arpit gupta
play

Arpit Gupta Princeton University Rob Harrison , Ankita Pawar, Marco - PowerPoint PPT Presentation

Mar 06, 2023 •460 likes •854 views

SONATA: Query-Driven Network Telemetry Arpit Gupta Princeton University Rob Harrison , Ankita Pawar, Marco Canini, Nick Feamster, Jennifer Rexford, Walter Willinger Existing Telemetry Systems Compute Store Analysis Queries Packet Capture

  1. SONATA: Query-Driven Network Telemetry Arpit Gupta Princeton University Rob Harrison , Ankita Pawar, Marco Canini, Nick Feamster, Jennifer Rexford, Walter Willinger

  2. Existing Telemetry Systems Compute Store Analysis Queries Packet Capture SNMP Collection NetFlow 2

  3. Existing Telemetry Systems Compute Store Analysis Queries Collection Existing Systems are Query-Agnostic! 3

  4. Problems with Status Quo • Expressiveness – Configure collection & analysis stages separately – Static (and often coarse) data collection – Brittle analysis setup---specific to collection tools • Scalability Hard to scale query execution as: • Traffic Volume increases and/or Network Telemetry Systems should be • Number of Queries increases Expressive & Scalable 4

  5. Idea 1: Declarative Query Interface • Extensible Packet-As-Tuple Abstraction Treat packets as tuples carrying header, payload, and meta fields • Expressive Dataflow Operators – Most telemetry applications • Collect aggr. statistics over subset of traffic • Join results of one analysis with the other – Express them as declarative queries composed of dataflow operators, e.g. map , reduce , filter , join etc. 5

  6. Example Queries Detecting Newly Opened TCP Connections Detect hosts for which the number of newly opened TCP connections exceeds threshold (Th) victimIPs = pktStream .filter(p => p.tcp.flag == SYN) .map(p => (p.dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) .map((dstIP, count) => dstIP) Collect aggr. stats over subset of traffic 6

  7. Example Queries Detecting Traffic Anomalies Detect hosts for which the number of unique source IPs sending DNS response messages exceeds threshold (Th) pvictimIPs = pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) . distinct () .map((dstIP, srcIP) => (dstIP, 1)) Apply multiple aggregations over the . reduce (keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) packet tuple streams .map((dstIP, count) => dstIP) 7

  8. Example Queries Confirming Reflection Attacks Detect hosts with traffic anomalies that are of type RRSIG victimIPs = pktStream .filter(p => p.udp.sport == 53) . join ( pVictimIPs , key=‘dstIP’) .filter(p => p.dns.rr.type == RRSIG ) .map(p => (p.dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > T2) Join results of one analysis with the other .map((dstIP, count) => dstIP) 8

  9. Changing Status Quo • Expressiveness – Express dataflow queries over packet tuples – Not tied to low-level (3 rd party/platform-specific) APIs – Trivial to add new queries and change collection tools Easier to express network telemetry tasks! 9

  10. Query Execution Use Scalable Stream Processors Process all (or subset of) captured packet tuples using state-of-the-art Stream Processor Stream Processor Queries Packet Tuples Packet Capture Expressive but not Scalable! 10

  11. Idea 2: Query Partitioning • Observation Data plane can process packets at line rate • How it works? Execute subset of dataflow operators in the data plane • Trade-off Trades workload at stream processor at the cost of additional resource usage in the data plane 11

  12. Query Partitioning in Action Stream Processor Queries Runtime Packet Tuples Data Plane Configurations Programmable Data Plane Partition Queries b/w Switches and Stream Processor 12

  13. Query Partitioning in Action pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) Traffic Anomaly Query .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) .map((dstIP, count) => dstIP) pktStream .map((dstIP, srcIP)=>(dstIP,1)) .filter(p=>p.srcPort==53) .reduce(keys=(dstIP,), sum) .map(p=>(p.dstIP,p.srcIP)) .filter((dstIP,count)=>count>Th) .distinct() .map((dstIP, count) => dstIP) Stream Processor Programmable Data Plane 13

  14. Compiling Queries for PISA Targets pktStream .filter(p=>p.udp.sport==53) .map(p=>(p.dstIP,p.srcIP)) .distinct() M A M A M A M A Monitoring Pkt out Pkt in Port Register PISA Target See Tutorial 2 for details

  15. Limited Data-Plane Resources • Number of Physical Stages • Number of Actions per Stage M A M A M A M A Pkt out Pkt in Register Physical Stages

  16. Limited Data-Plane Resources Available Memory per Stage M A M A M A M A Pkt out Pkt in Register SRAM for Stateful Operations

  17. Limited Data-Plane Resources Available State for Metadata fields Packet Header Vector M A M A M A M A Pkt out Pkt in Register

  18. Selecting Query (Partitioning) Plans • Given: Queries & Training Data • Objective: Minimize the workload at Stream Processor • Constraints: – Available memory per stage Solve Query Planning Problem as an ILP – Available space for metadata fields – Number of actions per stage – Total number of stages 18

  19. Idea 3: Iterative Refinement • Observation Tiny fraction of traffic or flows satisfy telemetry queries • How it works? – Execute queries at coarser levels – Iteratively zoom-in on interesting traffic over time • Trade-off s Trades workload at stream processor at the cost of additional detection delay 19

  20. Iterative Refinement in Action Iterative Refinement Stream Processor Queries Runtime Packet Tuples Data Plane Configurations Programmable Data Plane Queries’ Output Drives further Processing 20

  21. Iterative Refinement in Action Refinement Key = dstIP pktStream .filter(p => p.udp.sport == 53) .map(p => (p. dstIP , p.srcIP)) Traffic Anomaly Query .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=( dstIP ,), sum) .filter((dstIP, count) => count > Th) à /16 /8 .map((dstIP, count) => dstIP) Q 8 (W) = pktStream Q 16 (W+1) = pktStream .filter(p=>p.udp.sport==53) .filter(p=>p.udp.sport==53) .map( dstIP=>dstIP/8 ) .filter( p=>p.dstIP/8 in Q 8 (W) ) .map(p=>(p.dstIP,p.srcIP)) .map( dstIP=>dstIP/16 ) … .map(p=>(p.dstIP,p.srcIP)) … W + 1 W Query-Driven Network Telemetry! Time 21

  22. Quantify Performance Gains • Realistic Workload – Anonymized packet traces from a large ISP – Processing 20 M packets per second (~100 Gbps) • Typical Telemetry Tasks New TCP, SSH Brute, Super Spreader, Port Scan, DDoS, SYN Flood, Completed Flows, Slow Loris, … • Comparisons All-SP, Filter-DP, Max-DP, Fix-REF 22

  23. Single-Query Performance Reduces workload at stream processor by up to seven orders of magnitude 23

  24. Multi-Query Performance Reduces workload at stream processor by up to three orders of magnitude 24

  25. Sensitivity Analysis Data-Plane Resources Sonata makes the best use of available limited data-plane resources 25

  26. Changing Status Quo • Expressiveness – Express Dataflow queries over packet tuples – Not worry about how and where the query is executed – Adding new queries and collection tools is trivial • Scalability Answers multiple queries for traffic volume as high as 100 Gb/s in real-time Sonata is Expressive & Scalable ! 26

  27. Sonata Implementation Query Interface Q 1 Q 2 Q N Iterative Refinement Output Core Queries Queries Query Partitioning Streaming Driver Data Plane Driver Tuples Stream Processor Packets In Packets Out Programmable Data Plane 27

  28. More Use Cases 28

  29. Performance Monitoring Monitor various performance metrics TCP-Monitoring = pktStream .map(p => ( key , perf-metric )) 5-tuples, nBytes, ingress-egress pairs, loss, src-dst pairs, latency, .. … 29

  30. Performance Monitoring Identify flows for which the traffic volume exceeds threshold (T) Heavy-Hitters = pktStream .map(p => (p.5-tuple,p.nBytes)) .reduce(keys=(5-tuple,), sum) .filter((5-tuple,bytes) => bytes > T) .map((5-tuple,bytes)=> 5-tuple) Use Sonata for Collection & Analysis 30

  31. Detecting Microbursts Detect ports for which the total traffic volume exceeds a threshold (T 1 ) mBursts = pktStream .map(p => (p.port, p.nBytes)) .reduce(keys=(port,), sum) .filter((port, bytes) => bytes > T 1 ) .map((port, bytes) => port) 31

  32. Analyzing Microbursts Analyze which flows contribute to microbursts Top-Contributors = pktStream .map(p => (p.port,p.5-tuple,p.nBytes)) .join( mBursts , key=‘port’) .map((port,5-tuple,nBytes)=>(5-tuple,nBytes)) .reduce(keys=(5-tuples,), sum) .filter((5-tuples,bytes) => bytes > T 2 ) .map((5-tuples,bytes) => 5-tuples) 32

  33. Future Work 33

  34. Extend Packet Tuples victimIPs(t) = pktStream(W) … .filter(p => p.dns.rr.type == RRSIG ) … • Currently, dns.rr.type is parsed in user-space • Possible to parse it in the data plane itself • Layers of Interest: – DNS – SMTP – … 34

  35. Extend Dataflow Operators • Extend existing Operators – Reduce • Currently, only sum function is supported • Implement more complex aggregation functions – Join • Currently, only inner join is supported • Implement full outer, Cartesian, left/right inner/outer joins • Add new Operators – Flat Map – Sample 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Take the Q Train: Value Capture of Public Infrastructure Projects Arpit Gupta (NYU Stern) Stijn

Take the Q Train: Value Capture of Public Infrastructure Projects Arpit Gupta (NYU Stern) Stijn

Take the Q Train: Value Capture of Public Infrastructure Projects Arpit Gupta (NYU Stern) Stijn Van Nieuwerburgh (Columbia GSB, NBER, CEPR) Constantine Kontokosta (NYU CUSP, Marron) Baruch, April 7, 2020 1 / 35 Motivation As major urban

958 views • 46 slides
Peering at the Internets Frontier: A First Look at ISP Interconnectivity in Africa Arpit Gupta

Peering at the Internets Frontier: A First Look at ISP Interconnectivity in Africa Arpit Gupta

Peering at the Internets Frontier: A First Look at ISP Interconnectivity in Africa Arpit Gupta Georgia Tech Matt Calder (USC), Nick Feamster (Georgia Tech), Marshini Chetty (Maryland), Enrico Calandro (Research ICT Africa), Ethan

638 views • 25 slides
Preserving Privacy at IXPs + Xiaohe Hu * Arpit Gupta , Nick Feamster , Aurojit Panda , Scott

Preserving Privacy at IXPs + Xiaohe Hu * Arpit Gupta , Nick Feamster , Aurojit Panda , Scott

Preserving Privacy at IXPs + Xiaohe Hu * Arpit Gupta , Nick Feamster , Aurojit Panda , Scott Shenker + * Internet Exchange Points Global Transit / Hyper Giants National Large Content, Consumer, Hosting CDN

729 views • 20 slides
SDX: A Software-Defined Internet Exchange Arpit Gupta Laurent Vanbever, Muhammad Shahbaz, Sean

SDX: A Software-Defined Internet Exchange Arpit Gupta Laurent Vanbever, Muhammad Shahbaz, Sean

SDX: A Software-Defined Internet Exchange Arpit Gupta Laurent Vanbever, Muhammad Shahbaz, Sean Donovan, Brandon Schlinker, Nick Feamster, Jennifer Rexford, Scott Shenker, Russ Clark, Ethan Katz-Bassett Georgia Tech, Princeton University, UC

508 views • 33 slides
Arpit Gupta Princeton University Rob Harrison, Ankita Pawar, Rdiger Birkner, Marco Canini,

Arpit Gupta Princeton University Rob Harrison, Ankita Pawar, Rdiger Birkner, Marco Canini,

SONATA: Query-Driven Network Telemetry Arpit Gupta Princeton University Rob Harrison, Ankita Pawar, Rdiger Birkner, Marco Canini, Nick Feamster, Jennifer Rexford, Walter Willinger Conventional Network Telemetry Compute Store Analysis

692 views • 24 slides
Authorizing Network Control at Software Defined Exchange Points Arpit Gupta Princeton University

Authorizing Network Control at Software Defined Exchange Points Arpit Gupta Princeton University

Authorizing Network Control at Software Defined Exchange Points Arpit Gupta Princeton University http://sdx.cs.princeton.edu Nick Feamster, Laurent Vanbever Internet Exchange Points (IXPs) Route Server BGP Session IXP Switching Fabric AS

363 views • 20 slides
Pa PacketScope: : Monit itorin ing the Pac acket Li Lifecycle Wi Within a a S Swi witch

Pa PacketScope: : Monit itorin ing the Pac acket Li Lifecycle Wi Within a a S Swi witch

Pa PacketScope: : Monit itorin ing the Pac acket Li Lifecycle Wi Within a a S Swi witch Ross Teixeira (Princeton) Rob Harrison (United States Military Academy) Arpit Gupta (UC Santa Barbara) Jennifer Rexford (Princeton) Ou Outline

335 views • 18 slides
Concise Encoding of Flow Attributes in SDN Switches Robert MacDavid *, Rdiger Birkner , Ori

Concise Encoding of Flow Attributes in SDN Switches Robert MacDavid *, Rdiger Birkner , Ori

Concise Encoding of Flow Attributes in SDN Switches Robert MacDavid *, Rdiger Birkner , Ori Rottenstreich*, Arpit Gupta*, Nick Feamster*, Jennifer Rexford* *Princeton University, ETH Zrich Motivation Incoming Flows Classifier

841 views • 82 slides
Controlled Foreign Corporation Certificate Course on International Taxation, Chennai Arpit Jain

Controlled Foreign Corporation Certificate Course on International Taxation, Chennai Arpit Jain

Controlled Foreign Corporation Certificate Course on International Taxation, Chennai Arpit Jain Director International Tax Background Spread of CFC legislation across the world in last 30-40 years US-perhaps first country to

469 views • 19 slides
Informed Truthfulness for Multi-Task Peer Prediction Victor Shnayder , Arpit Agarwal, Rafael

Informed Truthfulness for Multi-Task Peer Prediction Victor Shnayder , Arpit Agarwal, Rafael

Informed Truthfulness for Multi-Task Peer Prediction Victor Shnayder , Arpit Agarwal, Rafael Frongillo, David C. Parkes Nov 3, 2016; HCOMP16 Foundations Workshop 1 Lets talk about crowdsourcing 2 Task: How many cows in this image? 3

780 views • 47 slides
Analysis of Wikileaks Cables Using NLP Techniques CS671: Natural language Processing Arpit Jain

Analysis of Wikileaks Cables Using NLP Techniques CS671: Natural language Processing Arpit Jain

Analysis of Wikileaks Cables Using NLP Techniques CS671: Natural language Processing Arpit Jain Sugam Anand Mentor : Dr . Amitabha Mukerjee Why Wikileaks ? Wikileaks embassy cables revelations covered a huge dataset of official documents

2.82k views • 10 slides
Synchronization Presented by Farhan Asif Chowdhury, Arpit Garg and Md Abdur Rahaman 18th April

Synchronization Presented by Farhan Asif Chowdhury, Arpit Garg and Md Abdur Rahaman 18th April

Exotic New Patterns of Natalie Wolchover Synchronization Presented by Farhan Asif Chowdhury, Arpit Garg and Md Abdur Rahaman 18th April 2019 Synchronization Two or more dynamical systems Adjust some of their properties To a common

392 views • 25 slides
Architectural Support for Atomic Durability in Non-Volatile Memory Arpit Joshi , Vijay Nagarajan,

Architectural Support for Atomic Durability in Non-Volatile Memory Arpit Joshi , Vijay Nagarajan,

Architectural Support for Atomic Durability in Non-Volatile Memory Arpit Joshi , Vijay Nagarajan, Stratis Viglas, Marcelo Cintra NVMW 2018 Summary Non-Volatile Memory (NVM) - on the memory bus enables in-memory persistent data structures

1.12k views • 87 slides
Rank Aggregation from Pairwise Comparisons in the Presence of Adversarial Corruptions Arpit

Rank Aggregation from Pairwise Comparisons in the Presence of Adversarial Corruptions Arpit

Rank Aggregation from Pairwise Comparisons in the Presence of Adversarial Corruptions Arpit Agarwal, Shivani Agarwal, Sanjeev Khanna, Prathamesh Patil ICML 2020 Rank Aggregation from Pairwise Comparisons In many practical applications, the

844 views • 37 slides
Most Favored Nation Certificate Course on International Taxation, Chennai Arpit Jain Director

Most Favored Nation Certificate Course on International Taxation, Chennai Arpit Jain Director

Most Favored Nation Certificate Course on International Taxation, Chennai Arpit Jain Director International Tax MFN Principle State A binds itself to State B with respect to favorable treatment afforded by it in future to State C

554 views • 16 slides
DieCast: Testing Distributed Systems with an Accurate Scale Model Diwaker Gupta Diwaker Gupta

DieCast: Testing Distributed Systems with an Accurate Scale Model Diwaker Gupta Diwaker Gupta

DieCast: Testing Distributed Systems with an Accurate Scale Model Diwaker Gupta Diwaker Gupta Kashi V. Vishwanath Amin Vahdat University of California, San Diego High performance Alice filesystem Limited testing infrastructure Diverse

590 views • 29 slides
Degree centralit y IN TR OD U C TION TO N E TW OR K AN ALYSIS IN P YTH ON Eric Ma Data

Degree centralit y IN TR OD U C TION TO N E TW OR K AN ALYSIS IN P YTH ON Eric Ma Data

Degree centralit y IN TR OD U C TION TO N E TW OR K AN ALYSIS IN P YTH ON Eric Ma Data Carpentr y instr u ctor and a u thor of n xv i z package Important nodes Which nodes are important ? Degree centralit y Bet w eenness centralit y

368 views • 25 slides
Dynamic Networks and Social Media Prof. Kathleen M. Carley @CMU_CASOS Illustrative Component

Dynamic Networks and Social Media Prof. Kathleen M. Carley @CMU_CASOS Illustrative Component

6/7/2020 Dynamic Networks and Social Media Prof. Kathleen M. Carley @CMU_CASOS Illustrative Component Systems All developed with some ONR sponsorship Purpose Presenter TweetTracker Capture and visualize large number of tweets Arizona

907 views • 23 slides
jan.kucera@cesnet.cz CESNET, a.l.e. In collaboration with: , (University of Cambridge)

jan.kucera@cesnet.cz CESNET, a.l.e. In collaboration with: , (University of Cambridge)

jan.kucera@cesnet.cz CESNET, a.l.e. In collaboration with: , (University of Cambridge) (Barefoot Networks) , (Brno University of Technology) and (Queen Mary University of London) 1 High-volume traffic clusters The importance of finding

388 views • 24 slides
#BetterTogether Navigating partnership challenges May 16, 2018 ACM InterActivity InterActivity

#BetterTogether Navigating partnership challenges May 16, 2018 ACM InterActivity InterActivity

#BetterTogether Navigating partnership challenges May 16, 2018 ACM InterActivity InterActivity 2018 Presenters Eric Demay Creative Director, GSM Project Patti Reiss Director of Museum Experiences, Mississippi Childrens Museum

732 views • 61 slides
Generalized Contagion Generalized Model of Contagion Principles of Complex Systems References

Generalized Contagion Generalized Model of Contagion Principles of Complex Systems References

Generalized Contagion Generalized Contagion Generalized Model of Contagion Principles of Complex Systems References Course 300, Fall, 2008 Prof. Peter Dodds Department of Mathematics & Statistics University of Vermont Licensed under

466 views • 21 slides
Modeling group dispersal of particles with a spatiotemporal point process Samuel Soubeyrand INRA

Modeling group dispersal of particles with a spatiotemporal point process Samuel Soubeyrand INRA

Modeling group dispersal of particles with a spatiotemporal point process Samuel Soubeyrand INRA Biostatistics and Spatial Processes Joint work with L. Roques, J. Coville and J. Fayard 9th SSIAB Workshop, May 10, 2012 Group Dispersal

271 views • 26 slides
Technology Overview Randeep Singh Thermal Technology Division ( ) Fujikura Ltd. Tokyo 1

Technology Overview Randeep Singh Thermal Technology Division ( ) Fujikura Ltd. Tokyo 1

Fujikura Thermal Technology Overview Randeep Singh Thermal Technology Division ( ) Fujikura Ltd. Tokyo 1 Key Technology of Thermal Product Heat Pipe Vapor Chamber Micro-channel Merits: Merits: Merits: Passive system Active

273 views • 25 slides
Directedness of information flow in mobile phone communication networks Fernando Peruani In

Directedness of information flow in mobile phone communication networks Fernando Peruani In

Directedness of information flow in mobile phone communication networks Fernando Peruani In collaboration with: Lionel Tabourier MAPCON Dresden 2012 References: FP, Nicola and Morelli, New J. Phys. (2010) FP and Sibona, PRL (2008) FP

848 views • 46 slides

More recommend