TY - GEN
T1 - Carpe Elephants
T2 - 1st ACM SIGCOMM Workshop on Secure Programmable Network Infrastructure, SPIN 2020
AU - Harrison, Rob
AU - Feibish, Shir Landau
AU - Gupta, Arpit
AU - Teixeira, Ross
AU - Muthukrishnan, S.
AU - Rexford, Jennifer
N1 - Publisher Copyright: © 2020 ACM.
PY - 2020/8/10
Y1 - 2020/8/10
N2 - Detecting "heavy hitter" flows is the core of many network security applications. While past work shows how to measure heavy hitters on a single switch, network operators often need to identify network-wide heavy hitters on a small timescale to react quickly to distributed attacks. Detecting network-wide heavy hitters efficiently requires striking a careful balance between the memory and processing resources required on each switch and the network-wide coordination protocol. We present Carpe, a distributed system for detecting network-wide heavy hitters with high accuracy under communication and state constraints. Our solution combines probabilistic counting techniques on the switches with probabilistic reporting to a central coordinator. Based on these reports, the coordinator adapts the reporting threshold and probability at each switch to the spatial locality of the flows. Simulations using traffic traces show that our prototype can detect network-wide heavy hitters with 97% accuracy, while reducing the communication overhead by 17% and switch state by 38%, compared to existing approaches.
AB - Detecting "heavy hitter" flows is the core of many network security applications. While past work shows how to measure heavy hitters on a single switch, network operators often need to identify network-wide heavy hitters on a small timescale to react quickly to distributed attacks. Detecting network-wide heavy hitters efficiently requires striking a careful balance between the memory and processing resources required on each switch and the network-wide coordination protocol. We present Carpe, a distributed system for detecting network-wide heavy hitters with high accuracy under communication and state constraints. Our solution combines probabilistic counting techniques on the switches with probabilistic reporting to a central coordinator. Based on these reports, the coordinator adapts the reporting threshold and probability at each switch to the spatial locality of the flows. Simulations using traffic traces show that our prototype can detect network-wide heavy hitters with 97% accuracy, while reducing the communication overhead by 17% and switch state by 38%, compared to existing approaches.
KW - Heavy hitters
KW - Network-wide monitoring
UR - http://www.scopus.com/inward/record.url?scp=85094972312&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85094972312&partnerID=8YFLogxK
U2 - 10.1145/3405669.3405820
DO - 10.1145/3405669.3405820
M3 - Conference contribution
AN - SCOPUS:85094972312
T3 - Proceedings of the 2020 ACM SIGCOMM Workshop on Secure Programmable Network Infrastructure, SPIN 2020
SP - 15
EP - 21
BT - Proceedings of the 2020 ACM SIGCOMM Workshop on Secure Programmable Network Infrastructure, SPIN 2020
PB - Association for Computing Machinery
Y2 - 14 August 2020
ER -