jan kucera cesnet cz cesnet a l e
play

jan.kucera@cesnet.cz CESNET, a.l.e. In collaboration with: , - PowerPoint PPT Presentation

Jan 08, 2023 •138 likes •388 views

jan.kucera@cesnet.cz CESNET, a.l.e. In collaboration with: , (University of Cambridge) (Barefoot Networks) , (Brno University of Technology) and (Queen Mary University of London) 1 High-volume traffic clusters The importance of finding

  1. jan.kucera@cesnet.cz CESNET, a.l.e. In collaboration with: , (University of Cambridge) (Barefoot Networks) , (Brno University of Technology) and (Queen Mary University of London) 1

  2. High-volume traffic clusters ■ The importance of finding high-volume traffic clusters ■ Real-time detection is beneficial to many network applications Network event Management task Heavy Hitters accounting, traffic engineering Superspreaders worm, scan, DDoS detection Changes in traffic patterns anomaly detection 2

  3. High-volume traffic cluster definition ■ Traffic cluster (or aggregate) Summary contribution ■ Object exceeding a pre-determined threshold in a time window Threshold T=10 ■ For IP address as a key IP prefixes ■ IP prefixes that contribute with a traffic volume, in terms of bytes, packets or flows, larger that a threshold T during a time interval t Individual hosts / IP addresses Traffic aggregates 3

  4. Traffic clusters events ■ Heavy hitter (HH) ■ A host that sends or receives at least a given number of packets (or bytes) ■ A traffic cluster in terms of packets or bytes per second ■ Superspreader (SS) ■ A source host that contacts at least a given number of distinct destinations ■ A traffic cluster in terms of unique flows per second ■ If applied to distinct sources also known as DDoS victim detection ■ Change detection ■ Identifying changes in the traffic patterns over two consecutive intervals ■ Identifying the traffic that contribute the most for the change ■ A change of traffic clusters in terms of packets, bytes or flows 4

  5. Dataplane programmability ■ In the past, the detection performed outside the dataplane ■ In software collectors, packet sampling employed, using NetFlow or sFlow ■ Today, we can leverage dataplane programmability ! ■ HashPipe [1] ○ Exports the top-k heavy flows counters at fixed time intervals ○ Pipeline of hash tables to retain counters of heavy flows ■ UnivMon [2] , Elastic Sketch [3] ○ Export smart representation of aggregated statistics at fixed time intervals ○ Sketch-based data structures to record network traffic statistics [1] Heavy-Hitter Detection Entirely in the Data Plane . V. Sivaraman, S. Narayana, O. Rottenstreich, S. Muthukrishnan, J. Rexford. In SOSR ’17. [2] One Sketch to Rule Them All: Rethinking Network Flow Monitoring with UnivMon . Z. Liu, A. Manousis, G. Vorsanger, et al. In SIGCOMM ’16 . [3] Elastic Sketch: Adaptive and Fast Network-wide Measurements. T. Yang, J. Jiang, P. Liu, Q. Huang, J. Gong, Y. Zhou, et al. In SIGCOMM ’18 . 5

  6. Motivating a new solution (1) ■ What do these solutions have in common ? ■ The dataplane only aggregates statistics -- only assists in the detection ■ Poll-based model -- the controller polls the structures at fixed time intervals ■ The actual detection (processing the structure) performed in the control plane ■ Is this a problem? CDF for HH detection time ■ Reporting time of heavy hitters detection ■ CAIDA packet traces, reporting time 20 s ■ Which HHs could have been detected earlier ? … waiting to be exported ... ■ > 60% could have been detected within 1 second ➢ Reporting time should be as low as possible 6

  7. Motivating a new solution (2) ■ Is it possible ? Time to retrieve HW counters ■ The cost of statistics collection ■ At least 60 k - 150 k counters required ■ At least 2.5 - 5 seconds needed to retrieve 80 k counters when the switch in idle state ➢ Retrieving the structures is time consuming ■ Would a push-based sketch work ? ■ The limited memory access ■ RMT architecture restrictions to guarantee high throughput ➢ Only a few addresses in a memory block can be read or written 7

  8. Our questions (?) ■ Is it possible to design a data structure , well-suited for ■ push-based design , that ■ would access only a small memory block and ■ expose a single entry upon the detection of a network event ? ■ Enabling true in-network event-triggered detection ? ■ Event-based ฀ controller does not have to receive a lot of useless data ■ As soon as detected , take pre-defined actions ฀ better reactiveness ■ Is it possible ? ■ We did it. We designed such a data structure & algorithm ■ We call it Elastic Trie 8

  9. Elastic Trie data structure in a nutshell ■ Prefix tree that grows or collapses ■ Focus on prefixes that account for a large share of the traffic ■ Each node consists of three elements ■ (1) left child counter , ( 2) right child counter , ( 3) node timestamp ■ Starting condition: a single node for the zero-length prefix * ■ For every incoming packet (5 possible cases) ■ Find the most specific node (LPM) and use timeouts to detect clusters ■ Compare packet and node timestamps , node counters and defined threshold ○ (1) expand the node, (2) collapse the node, (3) keep the node ○ (4) invalidate the node, or (5) update the node counter 9

  10. Elastic Trie in action | How does it work? (1) ■ Updating the node counters ■ On the incoming packets basis Starting condition … updates of the left or ** += 1 ** += 1 c 1 c 1 Root node the right child node counter ... Time ** = t P t N ** += 1 c 0 10

  11. Elastic Trie in action | How does it work? (2) ■ Expanding the node ■ Adds a child, resets a counter, generates a report ** ** 0* c 1 threshold T c 0 threshold T … packet reception c 0 threshold T counters updates ... ** = 0 ** = 0 0* = 0 c 1 c 0 c 0 … packet reception Time t N 1* = t P t N 0* = t P t N 00 = t P counters updates ... 1* = c 1 1* = 0 0* = c 1 0* = 0 00 = c 1 00 = 0 c 0 c 0 c 0 11 11

  12. Elastic Trie in action | How does it work? (3) ■ Keeping the node ■ Collapsing the node ■ Resets counters , sends a report ■ Removes the child, resets counters 1* << t P and 0* << t P and t N t N 1* + c 1 1* 0* + c 1 0* threshold T c 0 threshold T c 0 Time Time … packet reception … packet reception t N 1* = t P t N ** = t P counters updates ... counters updates ... 1* = c 1 1* = 0 ** = c 1 ** = 0 c 0 c 0 12

  13. Elastic Trie implications | Other events ■ The dataplane iteratively refines the responsible IP prefixes ■ The controller can receiver flexible granularity information ■ Each prefix tree layer can have a different timeout ■ Trade-off between tree building process and memory consumption ■ Superspreaders (not at the same time, either HH or SS detection ) ■ Bloom filter to identify unique flows ■ Node counters for distinct destinations count of source prefixes ■ Traffic pattern changes (independently, on top of HH or SS detection tree) ■ Identified by looking at the growing rate of the tree ■ Tracking the difference in number of expanded and collapsed nodes 13

  14. Elastic Trie implementation ■ LPM classification ■ The prefix tree structure ■ Bloom filter (SS only) ■ To test if packet belongs to a new unique flow or not ■ Main memory ■ Where all the per-node information are stored ■ Control logic ■ The brain of the algorithm 14

  15. Elastic Trie implementation in P4 (1) ■ LPM match-action tables ■ We cannot use them ■ We cannot modify entries directly from the dataplane ■ Custom LPM implementation ■ Hash table for each prefix length ■ Hash extern API with CRC32 ■ Each hash table implemented as a register array 15

  16. Elastic Trie implementation in P4 (2) ■ Bloom filter ■ To support superspreaders ■ Register-based bit array ■ Set of hash functions ■ Main memory ■ Register array ■ The hash value of the LPM is the address to access a register that stores the node information ■ Two node counters (2x 32-bit) ■ Node timestamp (48-bit) 16

  17. Elastic Trie implementation in P4 (3) ■ Control logic ■ Compares the node timestamp and the packet timestamp ■ Compares the node counters and the threshold ■ Decides what to do: (1) Update the node counter (2) Expand / (3) Collapse the node (4) Keep / (5) Invalidate the node ■ Implements the structure update logic ■ Implements the push-based mechanic with a digest message 17

  18. Experimental evaluation ■ We tested the original P4 implementation running in BMv2 ■ We created FPGA implementation to quantify HW resources ■ Two Xilinx FPGA s LUTs Chip Regs Frequency Throughput Logic Memory ■ Virtex 7, UltraScale + Virtex 7 11 088 2 880 14 104 172.4 MHz 43.10 Mpps Virtex US+ 9 135 2 641 14 103 307.9 MHz 76.97 Mpps ■ We further created C++ model for packet traces simulations ■ Simulation of heavy hitter, superspreader and change detection on ■ Four one-hour packet traces from CAIDA (San Jose 2009 and Chicago 2016) ■ Comparison with other solutions (UnivMon, HashPipe, ElasticSketch) in terms of memory occupancy, detection accuracy and speed and bandwidth utilization 18

  19. Experimental results (1) ■ Heavy hitters detection Detection accuracy vs. memory occupancy ■ Reporting time interval : 20 s ■ Threshold : 5% ( of total traffic amount) ■ Accuracy defined using F1 score F 1 = 2T P / ( 2T P + F P + F N ) T P … true positives, T N … true negatives F P … false positives, F N ... false negatives ■ Average over all the CAIDA traces ■ ElasticTrie outperforms others ○ ElasticTrie > ~20 kB ○ UnivMon > ~ 800 kB ○ HashPipe > ~100 kB ○ ElasticSketch > ~140 kB 19

  20. Experimental results (2) ■ Change detection ■ Scan attack and DoS attack injected into the real traffic trace (at t = 2500 s) On top of HH detection tree On top of SS detection tree 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CESNET storage activities overview Ji Hork (jiri.horky@cesnet.cz) 6th of March, 2013

CESNET storage activities overview Ji Hork (jiri.horky@cesnet.cz) 6th of March, 2013

12 th TF-Storage Meeting - Berlin CESNET storage activities overview Ji Hork (jiri.horky@cesnet.cz) 6th of March, 2013 History Relatively new activity to CESNET started in autumn 2010 with 2FTEs preparation phase continued until

441 views • 22 slides
Why We Should Care About the Photonic Layer Jan Kundr at jan.kundrat@cesnet.cz CESNET,

Why We Should Care About the Photonic Layer Jan Kundr at jan.kundrat@cesnet.cz CESNET,

Why We Should Care About the Photonic Layer Jan Kundr at jan.kundrat@cesnet.cz CESNET, z.s.p.o. Novemeber 13, 2013 Fiber Image courtesy of the US military Attenuation Signal Level Distance Chromatic Dispersion Dispersion Compensation

760 views • 32 slides
SIP issues Jan Rika CESNET email,sip:janru@cesnet.cz Architecture User Agent

SIP issues Jan Rika CESNET email,sip:janru@cesnet.cz Architecture User Agent

SIP issues Jan Rika CESNET email,sip:janru@cesnet.cz Architecture User Agent B2BUA Server Gateway (UA) registrar MCU (UA) redirect Outbound proxy proxy SIP enabled firewall stateless with NAT

580 views • 13 slides
E2E Provisioning Workshop Dr. Jan Gruntord CEO CESNET, Czech Republic, Member of GN3 Executive

E2E Provisioning Workshop Dr. Jan Gruntord CEO CESNET, Czech Republic, Member of GN3 Executive

E2E Provisioning Workshop Dr. Jan Gruntord CEO CESNET, Czech Republic, Member of GN3 Executive Committee jan.gruntorad@cesnet.cz E2E Provisioning Workshop Prague, November 29 - 30, 2010 Presentation Overview 1. CESNET Basic Data 2.

648 views • 15 slides
CESNET e Infrastructure Storage services vision and plans Storage services vision and

CESNET e Infrastructure Storage services vision and plans Storage services vision and

CESNET e Infrastructure Storage services vision and plans Storage services vision and plans Peter Ver imk (peter.vercimak@cesnet.cz) CESNET, Prague Czech Republic Czech national e Infrastructure projects CESNET CESNET

421 views • 9 slides
Cloud Computing Activities and Contributions by CESNET Zdenk ustr, Miroslav Ruda, Boris

Cloud Computing Activities and Contributions by CESNET Zdenk ustr, Miroslav Ruda, Boris

Cloud Computing Activities and Contributions by CESNET Zdenk ustr, Miroslav Ruda, Boris Park CESNET 25 September 2014 Roles CESNET is an Infrastructure operator NREN NGI National grid &amp; cloud infrastructure EGI

370 views • 10 slides
The CESNET supports telemedicine in Czech Republic Talk focused on live-surgery and

The CESNET supports telemedicine in Czech Republic Talk focused on live-surgery and

Jiri Navratil, CESNET The CESNET supports telemedicine in Czech Republic Talk focused on live-surgery and communication tools used for HD video Jiri Navratil, CESNET a.l.e. Zikova 4, Prague, 16000 Czech Republic 7th Asia Telemedicine

155 views • 14 slides
CESNET and Czech Medical Community as Partners for World Telemedicine 5 th Asian Telemedicine

CESNET and Czech Medical Community as Partners for World Telemedicine 5 th Asian Telemedicine

CESNET and Czech Medical Community as Partners for World Telemedicine 5 th Asian Telemedicine Symposium Fukuoka, Japan, December 16 th -17 th ,2011 Ji Navrtil jiri@cesnet.cz Pavel Pe iva pavel.peciva@kzcr.eu Modern medicine opens wide

458 views • 19 slides
Impact of e-Infrastructures on ICT Research Jan Gruntord CEO of CESNET Member of the GN3

Impact of e-Infrastructures on ICT Research Jan Gruntord CEO of CESNET Member of the GN3

Impact of e-Infrastructures on ICT Research Jan Gruntord CEO of CESNET Member of the GN3 Executive Committee Representative of the CZ in e-IRG Member of the Board for Large Infrastructures for R&amp;D in CZ Prague, October 12th, 2010

481 views • 28 slides
Liberouter: a PC-based IPv6 router Ladislav Lhotka lhotka@cesnet.cz Ji Novotn

Liberouter: a PC-based IPv6 router Ladislav Lhotka lhotka@cesnet.cz Ji Novotn

Liberouter: a PC-based IPv6 router Ladislav Lhotka lhotka@cesnet.cz Ji Novotn novotny@ics.muni.cz Introduction Routers and routing complex technology, interesting algorithms inside the black (blue, violet) boxes

744 views • 16 slides
Backbone Network ACSAT Kuala Lumpur

Backbone Network ACSAT Kuala Lumpur

CEF Approach in CESNET Backbone Network ACSAT Kuala Lumpur 2012 Outline CESNET CEF Approach CZECHLIGHT Future plans ACSAT

270 views • 14 slides
Academic Streaming in Europe: Report on TF-Netcast Dan Mnster TERENA Networking Conference,

Academic Streaming in Europe: Report on TF-Netcast Dan Mnster TERENA Networking Conference,

Academic Streaming in Europe: Report on TF-Netcast Dan Mnster TERENA Networking Conference, Rhodes, June 9 2004 Acknowledgements Co-authors: Alessandro Falaschi, Uni. Roma La Sapienza Michal Krsek, CESNET Ivan Doleal, CESNET

652 views • 50 slides
GPU support in MetaCentrum Miroslav Ruda CESNET April, 2013 GPU support in MetaCentrum I Two

GPU support in MetaCentrum Miroslav Ruda CESNET April, 2013 GPU support in MetaCentrum I Two

GPU support in MetaCentrum Miroslav Ruda CESNET April, 2013 GPU support in MetaCentrum I Two GPU clusters in Czech grid nodes with 2xNVIDIA GeForce GTX 465, 4xTesla M2090 third cluster based on Kepler K20 scheduled this year national grid

416 views • 3 slides
PKI Milan Sova, CESNET EuroCAMP, Porto, 2005-11-07 Public Key Infrastructure Public key

PKI Milan Sova, CESNET EuroCAMP, Porto, 2005-11-07 Public Key Infrastructure Public key

PKI Milan Sova, CESNET EuroCAMP, Porto, 2005-11-07 Public Key Infrastructure Public key cryptography pair of keys public key (encryption, signature verification) private key (decryption, signing) Infrastructure binding

560 views • 35 slides
PKI in federations - approach to non-web services Milan Sova, CESNET EuroCAMP, Dubrovnik, 2007

PKI in federations - approach to non-web services Milan Sova, CESNET EuroCAMP, Dubrovnik, 2007

Everything you never wanted to know about PKI in federations - approach to non-web services Milan Sova, CESNET EuroCAMP, Dubrovnik, 2007 SAMLized applications HTTPS web browser What about email access network access

141 views • 11 slides
Multi-channel streaming for medical and multimedia industry applications and multimedia industry

Multi-channel streaming for medical and multimedia industry applications and multimedia industry

Multi-channel streaming for medical and multimedia industry applications and multimedia industry applications Ji Halk 1 , Michal Krsek 1 , Pavel Pe iva 2 , Sven Ubik 1 , Petr ejdl 1 1 CESNET 2 MNUL 1 CESNET, 2 MNUL 3rd E2E Workshop

533 views • 22 slides
#BetterTogether Navigating partnership challenges May 16, 2018 ACM InterActivity InterActivity

#BetterTogether Navigating partnership challenges May 16, 2018 ACM InterActivity InterActivity

#BetterTogether Navigating partnership challenges May 16, 2018 ACM InterActivity InterActivity 2018 Presenters Eric Demay Creative Director, GSM Project Patti Reiss Director of Museum Experiences, Mississippi Childrens Museum

732 views • 61 slides
Sustainability Workshop Group Philippe Collet, Thomas Degueule,

Sustainability Workshop Group Philippe Collet, Thomas Degueule,

Sustainability Workshop Group Philippe Collet, Thomas Degueule, Bosco Ferreira, Don Matheson, Sbas&lt;en Mosser Sustainability? From our personal experiences

454 views • 7 slides
C H R ONSTRAINT ANDLING ULES Jon Sneyers August 2010 2 CHR summer school 2010

C H R ONSTRAINT ANDLING ULES Jon Sneyers August 2010 2 CHR summer school 2010

1 CHR summer school 2010 Introduction to CHR Jon Sneyers An introduction to An introduction to C ONSTRAINT H ANDLING R ULES C H R ONSTRAINT ANDLING ULES Jon Sneyers August 2010 2 CHR summer school 2010 Introduction to CHR

1.11k views • 64 slides
Activities Caregivers Can Do at Home with Erin Kampbell Attendees are automatically muted when

Activities Caregivers Can Do at Home with Erin Kampbell Attendees are automatically muted when

Activities Caregivers Can Do at Home with Erin Kampbell Attendees are automatically muted when joining Zoom Ask questions using the Zoom chat during the webinar Please complete a brief survey at the end of the webinar 1 Choosing to

792 views • 21 slides
Dynamic Networks and Social Media Prof. Kathleen M. Carley @CMU_CASOS Illustrative Component

Dynamic Networks and Social Media Prof. Kathleen M. Carley @CMU_CASOS Illustrative Component

6/7/2020 Dynamic Networks and Social Media Prof. Kathleen M. Carley @CMU_CASOS Illustrative Component Systems All developed with some ONR sponsorship Purpose Presenter TweetTracker Capture and visualize large number of tweets Arizona

907 views • 23 slides
Degree centralit y IN TR OD U C TION TO N E TW OR K AN ALYSIS IN P YTH ON Eric Ma Data

Degree centralit y IN TR OD U C TION TO N E TW OR K AN ALYSIS IN P YTH ON Eric Ma Data

Degree centralit y IN TR OD U C TION TO N E TW OR K AN ALYSIS IN P YTH ON Eric Ma Data Carpentr y instr u ctor and a u thor of n xv i z package Important nodes Which nodes are important ? Degree centralit y Bet w eenness centralit y

368 views • 25 slides
Arpit Gupta Princeton University Rob Harrison , Ankita Pawar, Marco Canini, Nick Feamster,

Arpit Gupta Princeton University Rob Harrison , Ankita Pawar, Marco Canini, Nick Feamster,

SONATA: Query-Driven Network Telemetry Arpit Gupta Princeton University Rob Harrison , Ankita Pawar, Marco Canini, Nick Feamster, Jennifer Rexford, Walter Willinger Existing Telemetry Systems Compute Store Analysis Queries Packet Capture

854 views • 39 slides
Generalized Contagion Generalized Model of Contagion Principles of Complex Systems References

Generalized Contagion Generalized Model of Contagion Principles of Complex Systems References

Generalized Contagion Generalized Contagion Generalized Model of Contagion Principles of Complex Systems References Course 300, Fall, 2008 Prof. Peter Dodds Department of Mathematics &amp; Statistics University of Vermont Licensed under

466 views • 21 slides

More recommend