Multi-granular, multi-purpose and multi-Gb/s monitoring on off-the-shelf systems

SUMMARY
In an attempt to make network managers' lives easier, we present M3Omon, a system architecture that helps to develop monitoring applications and perform network diagnosis. M3Omon behaves as an intermediate layer between the traffic and the monitoring applications, providing advanced features, high performance and low cost. The advanced features come from a multi-granular and multi-purpose approach to the monitoring problem. Multi-granular monitoring serves tasks that use traffic aggregates to identify an event and then require flow records, packet data or both to understand it and, eventually, take appropriate countermeasures. M3Omon provides a simple API to access traffic simultaneously at several granularities, i.e. packet level, flow level and aggregate statistics. The multi-purpose design of M3Omon allows not only running in parallel tasks that target different traffic-related purposes (e.g. traffic classification and intrusion detection) but also sharing granularities between applications, e.g. several concurrent applications fed from the flow records that M3Omon provides. Finally, the low cost comes from off-the-shelf systems (the combination of open-source software and commodity hardware), and the high performance is achieved through modifications to the standard NIC driver, low-level hardware interaction, efficient memory management and programming optimization. Copyright © 2014 John Wiley & Sons, Ltd.
