DOI: 10.1145/3405669.3405820
research-article

Carpe Elephants: Seize the Global Heavy Hitters

Published: 10 August 2020

Abstract

Detecting "heavy hitter" flows is the core of many network security applications. While past work shows how to measure heavy hitters on a single switch, network operators often need to identify network-wide heavy hitters on a small timescale to react quickly to distributed attacks. Detecting network-wide heavy hitters efficiently requires striking a careful balance between the memory and processing resources required on each switch and the network-wide coordination protocol. We present Carpe, a distributed system for detecting network-wide heavy hitters with high accuracy under communication and state constraints. Our solution combines probabilistic counting techniques on the switches with probabilistic reporting to a central coordinator. Based on these reports, the coordinator adapts the reporting threshold and probability at each switch to the spatial locality of the flows. Simulations using traffic traces show that our prototype can detect network-wide heavy hitters with 97% accuracy, while reducing the communication overhead by 17% and switch state by 38%, compared to existing approaches.
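
The switch-side counting and sampled reporting described in the abstract can be sketched as follows. This is an added illustration, not Carpe's algorithm or code from the paper: the count-min sketch shape, the report rule, the thresholds, the flow names and the traffic are all assumptions constructed here, and the coordinator's adaptation of per-switch thresholds and probabilities is not modelled.

```python
import hashlib, random
from collections import Counter

DEPTH, WIDTH = 3, 512          # count-min sketch shape per switch (assumed)
LOCAL_T, GLOBAL_T = 20, 1000   # per-switch report step, network-wide threshold

class Switch:
    def __init__(self, prob, rng):
        self.rows = [[0] * WIDTH for _ in range(DEPTH)]
        self.prob, self.rng, self.sent = prob, rng, 0

    def packet(self, flow, coordinator):
        digest = hashlib.sha256(flow.encode()).digest()
        est = None
        for r in range(DEPTH):   # independent 4-byte slice of the digest per row
            col = int.from_bytes(digest[4 * r:4 * r + 4], "big") % WIDTH
            self.rows[r][col] += 1
            est = self.rows[r][col] if est is None else min(est, self.rows[r][col])
        # No per-flow state: a report is possible only when the estimate lands
        # on a multiple of LOCAL_T, and is then sent with probability prob.
        if est % LOCAL_T == 0 and self.rng.random() < self.prob:
            self.sent += 1
            coordinator[flow] += LOCAL_T / self.prob   # unbiased 1/prob scaling

def run(prob, seed=7):
    """Replay constructed traffic over 4 switches; return (heavy flows, reports)."""
    rng = random.Random(seed)
    switches = [Switch(prob, rng) for _ in range(4)]
    # 500 packets per switch: below GLOBAL_T everywhere, 2000 network-wide.
    packets = [(s, "elephant") for s in range(4) for _ in range(500)]
    packets += [(0, "local-only")] * 300          # busy on one switch only
    for m in range(40):                           # mice: 5 packets each
        packets += [(rng.randrange(4), f"mouse-{m}")] * 5
    rng.shuffle(packets)
    coordinator = Counter()                       # flow -> estimated global count
    for sw, flow in packets:
        switches[sw].packet(flow, coordinator)
    heavy = {f for f, est in coordinator.items() if est >= GLOBAL_T}
    return heavy, sum(s.sent for s in switches)

if __name__ == "__main__":
    for p in (1.0, 0.5):
        print(p, run(p))
```

No single switch sees the constructed "elephant" flow reach the network-wide threshold, yet the coordinator flags it from the scaled reports, and lowering the report probability reduces the number of messages sent.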


    Published In

    SPIN '20: Proceedings of the Workshop on Secure Programmable Network Infrastructure
    August 2020
    53 pages
    ISBN:9781450380416
    DOI:10.1145/3405669
    © 2020 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Heavy hitters
    2. Network-wide monitoring

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    SIGCOMM '20