Article

A robust system for accurate real-time summaries of internet traffic

Authors:

Cristian EstanAuthors Info & Claims

SIGMETRICS '05: Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems

Pages 85 - 96

https://doi.org/10.1145/1064212.1064223

Published: 06 June 2005 Publication History

Abstract

Good performance under extreme workloads and isolation between the resource consumption of concurrent jobs are perennial design goals of computer systems ranging from multitasking servers to network routers. In this paper we present a specialized system that computes multiple summaries of IP traffic in real time and achieves robustness and isolation between tasks in a novel way: by automatically adapting the parameters of the summarization algorithms. In traditional systems, anomalous network behavior such as denial of service attacks or worms can overwhelm the memory or CPU, making the system produce meaningless results exactly when measurement is needed most. In contrast, our measurement system reacts by gracefully degrading the accuracy of the affected summaries.The types of summaries we compute are widely used by network administrators monitoring the workloads of their networks: the ports sending the most traffic, the IP addresses sending or receiving the most traffic or opening the most connections, etc. We evaluate and compare many existing algorithmic solutions for computing these summaries, as well as two new solutions we propose here: "flow sample and hold" and "Bloom filter tuple set counting". Compared to previous solutions, these new solutions offer better memory versus accuracy tradeoffs and have more predictable resource consumption. Finally, we evaluate the actual implementation of a complete system that combines the best of these algorithms.

References

[1]

IPMON - packet trace analysis. http://ipmon.sprintlabs.com/packstat/packetoverview.php.

[2]

PSAMP working group. http://www.ietf.org/html.charters/psamp-charter.html.

[3]

Z. Bar-Yossef, T. Jayram, R. Kumar, D. Sivakumar, and L. Trevisan. Counting distinct elements in a data stream. In Proc. of the 6th International Workshop on Randomization and Approximation Techniques in Computer Science, 2003.

Digital Library

[4]

B. Bloom. Space/time trade-offs in hash coding with allowable errors. In Commun. ACM, volume 13, pages 422--426, July 1970.

Digital Library

[5]

J. L. Carter and M. N. Wegman. Universal classes of hash functions. In Journal of Computer and System Sciences, volume 18, Apr. 1979.

[6]

S. Chaudhuri, R. Motwani, and V. Narasayya. Random sampling for histogram construction: How much is enough? pages 436--447, June 1998.

Digital Library

[7]

G. Cormode and S. Muthukrishnan. What's hot and what's not: Tracking most frequent items dynamically. In In Proceedings of PODS, June 2003.

Digital Library

[8]

C. Cranor, T. Johnson, O. Spatschek, and V. Shkapenyuk. Gigascope: A stream database for network applications. In p-sigmod, June 2003.

Digital Library

[9]

S. A. Crosby and D. S. Wallach. Denial of Service via Algorithmic Complexity Attacks. In Usenix Security. Usenix, Aug. 2003.

Digital Library

[10]

N. Duffield, C. Lund, and M. Thorup. Charging from sampled network usage. In SIGCOMM Internet Measurement Workshop, Nov. 2001.

Digital Library

[11]

N. Duffield, C. Lund, and M. Thorup. Estimating flow distributions from sampled flow statistics. In SIGCOMM, pages 325--336, Aug. 2003.

Digital Library

[12]

M. Durand and P. Flajolet. Loglog counting of large cardinalities. In ESA, Sept. 2003.

[13]

C. Estan, K. Keys, D. Moore, and G. Varghese. Building a better NetFlow. In SIGCOMM, Aug. 2004.

Digital Library

[14]

C. Estan and G. Varghese. New directions in traffic measurement and accounting. In SIGCOMM, Aug. 2002.

Digital Library

[15]

C. Estan, G. Varghese, and M. Fisk. Bitmap algorithms for counting active flows on high speed links. In Internet Measurement Conference, Oct. 2003.

Digital Library

[16]

M. Fang, N. Shivakumar, H. Garcia-Molina, R. Motwani, and J. D. Ullman. Computing iceberg queries efficiently. In International Conference on Very Large Data Bases, pages 307--317, Aug. 1998.

Digital Library

[17]

A. Feldmann, A. Greenberg, C. Lund, N. Reingold, J. Rexford, and F. True. Deriving traffic demands for operational IP networks: Methodology and experience. In SIGCOMM, pages 257--270, Aug. 2000.

Digital Library

[18]

P. Flajolet and G. N. Martin. Probabilistic counting algorithms for data base applications. Journal of Computer and System Sciences, 31(2):182--209, Oct. 1985.

Digital Library

[19]

P. B. Gibbons and Y. Matias. New sampling-based summary statistics for improving approximate query answers. pages 331--342, June 1998.

Digital Library

[20]

Intel Corporation. E7505 Chipset. http://www.intel.com/design/chipsets/e7505/.

[21]

Intel Corporation. E8870 Chipset. http://www.intel.com/design/chipsets/e8870/.

[22]

K. Keys, D. Moore, and C. Estan. A robust system for accurate real-time summaries of Internet traffic: Technical report. http://www.caida.org/outreach/papers/2005/tr-2005-01/.

[23]

K. Keys, D. Moore, R. Koga, E. Lagache, M. Tesch, and k claffy. The architecture of CoralReef: an Internet traffic monitoring software suite. In PAM2001 (Passive and Active Measurement Workshop), Apr. 2001.

[24]

A. Kumar, J. Xu, J. Wang, O. Spatschek, and L. Li. Space-code bloom filter for efficient per-flow traffic measurement. In Proc. of IEEE INFOCOM, Mar. 2004.

[25]

D. Moore, K. Keys, R. Koga, E. Lagache, and k. claffy. CoralReef software suite as a tool for system and network administrators. In Usenix LISA, San Diego, CA, 4-7 Dec 2001. Usenix.

Digital Library

[26]

Cisco NetFlow. http://www.cisco.com/warp/public/732/Tech/netflow.

[27]

Sampled NetFlow. http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s11/12s_sanf.htm.

[28]

ServerWorks, Inc. GC-LE Chipset. http://www.serverworks.com/products/GCLE.html.

[29]

S. Venkataraman, D. Song, P. B. Gibbons, and A. Blum. New streaming algorithms for fast detection of superspreaders. In NDSS, Feb. 2005.

[30]

Waikato Applied Network Dynamics group. The DAG project. http://dag.cs.waikato.ac.nz/.

[31]

K.-Y. Whang, B. T. Vander-Zanden, and H. M. Taylor. A linear-time probabilistic counting algorithm for database applications. ACM Transactions on Database Systems, 15(2):208--229, 1990.

Digital Library

Cited By

Ahmed NDuffield NRossi R(2021)Online Sampling of Temporal NetworksACM Transactions on Knowledge Discovery from Data10.1145/344220215:4(1-27)Online publication date: 18-Apr-2021
https://dl.acm.org/doi/10.1145/3442202
Xu KXu K(2021)Real-Time Network Behavior AnalysisNetwork Behavior Analysis10.1007/978-981-16-8325-1_6(71-92)Online publication date: 16-Dec-2021
https://doi.org/10.1007/978-981-16-8325-1_6
Duffield NXu YXia LAhmed NYu MLim EWinslett MSanderson MFu ASun JCulpepper SLo EHo JDonato DAgrawal RZheng YCastillo CSun ATseng VLi C(2017)Stream Aggregation Through Order SamplingProceedings of the 2017 ACM on Conference on Information and Knowledge Management10.1145/3132847.3133042(909-918)Online publication date: 6-Nov-2017
https://dl.acm.org/doi/10.1145/3132847.3133042
Show More Cited By

Index Terms

A robust system for accurate real-time summaries of internet traffic
1. Networks
  1. Network services
    1. Network monitoring

Recommendations

A robust system for accurate real-time summaries of internet traffic
Performance evaluation review

Good performance under extreme workloads and isolation between the resource consumption of concurrent jobs are perennial design goals of computer systems ranging from multitasking servers to network routers. In this paper we present a specialized system ...
Real-Time Traffic Transmission Over the Internet
Execution Time Compensation for Cloud Applications by Subtracting Steal Time based on Host-Level Sampling
ICPE '16 Companion: Companion Publication for ACM/SPEC on International Conference on Performance Engineering

Accurate measurement of program execution time is indispensable to time-based charge systems and performance debugging in all computer systems. However, cloud application execution time cannot be measured properly because measurement in a virtual ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SIGMETRICS '05: Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems

June 2005

428 pages

ISBN:1595930221

DOI:10.1145/1064212

General Chairs:
Derek Eager
University of Saskatchewan, Canada
,
Carey Williamson
University of Calgary, Canada
,
Program Chairs:
Sem Borst
Bell Labs, USA & CWI, The Netherlands
,
John C. S. Lui
Chinese University of Hong Kong, China

ACM SIGMETRICS Performance Evaluation Review Volume 33, Issue 1
Performance evaluation review
June 2005
417 pages
ISSN:0163-5999
DOI:10.1145/1071690
Issue’s Table of Contents

Copyright © 2005 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 June 2005

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

SIGMETRICS05

Sponsor:

SIGMETRICS05: 2005 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems

June 6 - 10, 2005

Alberta, Banff, Canada

Acceptance Rates

Overall Acceptance Rate 459 of 2,691 submissions, 17%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

50
Total Citations
View Citations
682
Total Downloads

Downloads (Last 12 months)3
Downloads (Last 6 weeks)0

Reflects downloads up to 22 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Ahmed NDuffield NRossi R(2021)Online Sampling of Temporal NetworksACM Transactions on Knowledge Discovery from Data10.1145/344220215:4(1-27)Online publication date: 18-Apr-2021
https://dl.acm.org/doi/10.1145/3442202
Xu KXu K(2021)Real-Time Network Behavior AnalysisNetwork Behavior Analysis10.1007/978-981-16-8325-1_6(71-92)Online publication date: 16-Dec-2021
https://doi.org/10.1007/978-981-16-8325-1_6
Duffield NXu YXia LAhmed NYu MLim EWinslett MSanderson MFu ASun JCulpepper SLo EHo JDonato DAgrawal RZheng YCastillo CSun ATseng VLi C(2017)Stream Aggregation Through Order SamplingProceedings of the 2017 ACM on Conference on Information and Knowledge Management10.1145/3132847.3133042(909-918)Online publication date: 6-Nov-2017
https://dl.acm.org/doi/10.1145/3132847.3133042
Horalek JNeradova SKaramazov SHolik FMarik OZitta S(2015)Proposal to Centralize Operational Data Outputs of Airport FacilitiesComputational Collective Intelligence10.1007/978-3-319-24306-1_34(346-354)Online publication date: 24-Oct-2015
https://doi.org/10.1007/978-3-319-24306-1_34
Ahmed MMahmood AMaher M(2015)A Novel Approach for Network Traffic SummarizationScalable Information Systems10.1007/978-3-319-16868-5_5(51-60)Online publication date: 7-Apr-2015
https://doi.org/10.1007/978-3-319-16868-5_5
Amann JHall SSommer R(2014)Count Me In: Viable Distributed Summary Statistics for Securing High-Speed NetworksResearch in Attacks, Intrusions and Defenses10.1007/978-3-319-11379-1_16(320-340)Online publication date: 2014
https://doi.org/10.1007/978-3-319-11379-1_16
KAMIYAMA NMORI TKAWAHARA RHARADA S(2013)Optimally Identifying Worm-Infected HostsIEICE Transactions on Communications10.1587/transcom.E96.B.2084E96.B:8(2084-2094)Online publication date: 2013
https://doi.org/10.1587/transcom.E96.B.2084
Kuai Xu Lin Gu Feng Wang (2013)Monitoring home network traffic via programmable routers2013 IEEE Global Communications Conference (GLOBECOM)10.1109/GLOCOM.2013.6831138(605-610)Online publication date: Dec-2013
https://doi.org/10.1109/GLOCOM.2013.6831138
Kamiyama NMori TKawahara R(2013)Autonomic load balancing of flow monitorsComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2012.10.01857:3(741-761)Online publication date: 1-Feb-2013
https://dl.acm.org/doi/10.1016/j.comnet.2012.10.018
Mitamura TYoshida K(2012)Viewers' Side Analysis of Social InterestsProceedings of the 2012 IEEE 12th International Conference on Data Mining Workshops10.1109/ICDMW.2012.28(301-308)Online publication date: 10-Dec-2012
https://dl.acm.org/doi/10.1109/ICDMW.2012.28
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents