A cost-effective anomaly detection system using in-DRAM working set of active flows table: poster

In the zettabyte era, per-flow measurement becomes more challenging owing to the growth of both traffic volumes and the number of flows, and swift detection of anomalies becomes paramount. For fast and accurate anomaly detection, a key challenge is maintaining an accurate working set of active flows (WSAF) from massive packet influxes at line rate. The WSAF is usually located in very fast but expensive memory, such as TCAM or SRAM, and thus the number of entries that can be stored is quite limited. To cope with the scalability issue of WSAF, we propose to use In-DRAM WSAF with scales, and put a compact data structure called FlowRegulator in front of the WSAF to compensate for DRAM's slow access time by substantially reducing the influx to the WSAF without compromising measurement accuracy. We evaluated our system in a large-scale real-world experiment. As one key application, FlowRegulator detected heavy hitters with 99.8% accuracy.
