Fast monitoring of traffic subpopulations

Title: Fast monitoring of traffic subpopulations
Publication Type: Conference Papers
Year of Publication: 2008
Authors: Ramachandran A, Seetharaman S, Feamster N, Vazirani V
Conference Name: Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Date Published: 2008
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-60558-334-1
Keywords: counters, flexsample, sampling, traffic statistics, traffic subpopulations
Abstract:

Network accounting, forensics, security, and performance monitoring applications often need to examine detailed traces from subsets of flows ("subpopulations"), where the application desires flexibility in specifying the subpopulation (e.g., to detect a portscan, the application must observe many packets between a source and a destination with one packet to each port). However, the dynamism and volume of network traffic on many high-speed links necessitate traffic sampling, which adversely affects subpopulation monitoring: because many subpopulations of interest to operators are low-volume flows, conventional sampling schemes (e.g., uniform random sampling) miss much of the subpopulation's traffic. Today's routers and network devices provide scant support for monitoring specific traffic subpopulations. This paper presents the design, implementation, and evaluation of FlexSample, a traffic monitoring engine that dynamically extracts traffic from subpopulations that operators define using conditions on packet header fields. FlexSample uses a fast, flexible counter array to provide rough estimates of packets' membership in respective subpopulations. Based on these coarse estimates, FlexSample then makes per-packet sampling decisions to sample proportionately from each subpopulation (as specified by a network operator), subject to an overall sampling constraint. We apply FlexSample to extract subpopulations such as port scans and traffic to high-degree nodes and find that it is able to capture significantly more packets from these subpopulations than conventional approaches.

URL: http://doi.acm.org/10.1145/1452520.1452551
DOI: 10.1145/1452520.1452551