TY - GEN
T1 - Fast monitoring of traffic subpopulations
AU - Ramachandran, Anirudh
AU - Seetharaman, Srinivasan
AU - Feamster, Nick
AU - Vazirani, Vijay
PY - 2008
Y1 - 2008
N2 - Network accounting, forensics, security, and performance monitoring applications often need to examine detailed traces from subsets of flows ("subpopulations"), where the application requires flexibility in specifying the subpopulation (e.g., to detect a portscan, the application must observe many packets between a source and a destination with one packet to each port). Unfortunately, the dynamism and volume of network traffic on many high-speed links requires traffic sampling, which adversely affects subpopulation monitoring: because many subpopulations of interest to operators are low-volume flows, conventional sampling schemes (e.g., uniform random sampling) can miss much of the subpopulation's traffic. Today's routers and network devices provide scant support for monitoring specific traffic subpopulations. This paper presents the design, implementation, and evaluation of FlexSample, a traffic monitoring framework that dynamically extracts traffic from subpopulations that operators define using conditions on packet header fields. FlexSample uses a fast, flexible counter array to provide rough estimates of packets' membership in respective subpopulations. Based on these coarse estimates, FlexSample then makes per-packet sampling decisions to sample proportionately from each subpopulation (as specified by a network operator), subject to an overall sampling constraint. We apply FlexSample to extract subpopulations such as port scans and traffic to high-degree nodes and find that it can capture significantly more packets from these subpopulations than conventional approaches.
KW - Counters
KW - Flexsample
KW - Sampling
KW - Traffic statistics
KW - Traffic subpopulations
UR - http://www.scopus.com/inward/record.url?scp=63049111118&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=63049111118&partnerID=8YFLogxK
U2 - 10.1145/1452520.1452551
DO - 10.1145/1452520.1452551
M3 - Conference contribution
AN - SCOPUS:63049111118
SN - 9781605583341
T3 - Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC
SP - 257
EP - 270
BT - IMC'08
T2 - Internet Measurement Conference 2008, IMC'08
Y2 - 20 October 2008 through 22 October 2008
ER -