Automatic Inference of High-Level Network Intents by Mining Forwarding Patterns (PowerPoint presentation)


SLIDE 1

Automatic Inference of High-Level Network Intents by Mining Forwarding Patterns

Ali Kheradmand, University of Illinois at Urbana-Champaign

SOSR, March 2020

SLIDE 2

Typical network configuration procedure

  • Mostly manual in today’s networks
  • Alas, the semantic gap!

(Figure: High-level intents (informal) → Operator → Configurations → Network; the "???" marks the semantic gap between the informal intents and the configurations)

SLIDE 3

(Figure only; no text on this slide)

SLIDE 4

How to bridge the gap?

(Figure: High-level intents (informal) → Operator → Configurations → Network)

SLIDE 5

Current approaches

  • Verification: a model of the system S and a property Ψ are given to a verifier, which answers "Does S satisfy Ψ?" (configured network and high-level intents, written as a formal specification)
  • Synthesis/Compilation: high-level intents, written as a formal specification, are fed to a compiler that produces the configurations for the network

SLIDE 6

Reality

  • Formal specifications not existing / maybe not even known
    • Operator is given an informal description of networking objectives
    • Intents are implicit
  • Operators inherit legacy networks
    • Asked to maintain it
    • 82% concerned that changes would cause problems with existing functionality [Kim et al, NSDI’15]

SLIDE 7

A new approach

  • Idea: automatically infer high-level intents by looking at the low-level network forwarding behavior

(Figure: Operator → Configurations → Network → High-level intents; "How about going this way?")

SLIDE 8

Automatic Network Intent Miner (Anime)

(Figure: observed behavior (low-level), obtained from data plane/control plane/configuration analysis, live traffic monitoring, …, is fed to Anime, which produces inferred intents (high-level); Venn diagram of observed, possible and inferred behavior)

SLIDE 9

Applications

  • Streamline “Intent Based Networking”
    • Verification/Synthesis
    • Automatic migration from legacy networks to cloud, SDN, …
    • Transparent optimizations, automatic repair, etc.
  • Network behavior summarization
    • Debugging and management
    • Anomaly analysis
    • Misconfiguration detection

SLIDE 10

Example

(Figure: topology with users U1, U2, U3, firewalls FW1, FW2 and servers S1 (10.0.1.2), S2 (10.0.1.3); the groups are labelled User, Firewall, Server)

Observed low-level behavior:
  • dstIP: 10.0.1.2, start: U1, waypoint: F1, end: S1
  • dstIP: 10.0.1.2, start: U2, waypoint: F1, end: S1
  • dstIP: 10.0.1.2, start: U3, waypoint: F2, end: S1
  • dstIP: 10.0.1.3, start: U1, waypoint: F1, end: S2
  • dstIP: 10.0.1.3, start: U2, waypoint: F2, end: S2
  • dstIP: 10.0.1.3, start: U3, waypoint: F2, end: S2

Inferred high-level intents:
  • dstIP: 10.0.1.2, start: User, waypoint: Firewall, end: S1
  • dstIP: 10.0.1.3, start: User, waypoint: Firewall, end: S2

Inferred higher-level intent:
  • dstIP: 10.0.1.2/31, start: User, waypoint: Firewall, end: Server

SLIDE 11

Expressing behavior and intents

  • Using features
    • Each corresponding to one aspect of an observed behavior
    • Devices: e.g. start, waypoint, end, entire forwarding path
    • Header information: e.g. source/destination address or port
    • Conditions/state: e.g. temporal (snapshot timestamp), topological (link failures), device (connection state)
  • Each has a set of labels associated with it:
    • Device: U1, U2, U3, S1, S2, FW1, FW2, User, Firewall, Server, Any
    • IP: 10.0.1.2, 10.0.1.2/31, 10.0.0.0/8, ...

Example: dstIP: 10.0.1.2, start: U1, waypoint: F1, end: S1

SLIDE 12

Insight

  • Networks are hierarchical
    • E.g. IP hierarchy (CIDR), device role hierarchy
  • Idea: use hierarchical labels

(Figure: two label hierarchies, each label annotated with its cost, i.e. the number of concrete values it covers; coverage grows and specificity shrinks toward the root)

Device hierarchy:
  • Any : 7
    • User : 3 (U1 : 1, U2 : 1, U3 : 1)
    • Firewall : 2 (F1 : 1, F2 : 1)
    • Server : 2 (S1 : 1, S2 : 1)

IP hierarchy:
  • 0.0.0.0/0 : 2^32
    • …
      • 10.0.1.2/31 : 2 (10.0.1.2/32 : 1, 10.0.1.3/32 : 1)

SLIDE 13

Library of feature templates

(Figure: each template with an example hierarchy, labels annotated with their cost)

  • DAG<V,E>: an explicit hierarchy, e.g. the device hierarchy Any:7 → User:3 (U1:1, U2:1, U3:1), Firewall:2 (F1:1, F2:1), Server:2 (S1:1, S2:1)
  • Flat<{L1,L2,…,Ln}>: Any:n over the unrelated labels L1:1, L2:1, …, Ln:1
  • Set<{L1,L2,…,Ln}, b>: Any:n over subsets of up to b consecutive labels, e.g. {L1,…,Lb}:b, …, {L1,L2}:2, L1:1, L2:1, …, {Ln−b+1,…,Ln}:b, …, {Ln−1,Ln}:2, Ln−1:1, Ln:1
  • Range: intervals, e.g. [0,255]:256 → [100,255]:156 (100:1, …, 255:1), …, [0,1]:2 (0:1, 1:1)
  • TBV<n>: ternary bit vectors of length n, e.g. for n = 2: xx:4 → 1x:2 (11:1, 10:1), 0x:2 (01:1, 00:1)
  • IP Prefix: CIDR hierarchy, e.g. 0.0.0.0/0 : 2^32 → … → 10.0.1.2/31 : 2 (10.0.1.2/32 : 1, 10.0.1.3/32 : 1)
  • Hierarchical Reduced Regex (HRE): e.g. AS1.R1.Internal+.R5.AS2 covers AS1.R1.Internal.R5.AS2 and AS1.R1.Internal.Internal.R5.AS2, which in turn cover the concrete paths AS1.R1.R2.R5.AS2 and AS1.R1.R3.R4.R5.AS2

SLIDE 14

Expressing behavior and intents

  • Combine multiple features (Tuple<F1,...,Fn>) to express behavior and intents
  • E.g. Tuple<dstIP, start, waypoint, end>

(Figure: lattice of tuples ordered by cost, from expressible low-level behavior at the bottom to potential high-level intents at the top)

Expressible low-level behavior: 10.0.1.2,U1,F1,S1; 10.0.1.2,U2,F1,S1; 10.0.1.2,U3,F2,S1; 10.0.1.3,U1,F1,S2; 10.0.1.2,U2,F2,S2; 10.0.1.3,U3,F2,S2; …

Potential high-level intents: 10.0.1.2,User,F1,S1; 10.0.1.3,User,F2,S2; 10.0.1.2,User,Firewall,S1; 10.0.1.3,User,Firewall,S2; 10.0.1.2/31,User,Firewall,Server; 0.0.0.0/0,Any,Any,Any; …

SLIDE 15

Problem definition

  • Given
    • A set of observed behavior $B = \{b_1, \dots, b_n\}$
    • Limit $k$ on the number of inferred intents
  • Find
    • Intents $I = \{i_1, \dots, i_{k'}\}$ ($k' \le k$)
  • Such that
    • Each behavior in $B$ is represented by at least one intent from $I$
    • Minimizes $\sum_{i \in I} \mathrm{cost}(i)$

(Figure: behaviors $b_1, b_2, \dots, b_n$ at the bottom, intents $i_1, \dots, i_{k'}$ above them, ordered by cost)

NP-Hard

SLIDE 16

Heuristic solution

  • Partition the observed behavior $\{b_1, \dots, b_n\}$ into groups $g_1, g_2, g_3, \dots$
  • $\mathrm{join}(g)$: single best intent representing all behavior in $g$, found as the least-cost common ancestor in the label hierarchy
  • Insight: the cost of $\mathrm{join}(g)$ is inversely related to the similarity of the behavior in $g$
    • $\mathrm{join}(U1, U2) = User$ (cost: 3)
    • $\mathrm{join}(U1, FW1) = Any$ (cost: 7)
  • Use $\mathrm{cost}(\mathrm{join}(p_1, p_2))$ as the distance between behaviors $p_1, p_2$ and apply efficient clustering methods

(Figure: device hierarchy Any:7 → User:3 (U1:1, U2:1, U3:1), Firewall:2 (F1:1, F2:1), Server:2 (S1:1, S2:1); groups $g_1, g_2, g_3$ drawn over the behaviors $b_i, b_j$)
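As an added illustration (not the Anime prototype's code), the following Python script implements the pieces described on slides 12 to 16 on the slide-10 example: a device-role tree and CIDR prefixes as hierarchical labels whose cost is the number of concrete values they cover, join as the component-wise least-cost common ancestor, and a greedy clustering heuristic that merges the two groups with the cheapest join until at most k groups remain. Two things are assumptions of this example rather than statements on the slides: the cost of a tuple intent is the product of its component costs (the number of concrete behaviors it covers), and the clustering is plain greedy pairwise merging. The firewalls are named F1/F2, as in the slide-10 behaviors.

```python
"""Hierarchical labels, least-cost common ancestor ("join") and a greedy
clustering heuristic for intent inference, run on the slide-10 example.
Added illustration, not the Anime prototype's code. Assumptions (not on the
slides): tuple cost = product of component costs; clustering = greedy
pairwise merging by lowest join cost."""
import ipaddress
from itertools import combinations

# Device role tree from slide 12: child -> parent. The cost of a label is
# the number of concrete devices it covers (Any:7, User:3, U1:1, ...).
DEVICE_PARENT = {
    "U1": "User", "U2": "User", "U3": "User",
    "F1": "Firewall", "F2": "Firewall",
    "S1": "Server", "S2": "Server",
    "User": "Any", "Firewall": "Any", "Server": "Any",
}
LEAVES = [d for d in DEVICE_PARENT if d not in DEVICE_PARENT.values()]


def ancestors(label):
    """The label itself followed by its ancestors up to the root."""
    chain = [label]
    while chain[-1] in DEVICE_PARENT:
        chain.append(DEVICE_PARENT[chain[-1]])
    return chain


def device_cost(label):
    return sum(1 for leaf in LEAVES if label in ancestors(leaf))


def device_join(a, b):
    """Least-cost common ancestor of two labels in the device tree."""
    chain_b = ancestors(b)
    return next(x for x in ancestors(a) if x in chain_b)


def ip_cost(prefix):
    return ipaddress.ip_network(prefix).num_addresses


def ip_join(a, b):
    """Longest common prefix of two networks: their ancestor in the CIDR tree."""
    a, b = ipaddress.ip_network(a), ipaddress.ip_network(b)
    plen = min(a.prefixlen, b.prefixlen)
    while plen and a.supernet(new_prefix=plen) != b.supernet(new_prefix=plen):
        plen -= 1
    return str(a.supernet(new_prefix=plen))


# Tuple<dstIP, start, waypoint, end>, as on slide 14.
JOINS = (ip_join, device_join, device_join, device_join)
COSTS = (ip_cost, device_cost, device_cost, device_cost)


def join(group):
    """Single best intent representing every behavior in the group."""
    intent = group[0]
    for behavior in group[1:]:
        intent = tuple(j(x, y) for j, x, y in zip(JOINS, intent, behavior))
    return intent


def cost(intent):
    """Assumed cost model: number of concrete behaviors the intent covers."""
    total = 1
    for c, label in zip(COSTS, intent):
        total *= c(label)
    return total


def infer_intents(behaviors, k):
    """Greedy agglomerative clustering: merge the two groups whose join is
    cheapest (i.e. whose members are most similar) until at most k remain,
    then return the join of each group. `behaviors` must be non-empty."""
    groups = [[b] for b in behaviors]
    while len(groups) > max(k, 1):
        best = None
        for i, j in combinations(range(len(groups)), 2):
            c = cost(join(groups[i] + groups[j]))
            if best is None or c < best[0]:
                best = (c, i, j)
        _, i, j = best
        groups[i] = groups[i] + groups[j]
        del groups[j]
    return [join(g) for g in groups]


# Observed low-level behavior from slide 10 (constructed input).
BEHAVIORS = [
    ("10.0.1.2", "U1", "F1", "S1"), ("10.0.1.2", "U2", "F1", "S1"),
    ("10.0.1.2", "U3", "F2", "S1"), ("10.0.1.3", "U1", "F1", "S2"),
    ("10.0.1.3", "U2", "F2", "S2"), ("10.0.1.3", "U3", "F2", "S2"),
]

if __name__ == "__main__":
    for k in (2, 1):
        for intent in infer_intents(BEHAVIORS, k):
            print(k, intent, "cost", cost(intent))
```

With k = 2 the script reproduces the two inferred intents of slide 10 (User → Firewall → S1 for 10.0.1.2, User → Firewall → S2 for 10.0.1.3), and with k = 1 the higher-level intent 10.0.1.2/31, User, Firewall, Server. The limit k trades the length of the description against specificity: the single intent has cost 24, i.e. it also admits 18 concrete behaviors that were never observed.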

SLIDE 17

Evaluation

  • Quality of inferred intents
  • Performance: refer to the paper

SLIDE 18

Evaluation (objective quality metrics)

Whitelist assumption: any behavior not explicitly allowed by any intent in a set of intents is disallowed by that set

Precision: $\frac{TP}{TP + FP}$ (specificity: exclusion of impossible behavior)

Recall: $\frac{TP}{TP + FN}$ (coverage: inclusion of possible behavior)

(Figure: confusion matrix of predicted (P/N) against actual (P/N) behavior with cells TP, FN, FP, TN; Venn diagram of possible versus inferred behavior)

SLIDE 19

Evaluation (comparison with Net2Text)

  • Re-implemented Compass algorithm from Net2Text [Birkner et al, NSDI18]
    • Summarize forwarding traffic “as much as possible”
    • No use of hierarchy
  • Net2Text dataset
    • Simplified ISP, real-world topologies, IPv4 RIB, and AS-to-organization information
    • No hierarchy (to be fair)
    • AT&T topology, 25 nodes, 5 egresses, 100 prefixes, 2500 paths
  • Perfect observation (possible = observed)
  • Goal: summarization

(Figure: precision (0.0 to 1.0) against the limit on the length of description k (500 to 2500); Net2Text, recall: 0.26; Anime, recall: 1)

SLIDE 20

Evaluation (effect of hierarchical values)

  • Multiple groups of servers
  • Synthetic access control policies
    • “group/server A can communicate with group/server B”
  • 100 nodes, 5 groups of size between 5 and 30, 10 intents, 435 paths
  • Perfect observation (possible = observed)
  • Goal: summarization

(Figure: precision (0.0 to 1.0) against the limit on the length of description k (100 to 400); Anime w/o hierarchy, recall: 1; Anime with hierarchy, recall: 1)

SLIDE 21

(Figure: F-score (0.2 to 1.0) against the limit on the length of description k (100 to 400); Anime w/o hierarchy; Anime with hierarchy)

Evaluation (partial observation)

“train” on observed (60% of possible), evaluate on possible

  • Net2Text dataset: (Figure: precision against recall, 0.0 to 1.0 on both axes; one plot comparing Compass and Anime, one comparing Net2Text and Anime)
  • Access control dataset: near perfect F-score (1 FN, 0 FP); 9/10 actual intents correctly inferred

F-score $= \frac{2 \times \text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}}$
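The metrics of slides 18 and 21 depend on the whitelist assumption: the behavior a set of intents predicts as allowed is exactly the set of expressible low-level behaviors some intent covers. The following Python script, an added example rather than the paper's evaluation code, computes TP/FP/FN, precision, recall and F-score for a few intent sets over the slide-10 example. The behavior space (every tuple of concrete labels), the possible set (the six observed behaviors, i.e. perfect observation) and the intent sets are constructed here.

```python
"""Precision, recall and F-score of an intent set under the whitelist
assumption. Added illustration, not the paper's evaluation code; the
behavior space, possible set and intent sets are constructed from the
slide-10 example."""
import ipaddress
from itertools import product

# Flat membership of the hierarchical device labels from slide 12.
MEMBERS = {
    "User": {"U1", "U2", "U3"},
    "Firewall": {"F1", "F2"},
    "Server": {"S1", "S2"},
}
MEMBERS["Any"] = set().union(*MEMBERS.values())
DEVICES = sorted(MEMBERS["Any"])
HOSTS = ["10.0.1.2", "10.0.1.3"]

# Expressible low-level behavior: every (dstIP, start, waypoint, end) tuple
# over concrete labels; 2 * 7 * 7 * 7 = 686 tuples (constructed space).
UNIVERSE = set(product(HOSTS, DEVICES, DEVICES, DEVICES))

# Possible behavior, perfect observation (possible = observed), slide 10.
POSSIBLE = {
    ("10.0.1.2", "U1", "F1", "S1"), ("10.0.1.2", "U2", "F1", "S1"),
    ("10.0.1.2", "U3", "F2", "S1"), ("10.0.1.3", "U1", "F1", "S2"),
    ("10.0.1.3", "U2", "F2", "S2"), ("10.0.1.3", "U3", "F2", "S2"),
}

# Candidate intent sets (constructed): the slide-10 intents for k = 2, the
# single k = 1 intent, a catch-all, and a set that misses half the behavior.
SPECIFIC = {("10.0.1.2", "User", "Firewall", "S1"),
            ("10.0.1.3", "User", "Firewall", "S2")}
COARSE = {("10.0.1.2/31", "User", "Firewall", "Server")}
CATCH_ALL = {("0.0.0.0/0", "Any", "Any", "Any")}
PARTIAL = {("10.0.1.2", "User", "Firewall", "S1")}


def label_covers(label, leaf):
    return leaf == label or leaf in MEMBERS.get(label, ())


def intent_covers(intent, behavior):
    """True iff every component of the behavior lies under the intent's label."""
    ip_ok = ipaddress.ip_address(behavior[0]) in ipaddress.ip_network(intent[0])
    return ip_ok and all(label_covers(l, d) for l, d in zip(intent[1:], behavior[1:]))


def allowed_by(intents, universe=UNIVERSE):
    """Whitelist assumption: predicted allowed iff some intent covers it."""
    return {b for b in universe if any(intent_covers(i, b) for i in intents)}


def evaluate(intents, possible=POSSIBLE, universe=UNIVERSE):
    """Confusion counts and the slide-18/21 metrics for one intent set."""
    predicted = allowed_by(intents, universe)
    tp = len(predicted & possible)   # possible behavior the intents admit
    fp = len(predicted - possible)   # impossible behavior they admit too
    fn = len(possible - predicted)   # possible behavior they exclude
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f_score = (2 * precision * recall / (precision + recall)
               if precision + recall else 0.0)
    return {"TP": tp, "FP": fp, "FN": fn, "precision": precision,
            "recall": recall, "f_score": f_score}


if __name__ == "__main__":
    for name, intents in [("specific", SPECIFIC), ("coarse", COARSE),
                          ("catch-all", CATCH_ALL), ("partial", PARTIAL)]:
        print(name, evaluate(intents))
```

The two k = 2 intents keep recall at 1 but already admit six never-observed tuples (precision 0.5), the single k = 1 intent admits eighteen (precision 0.25), and the catch-all admits everything; this is the precision drop with a shrinking description limit k that the plots on slides 19 and 20 show, and the reason precision is read as specificity (exclusion of impossible behavior) while recall is read as coverage.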

SLIDE 22

Concluding remarks

  • A new approach towards bridging the semantic gap
  • Anime, a framework to express network behavior and infer intents
    • Fits the hierarchical nature of networks
    • Enables application of ML-toolbox to network intent inference
    • Prototype produces (objectively) high-quality results
    • Acceptable performance
  • Future
    • Incorporating user feedback
    • Automatic anomaly detection
    • User study with real-world network operators
  • Interested?
    • Let’s get in touch: kheradm2@illinois.edu

SLIDE 23

Backup slides

SLIDE 24

Related work

  • Network behavior summarization
    • Net2Text [Birkner et al, NSDI18]
  • Network invariant inference
    • Network analysis [US patent 15/860,558]
    • Config2Spec [Birkner et al, NSDI20]

(Figure: two snapshots of a topology X, A, B, Y; Anime: (snapshot: 1, path: X.A.Y) ∩ (snapshot: 2, path: X.B.Y) = (snapshot: Any, path: X.{A,B}.Y))

SLIDE 25

Example 2

(Figure: topology with AS1 connected through R1, R2, R3, R4, R5 to AS2)

Observed behavior:
  • time: morning, failed links: 0, dstIP: 128.174.0.0/16, path: AS1.R1.R2.R5.AS2
  • time: evening, failed links: 1, dstIP: 128.174.0.0/16, path: AS1.R1.R3.R4.R5.AS2

Inferred intent:
  • time: Any, failed links: [0-1], dstIP: 128.174.0.0/16, path: AS1.R1.Internal+.R5.AS2