1 An Information-theoretic Approach to Network Measurement and Monitoring Yong Liu, Don Towsley, Tao Ye, Jean Bolot.

Slides:



Advertisements
Similar presentations
New Packet Sampling Technique for Robust Flow Measurements Shigeo Shioda Department of Architecture and Urban Science Graduate School of Engineering, Chiba.
Advertisements

Monitoring very high speed links Gianluca Iannaccone Sprint ATL joint work with: Christophe Diot – Sprint ATL Ian Graham – University of Waikato Nick McKeown.
Distributed Assignment of Encoded MAC Addresses in Sensor Networks By Curt Schcurgers Gautam Kulkarni Mani Srivastava Presented By Charuka Silva.
IPv4 - The Internet Protocol Version 4
NETWORK LAYER (1) T.Najah AlSubaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.
Prentice HallHigh Performance TCP/IP Networking, Hassan-Jain Chapter 2 TCP/IP Fundamentals.
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.
BZUPAGES.COM 1 User Datagram Protocol - UDP RFC 768, Protocol 17 Provides unreliable, connectionless on top of IP Minimal overhead, high performance –No.
Evaluation of Header Field Entropy for Hash-Based Packet Selection Evaluation of Header Field Entropy for Hash-Based Packet Selection Christian Henke,
FLAME: A Flow-level Anomaly Modeling Engine
Leon-Garcia & Widjaja: Communication Networks Copyright ©2000 The McGraw Hill Companies A Little More on Chapter 7 And Start Chapter 8 TCP/IP.
1 K. Salah Module 5.2: Internet Protocol CO vs. CL protocols IP Features –Fragmentation –Routing IP Datagram Format IPv6.
A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22.
FLIP : Flexible Interconnection Protocol Ignacio Solis Katia Obraczka.
Network Traffic Measurement and Modeling CSCI 780, Fall 2005.
CSEE W4140 Networking Laboratory Lecture 6: TCP and UDP Jong Yul Kim
1 Application TCPUDP IPICMPARPRARP Physical network Application TCP/IP Protocol Suite.
Source Port # (16)Destination Port # (16) Sequence Number (32 bits) Acknowledgement Number (32 bits) Hdr Len (4) Flags (6)Window Size (16) Options (if.
Variance of Aggregated Web Traffic Robert Morris MIT Laboratory for Computer Science IEEE INFOCOM 2000’
User-level Internet Path Diagnosis R. Mahajan, N. Spring, D. Wetherall and T. Anderson.
Application Identification in Information-poor Environments Charalampos (Haris) Rotsos Computer Laboratory University of Cambridge
Exploiting Packet Header Redundancy for Zero Cost Dissemination of Dynamic Resource Information Peter A. Dinda Prescience Lab Department of Computer Science.
1 Internet Networking Spring 2002 Tutorial 2 IP Checksum, Fragmentation.
TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.
Chapter 3 Review of Protocols And Packet Formats
ECE 526 – Network Processing Systems Design Packet Processing II: algorithms and data structures Chapter 5: D. E. Comer.
1 An Information Theoretic Approach to Network Trace Compression Y. Liu, D. Towsley, J. Weng and D. Goeckel.
Defining Network Protocols Application Protocols –Application Layer –Presentation Layer –Session Layer Transport Protocols –Transport Layer Network Protocols.
RACE: Time Series Compression with Rate Adaptivity and Error Bound for Sensor Networks Huamin Chen, Jian Li, and Prasant Mohapatra Presenter: Jian Li.
R 18 G 65 B 145 R 0 G 201 B 255 R 104 G 113 B 122 R 216 G 217 B 218 R 168 G 187 B 192 Core and background colors: 1© Nokia Solutions and Networks 2014.
1 Chapter 1 OSI Architecture The OSI 7-layer Model OSI – Open Systems Interconnection.
POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) 5. Passive Monitoring Techniques.
Introduction to Networks CS587x Lecture 1 Department of Computer Science Iowa State University.
NetFlow: Digging Flows Out of the Traffic Evandro de Souza ESnet ESnet Site Coordinating Committee Meeting Columbus/OH – July/2004.
Multimedia Data Introduction to Lossless Data Compression Dr Sandra I. Woolley Electronic, Electrical.
Addressing Image Compression Techniques on current Internet Technologies By: Eduardo J. Moreira & Onyeka Ezenwoye CIS-6931 Term Paper.
Jennifer Rexford Princeton University MW 11:00am-12:20pm Measurement COS 597E: Software Defined Networking.
Internet Protocol Formats. IP (V4) Packet byte 0 byte1 byte 2 byte 3 data... – up to 65 K including heading info Version IHL Serv. Type Total Length Identifcation.
End-to-End Performance and Fairness in Multihop Wireless Backhaul Networks V. Gambiroza, B. Sadeghi, and E. Knightly Rice University.
4/19/20021 TCPSplitter: A Reconfigurable Hardware Based TCP Flow Monitor David V. Schuehler.
Decoding an IP Header (1)
Lecture 4 Overview. Ethernet Data Link Layer protocol Ethernet (IEEE 802.3) is widely used Supported by a variety of physical layer implementations Multi-access.
Optimal Sampling Strategies for Multiscale Stochastic Processes Vinay Ribeiro Rolf Riedi, Rich Baraniuk (Rice University)
Samples of Descriptive Problems CSC/ECE 573, Sections 001 Fall, 2012.
Efficient Cache Structures of IP Routers to Provide Policy-Based Services Graduate School of Engineering Osaka City University
1 Microsoft Windows 2000 Network Infrastructure Administration Chapter 4 Monitoring Network Activity.
Introduction to TCP/IP networking. TCP/IP protocol family IP : Internet Protocol UDP : User Datagram Protocol TCP : Transmission Control Protocol.
1 CSE 5346 Spring Network Simulator Project.
Locating network monitors: complexity, heuristics, and coverage Kyoungwon Suh Yang Guo Jim Kurose Don Towsley.
Lect1..ppt - 01/06/05 CDA 6505 Network Architecture and Client/Server Computing Lecture 3 TCP and IP by Zornitza Genova Prodanoff.
Chapter 3 TCP and IP 1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) User Datagram Protocol (UDP) Internet.
TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).
Chapter 3 TCP and IP Chapter 3 TCP and IP.
Multiplexing.
Data Streaming in Computer Networking
Process-to-Process Delivery, TCP and UDP protocols
Internet Protocol Formats
Impact of Packet Sampling on Anomaly Detection Metrics
Optimal Elephant Flow Detection Presented by: Gil Einziger,
EE 122: Lecture 18 (Differentiated Services)
Feifei Li, Ching Chang, George Kollios, Azer Bestavros
ECSE-4670: Computer Communication Networks (CCN)
Leveraging Textual Specifications for Grammar-based Fuzzing of Network Protocols Samuel Jero, Maria Leonor Pacheco, Dan Goldwasser, Cristina Nita-Rotaru.
Internet Protocol Formats
ECSE-4670: Computer Communication Networks (CCN)
EE 122: Differentiated Services
Network-Wide Routing Oblivious Heavy Hitters
Review of Internet Protocols Transport Layer
Presentation transcript:

1 An Information-theoretic Approach to Network Measurement and Monitoring Yong Liu, Don Towsley, Tao Ye, Jean Bolot

2 Outline  motivation  background  flow-based network model  full packet trace compression  marginal/joint  coarser granularity  netflow and SNMP  future work

3 Motivation  network monitoring: sensing a network  traffic engineering, anomaly detection, …  single point v.s. distributed  different granularities  full traffic trace: packet headers  flow level record: timing, volume  summary statistics: byte/packet counts  challenges  growing scales: high speed link, large topology  constrained resources: processing, storage, transmission  30G headers/hour at UMass gateway  solutions  sampling: temporal/spatial  compression: marginal/distributed

4 Questions  how much can we compress monitoring traces?  how much information is captured by different monitoring granularity?  packet trace/NetFlow/SNMP  how much joint information is there in multiple monitors?  joint compression  trace aggregation  monitor placement

5 Our Contribution  flow-based network models  explore temporal/spatial correlation in network traces  projection to different granularity  information theoretic framework  entropy: bound/guideline on trace compression  quantitative approach for more general problems  validation against measurement from operational network

6 Entropy & Compression  Shannon entropy of discrete r.v.  compression of i.i.d. symbols (length M) by coding  coding:  expected code length:  info. theoretic bound on compression ratio:  Shannon/Huffman coding  assign short codeword to frequent outcome  achieve the H(X) bound

7 Entropy & Correlation  joint entropy  entropy rate of stochastic process  exploit temporal correlation  Lempel-Ziv Coding: (LZ77, gzip, winzip) asymptotically achieve the bound for stationary process  joint entropy rate of correlated processes  exploit spatial correlation  Slepian-Wolf Coding: (distributed compression) encode each process individually, achieve joint entropy rate in limit

8 Network Trace Compression  naïve way: treat as byte stream, compress by generic tools  gzip compress UMass traces by a factor of 2  network traces are highly structured data  multiple fields per packet diversity in information richness correlation among fields  multiple packets per flow packets within a flow share information temporal correlation  multiple monitors traversed by a flow most fields unchanged within the network spatial correlation  network models  explore correlation structure  quantify information content of network traces  serves as lower bounds/guidelines for compression algorithms

9 Packet Header Trace source IP address destination IP address data sequence number acknowledgment number time stamp (sec.) time stamp (sub-sec.) total lengthToSvers.HLen IPIDflags TTLprotocolheader checksum destination portsource port window sizeHlen fragment offset TCP flags urgent pointerchecksum Timing IP Header TCP Header 01631

10 Header Field Entropy source IP address destination IP address data sequence number acknowledgment number time stamp (sec.) time stamp (sub-sec.) total lengthToSvers.HLen IPIDflags TTLprotocolheader checksum destination portsource port window sizeHlen fragment offset TCP flags urgent pointerchecksum Timing IP Header TCP Header flow id time

11 Single Point Packet Trace T0 F0 T1 F1 T3 F0 Tn Fn Tm F0  temporal correlation introduced by flows  packets from same flow closely spaced in time  they share header information  packet inter-arrival: # bits per packet: T0 F0 T3 F0 Tm F0  flow based trace:  flow record: F0 KT0 flow ID flow size arrival time packet inter-arrival

12 Network Models  flow-based model  flow arrivals follow Poisson with rate  flows are classified to independent flow classes according to routing (the set of routers traversed)  flow i is described by: flow inter-arrival time: flow ID: flow length: packet inter-arrival time within the flow:  packet arrival stochastic process:

13 Entropy in Flow Record  # bits per flow:  # bits per second:  marginal compression ratio  determined by flow length (pkts.) and variability in pkt. inter-arrival.

14 Single Point Compression: Results TraceH (total)Model Ratio Compression Algorithm C1-in BB1-out BB2-out  Compression ratio lower bound calculated by entropy much lower than real compression algorithm  Real compression algorithm difference  Records IPID, packet size, TCP/UDP fields  Fixed packet buffer for each flow => many flow records for long flows

15 Distributed Network Monitoring  single flow recorded by multiple monitors  spatial correlation: traces collected at distributed monitors are correlated  marginal node view: #bits/sec to represent flows seen by one node, bound on single point compression  network system view: #bits/sec to represent flows cross the network, bound on joint compression  joint compression ratio: quantify gain of joint compression

16  “perfect” network  fixed routes/constant link delay/no packet loss  flow classes based on routes  flows arrive with rate:  # of monitors traversed:  #bits per flow record:  info. rate at node v:  network view info. rate:  joint compression ratio: Baseline Joint Entropy Model  dependence on # of monitors travered

17 Joint Compression: Results Set of TracesJoint Compression Ratio {C1-in, BB1-out, C2-in, BB2-out}0.5 {C1-in, BB1-out} {C1-in, BB2-out} {C2-in, BB1-out} {C2-in, BB2-out}0.6679

18 Coarser Granularity Models  NetFlow model  similar to flow model:  joint compression result similar to full trace  SNMP model  any link SNMP rate process is sum of rate processes of all flow classes passing through that link  traffic rates of flow classes are independent Gaussian  entropy can be calculated by covariance of these processes  information loss due to summation  small joint information between monitors  difficult to recover rates of flow classes from SNMP data

19 Joint Compression Ratio of Different Granularity Set of TracesSNMPNetFlowPacket Trace {C1-in, BB1-out} {C1-in, BB2-out}

20 Conclusion  information theoretic bound on marginal compression ratio -- ~ 20% (time+flow id, even lower if include other low entropy fields)  marginal compression ratio high (not very compressible) in SNMP, lower in NetFlow, and the lowest in full trace  joint coding is much more useful/nessassary in full trace case than in SNMP  “More entropy for your buck”

21 Future Work  network impairments  how many more bits for delay/loss/route change  model netflow with sampling  distributed compression algorithms  lossless v.s. lossy compression  entropy based monitor placement  maximize information under constraints

22 Thanks!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.