Cumulative Violation For any window size  t  Communication-Efficient Tracking for Distributed Cumulative Triggers Ling Huang* Minos Garofalakis § Anthony Joseph* Nina Taft § *UC Berkeley § Intel Research Large Scale Distributed Monitoring Platform Purpose: Enhance distributed monitoring platforms with a distributed triggering capability. A set of distributed monitors Each produces ongoing time series signals Sends filtered signal to coordinator A coordinator Is aggregation, detection and coordination center Fires trigger if subset of nodes violates a threshold constraint Tell monitors what level of accuracy is needed in their reporting Examples Distributed monitors are IDS systems and coordinator is global log repository sitting inside security operations center in enterprise network. For enterprise and ISP IT teams: monitors on each link and coordinator pulls data into network operations center to monitor for hot spots, failures, attacks, and check when upgrades needed. We focus on sums of incoming time series: fire a trigger when the sum of monitored variable, across multiple machines, is too high. E.g., number of TCP connections, number of DNS transactions, traffic volume per port 80, etc. Problem Statement User Inputs: Constraint violation threshold: C Tolerable false alarm rate:  Tolerable missed detection rate:  Tolerable error zone around constraint:  Accrue penalty as bypass constraint C Let V(t,  ) be size of penalty, at time t, over past window  GOAL: fire trigger whenever penalty exceeds error tolerance, with required accuracy level AND with minimum communication overhead (monitor updates) Cumulative Triggers The  used is this corresponds to the beginning of most recent “busy” period Distributed Trigger Tracking Framework Reducing Communication Overhead Solution Approach Evaluation and Results How to lower communication overhead but still fire trigger accurately? Filter monitored signal, don’t update unless significant change occurred Key idea: when far away from trigger threshold, monitors can afford to be less accurate. Coordinator informs them when they can do this, and by how much. To lower communications costs, monitors should send as few signal updates as possible There is a discrepancy between the coordinator’s view of the global state and the actual global state. With fewer updates, the discrepancy increases. Need to manage the tradeoff: coordinator view needs to be accurate enough to as to fire the trigger with prescribed accuracy level while simultaneously keeping the communications overhead as low as possible Challenge Use queues at local monitors. Only send update when queue is full. Use queue at coordinator. Fire trigger when queue overflows. Problem: Size all the queues correctly so that triggers fire with desired accuracy level. Analytical solution: using M/M/1 and M/D/1 queue models, can solve explicitly for queue sizes. Adaptivity: Coordinator computes excess slack and distributes it to monitors adaptively, to resize their local queues. Less than 10% of original signal sent. A > 90% reduction in overhead! Can operate well when requirements on false alarms and missed detections are low. constraint threshold error tolerance false alarm rate missed detection rate user inputs original monitored time series filtered time series filtering parameters Deployed 200 SNORT sensors on Planetlab nodes. Evaluation carried out for following time series: “number of active TCP connections”