Presentation is loading. Please wait.

Presentation is loading. Please wait.

SONATA: Query-Driven Network Telemetry

Published byDevi Gunawan Modified over 5 years ago

Similar presentations

Presentation on theme: "SONATA: Query-Driven Network Telemetry"— Presentation transcript:

1 SONATA: Query-Driven Network Telemetry
Arpit Gupta COS 561: Advanced Computer Networks

2 Network Telemetry Ideal Network

3 Network Telemetry required to detect Network Events
Real Network

4 Existing Telemetry Systems
Compute Store Queries Analysis Packet Capture SNMP Collection NetFlow

5 Existing Systems are Query-Agnostic!
Existing Telemetry Systems Compute Store Queries Analysis Collection Existing Systems are Query-Agnostic!

6 Problems with Status Quo
Expressiveness Configure collection & analysis stages separately Static (and often coarse) data collection Brittle analysis setup---specific to collection tools Scalability Hard to scale query execution as: Traffic Volume increases and/or Number of Queries increases Hard to express & scale queries for network telemetry tasks!

7 Idea 1: Declarative Query Interface
Extensible Packet-As-Tuple Abstraction Treat packets as tuples carrying header, payload, and meta fields Expressive Dataflow Operators Most telemetry applications Collect aggr. statistics over subset of traffic Join results of one analysis with the other Express them as declarative queries composed of dataflow operators, e.g. map, reduce, filter, join etc. , e.g., timestamp, queue length etc.

8 Collect aggr. stats over subset of traffic
Example Queries Detecting Newly Opened TCP Connections Detect hosts for which the number of newly opened TCP connections exceeds threshold (Th) victimIPs = pktStream .filter(p => p.tcp.flag == SYN) .map(p => (p.dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) .map((dstIP, count) => dstIP) Collect aggr. stats over subset of traffic

9 Apply multiple aggregations over the packet tuple streams
Example Queries Detecting Traffic Anomalies Detect hosts for which the number of unique source IPs sending DNS response messages exceeds threshold (Th) pvictimIPs = pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) .map((dstIP, count) => dstIP) Apply multiple aggregations over the packet tuple streams

10 Join results of one analysis with the other
Example Queries Confirming Reflection Attacks Detect hosts with traffic anomalies that are of type RRSIG victimIPs = pktStream .filter(p => p.udp.sport == 53) .join(pVictimIPs, key=‘dstIP’) .filter(p => p.dns.rr.type == RRSIG) .map(p => (p.dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > T2) .map((dstIP, count) => dstIP) Join results of one analysis with the other

11 Easier to express network telemetry tasks!
Changing Status Quo Expressiveness Express dataflow queries over packet tuples Not tied to low-level (3rd party/platform-specific) APIs Trivial to add new queries and change collection tools Easier to express network telemetry tasks!

12 Expressive but not Scalable!
Query Execution Use Scalable Stream Processors Process all (or subset of) captured packet tuples using state-of-the-art Stream Processor Queries Stream Processor Packet Tuples Packet Capture Expressive but not Scalable!

13 Idea 2: Query Partitioning
Observation Data plane can process packets at line rate How it works? Execute subset of dataflow operators in the data plane Trade-off Trades workload at stream processor at the cost of additional resource usage in the data plane

14 Query Partitioning in Action
Queries Runtime Stream Processor Packet Tuples Data Plane Configurations Programmable Data Plane Partition Queries b/w Switches and Stream Processor

15 Query Partitioning in Action
pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) .map((dstIP, count) => dstIP) Traffic Anomaly Query pktStream .filter(p=>p.srcPort==53) .map(p=>(p.dstIP,p.srcIP)) .distinct() .map((dstIP, srcIP)=>(dstIP,1)) .reduce(keys=(dstIP,), sum) .filter((dstIP,count)=>count>Th) .map((dstIP, count) => dstIP) Stream Processor Programmable Data Plane

16 Compiling Queries for PISA Targets
pktStream .filter(p=>p.udp.sport==53) .map(p=>(p.dstIP,p.srcIP)) .distinct() M A M A M A M A Monitoring Port Pktin Pktout Register Operators  Match-Action Table(s) Queries  Sequence of Tables PISA Target

17 Idea 3: Iterative Refinement
Observation Tiny fraction of traffic or flows satisfy telemetry queries How it works? Execute queries at coarser levels Iteratively zoom-in on interesting traffic over time Trade-offs Trades workload at stream processor at the cost of additional detection delay

18 Iterative Refinement in Action
Queries Runtime Stream Processor Packet Tuples Data Plane Configurations Programmable Data Plane Queries’ Output Drives further Processing

19 Iterative Refinement in Action
pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) .map((dstIP, count) => dstIP) Traffic Anomaly Query /8  /16 Q8(W) = pktStream .filter(p=>p.udp.sport==53) .map(dstIP=>dstIP/8) .map(p=>(p.dstIP,p.srcIP)) Q16(W+1) = pktStream .filter(p=>p.udp.sport==53) .join(Q8(W),key=p.dstIP/8) .map(dstIP=>dstIP/16) .map(p=>(p.dstIP,p.srcIP)) W W + 1 Query-Driven Network Telemetry! Time

20 Sonata is Expressive & Scalable!
Changing Status Quo Expressiveness Express Dataflow queries over packet tuples Not worry about how and where the query is executed Adding new queries and collection tools is trivial Scalability Answers multiple queries for traffic volume as high as few Tb/s in real-time Sonata is Expressive & Scalable!

21 Programmable Data Plane
Implementation Query Interface Q1 Q2 QN Iterative Refinement Output Core Queries Queries Query Partitioning Data Plane Driver Streaming Driver Tuples Stream Processor Packets In Packets Out Programmable Data Plane

22 Summary sonata.cs.princeton.edu
SONATA enables expressive and scalable network telemetry using Declarative Query Interface Query Partitioning Iterative Refinement Join Team-Sonata 10+ active members and growing GitHub: github.com/Sonata-Princeton/SONATA-DEV sonata.cs.princeton.edu

23 Project Ideas

24 Extend Packet Tuples Currently, dns.rr.type is parsed in user-space
victimIPs(t) = pktStream(W) .filter(p => p.dns.rr.type == RRSIG) Currently, dns.rr.type is parsed in user-space Possible to parse it in the data plane itself Layers of Interest: DNS SMTP

25 Extend Dataflow Operators
Extend existing Operators Reduce Currently, only sum function is supported Implement more complex aggregation functions Join Currently, only inner join is supported Implement full outer, cartersian, left/right inner/outer joins Add new Operators FlatMap Sample

26 Design Sonata for Smart Homes
Internet Ras PIs  Streaming Target Smart NICs  Data-Plane Target

Download ppt "SONATA: Query-Driven Network Telemetry"

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Network Security Highlights Nick Feamster Georgia Tech.

Network Security Highlights Nick Feamster Georgia Tech.
Fraunhofer FOKUS 2007 VoIP Defender The Future of VoIP Protection Fraunhofer FOKUS Institute, Germany.

Fraunhofer FOKUS 2007 VoIP Defender The Future of VoIP Protection Fraunhofer FOKUS Institute, Germany.
Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Frenetic: A High-Level Language for OpenFlow Networks Nate Foster, Rob Harrison, Matthew L. Meola, Michael J. Freedman, Jennifer Rexford, David Walker.

Frenetic: A High-Level Language for OpenFlow Networks Nate Foster, Rob Harrison, Matthew L. Meola, Michael J. Freedman, Jennifer Rexford, David Walker.
OpenSketch Slides courtesy of Minlan Yu 1. Management = Measurement + Control Traffic engineering – Identify large traffic aggregates, traffic changes.

OpenSketch Slides courtesy of Minlan Yu 1. Management = Measurement + Control Traffic engineering – Identify large traffic aggregates, traffic changes.
SDN and Openflow.

SDN and Openflow.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
WAN Technologies.

WAN Technologies.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
Review: –What is AS? –What is the routing algorithm in BGP? –How does it work? –Where is “policy” reflected in BGP (policy based routing)? –Give examples.

Review: –What is AS? –What is the routing algorithm in BGP? –How does it work? –Where is “policy” reflected in BGP (policy based routing)? –Give examples.
Copyright © 2002 OSI Software, Inc. All rights reserved. PI-NetFlow and PacketCapture Eric Tam, OSIsoft.

Copyright © 2002 OSI Software, Inc. All rights reserved. PI-NetFlow and PacketCapture Eric Tam, OSIsoft.
Software-Defined Networks Jennifer Rexford Princeton University.

Software-Defined Networks Jennifer Rexford Princeton University.
11 SYSTEM PERFORMANCE IN WINDOWS XP Chapter 12. Chapter 12: System Performance in Windows XP2 SYSTEM PERFORMANCE IN WINDOWS XP  Optimize Microsoft Windows.

11 SYSTEM PERFORMANCE IN WINDOWS XP Chapter 12. Chapter 12: System Performance in Windows XP2 SYSTEM PERFORMANCE IN WINDOWS XP  Optimize Microsoft Windows.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
IP Forwarding.

IP Forwarding.
SDN Dev Group, Week 3 Aaron GemberAditya Akella University of Wisconsin-Madison 1 Floodlight Controller; Application Wishlist.

SDN Dev Group, Week 3 Aaron GemberAditya Akella University of Wisconsin-Madison 1 Floodlight Controller; Application Wishlist.

Similar presentations

Ads by Google