Fast Filtered Sampling

Authors:
Jianning Mai;Ashwin Sridharan;Hui Zang;Chen-Nee Chuah
Affiliations:
ECE Department, UC Davis, One Shields Avenue, Kemper Hall, Davis, CA 95616, United States;Sprint Nextel, One Adrian Court, Burlingame, CA 94010, United States;Sprint Nextel, One Adrian Court, Burlingame, CA 94010, United States;ECE Department, UC Davis, One Shields Avenue, Kemper Hall, Davis, CA 95616, United States
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2010

Citing 24
Cited 1

Summary cache: a scalable wide-area web cache sharing protocol

IEEE/ACM Transactions on Networking (TON)
Space/time trade-offs in hash coding with allowable errors

Communications of the ACM
Trajectory sampling for direct traffic observation

IEEE/ACM Transactions on Networking (TON)
New directions in traffic measurement and accounting

Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Properties and prediction of flow statistics from sampled packet streams

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
New directions in traffic measurement and accounting: Focusing on the elephants, ignoring the mice

ACM Transactions on Computer Systems (TOCS)
Space-code bloom filter for efficient traffic flow measurement

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Predicting resource usage and estimation accuracy in an IP flow measurement collection infrastructure

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Inverting sampled traffic

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Flow sampling under hard resource constraints

Proceedings of the joint international conference on Measurement and modeling of computer systems
Data streaming algorithms for efficient and accurate estimation of flow size distribution

Proceedings of the joint international conference on Measurement and modeling of computer systems
Building a better NetFlow

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Payload attribution via hierarchical bloom filters

Proceedings of the 11th ACM conference on Computer and communications security
FlowScan: A Network Traffic Flow Reporting and Visualization Tool

LISA '00 Proceedings of the 14th USENIX conference on System administration
A data streaming algorithm for estimating subpopulation flow size distribution

SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Design of a novel statistics counter architecture with optimal space and time efficiency

SIGMETRICS '06/Performance '06 Proceedings of the joint international conference on Measurement and modeling of computer systems
Is sampled data sufficient for anomaly detection?

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Joint data streaming and sampling techniques for detection of super sources and destinations

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
ProgME: towards programmable network measurement

Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
A generic language for application-specific flow sampling

ACM SIGCOMM Computer Communication Review
Counter braids: a novel counter architecture for per-flow measurement

SIGMETRICS '08 Proceedings of the 2008 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Fast monitoring of traffic subpopulations

Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Impact of Packet Sampling on Portscan Detection

IEEE Journal on Selected Areas in Communications

Virtual indexing based methods for estimating node connection degrees

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.00

Visualization

Abstract

Traffic sampled from the network backbone using uniform packet sampling is commonly utilized to detect heavy hitters, estimate flow level statistics, as well as identify anomalies like DDoS attacks and worm scans. Previous work has shown however that this technique introduces flow bias and truncation which yields inaccurate flow statistics and ''drowns out'' information from small flows, leading to large false positives in anomaly detection. In this paper, we present a new sampling design: Fast Filtered Sampling (FFS), which is comprised of an independent low-complexity filter, concatenated with any sampling scheme at choice. FFS ensures the integrity of small flows for anomaly detection, while still providing acceptable identification of heavy hitters. This is achieved through a filter design which suppresses packets from flows as a function of their size, ''boosting'' small flows relative to medium and large flows. FFS design requires only one update operation per packet, has two simple control parameters and can work in conjunction with existing sampling mechanisms without any additional changes. Therefore, it accomplishes a lightweight online implementation of the ''flow-size dependent'' sampling method. Through extensive evaluation on traffic traces, we show the efficacy of FFS for applications such as portscan detection and traffic estimation.