Stream Lifetimes , 2005, PAM.

[18]  Dawn Xiaodong Song,et al.  New Streaming Algorithms for Fast Detection of Superspreaders , 2005, NDSS.

[19]  George Varghese,et al.  Bitmap algorithms for counting active flows on high speed links , 2003, IMC '03.

[20]  George Varghese,et al.  On Scalable Attack Detection in the Network , 2004, IEEE/ACM Transactions on Networking.