Deriving traffic demands for operational IP networks: methodology and experience
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Charging from sampled network usage
IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
New directions in traffic measurement and accounting
Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Estimating flow distributions from sampled flow statistics
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Gigascope: a stream database for network applications
Proceedings of the 2003 ACM SIGMOD international conference on Management of data
Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Sketch-based change detection: methods, evaluation, and applications
Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Data streaming algorithms for efficient and accurate estimation of flow size distribution
Proceedings of the joint international conference on Measurement and modeling of computer systems
Diagnosing network-wide traffic anomalies
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Worm Origin Identification Using Random Moonwalks
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
A robust system for accurate real-time summaries of internet traffic
SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
An improved data stream summary: the count-min sketch and its applications
Journal of Algorithms
Profiling internet backbone traffic: behavior models and applications
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Fast hash table lookup using extended bloom filter: an aid to network processing
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Mining anomalies using traffic feature distributions
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
BLINC: multilevel traffic classification in the dark
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Segmented hash: an efficient hash table implementation for high performance networking subsystems
Proceedings of the 2005 ACM symposium on Architecture for networking and communications systems
Data streaming algorithms for estimating entropy of network traffic
SIGMETRICS '06/Performance '06 Proceedings of the joint international conference on Measurement and modeling of computer systems
Design of a novel statistics counter architecture with optimal space and time efficiency
SIGMETRICS '06/Performance '06 Proceedings of the joint international conference on Measurement and modeling of computer systems
Fisher information of sampled packets: an application to flow size estimation
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Impact of packet sampling on anomaly detection metrics
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Is sampled data sufficient for anomaly detection?
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
The power of slicing in internet flow measurement
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
LADS: large-scale automated DDOS detection system
ATEC '06 Proceedings of the annual conference on USENIX '06 Annual Technical Conference
ProgME: towards programmable network measurement
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
A generic language for application-specific flow sampling
ACM SIGCOMM Computer Communication Review
Reformulating the monitor placement problem: optimal network-wide sampling
CoNEXT '06 Proceedings of the 2006 ACM CoNEXT conference
Counter braids: a novel counter architecture for per-flow measurement
SIGMETRICS '08 Proceedings of the 2008 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
CSAMP: a system for network-wide flow monitoring
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Fast monitoring of traffic subpopulations
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
PLUG: flexible lookup modules for rapid deployment of new protocols in high-speed routers
Proceedings of the ACM SIGCOMM 2009 conference on Data communication
Hit-list worm detection and bot identification in large networks using protocol graphs
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Coordinated sampling sans origin-destination identifiers: algorithms and analysis
COMSNETS'10 Proceedings of the 2nd international conference on COMmunication systems and NETworks
Finding peer-to-peer file-sharing using coarse network behaviors
ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security
A multi-task adaptive monitoring system combining different sampling primitives
Proceedings of the 23rd International Teletraffic Congress
A Passive Network Appliance for Real-Time Network Monitoring
Proceedings of the 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems
Proceedings of the 13th International Middleware Conference
Software defined traffic measurement with OpenSketch
nsdi'13 Proceedings of the 10th USENIX conference on Networked Systems Design and Implementation
| Hi-index | 0.00 |
Network management applications require accurate estimates of a wide range of flow-level traffic metrics. Given the inadequacy of current packet-sampling-based solutions, several application-specific monitoring algorithms have emerged. While these provide better accuracy for the specific applications they target, they increase router complexity and require vendors to commit to hardware primitives without knowing how useful they will be to meet the needs of future applications. In this paper, we show using trace-driven evaluations that such complexity and early commitment may not be necessary. We revisit the case for a "minimalist" approach in which a small number of simple yet generic router primitives collect flow-level data from which different traffic metrics can be estimated. We demonstrate the feasibility and promise of such a minimalist approach using flow sampling and sample-and-hold as sampling primitives and configuring these in a network-wide coordinated fashion using cSamp. We show that this proposal yields better accuracy across a collection of application-level metrics than dividing the same memory resources across metric-specific algorithms. Moreover, because a minimalist approach enables late binding to what application level metrics are important, it better insulates router implementations and deployments from changing monitoring needs.