Fast monitoring of traffic subpopulations

  • Authors:
  • Anirudh Ramachandran;Srinivasan Seetharaman;Nick Feamster;Vijay Vazirani

  • Affiliations:
  • Georgia Tech, Atlanta, GA, USA;Georgia Tech, Atanta, GA, USA;Georgia Tech, Atlanta, GA, USA;Georgia Tech, Atlanta, GA, USA

  • Venue:
  • Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
  • Year:
  • 2008

Quantified Score

Hi-index 0.00

Visualization

Abstract

Network accounting, forensics, security, and performance monitoring applications often need to examine detailed traces from subsets of flows ("subpopulations"), where the application desires flexibility in specifying the subpopulation (e.g., to detect a portscan, the application must observe many packets between a source and a destination with one packet to each port). However, the dynamism and volume of network traffic on many high-speed links necessitates traffic sampling, which adversely affects subpopulation monitoring: because many subpopulations of interest to operators are low-volume flows, conventional sampling schemes (e.g., uniform random sampling) miss much of the subpopulation's traffic. Today's routers and network devices provide scant support for monitoring specific traffic subpopulations. This paper presents the design, implementation, and evaluation of FlexSample, a traffic monitoring engine that dynamically extracts traffic from subpopulations that operators define using conditions on packet header fields. FlexSample uses a fast, flexible counter array to provide rough estimates of packets' membership in respective subpopulations. Based on these coarse estimates, FlexSample then makes per-packet sampling decisions to sample proportionately from each subpopulation (as specified by a network operator), subject to an overall sampling constraint. We apply FlexSample to extract subpopulations such as port scans and traffic to high-degree nodes and find that it is able to capture significantly more packets from these subpopulations than conventional approaches.