Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sonata Query-driven Streaming Network Telemetry

Published byΜαργαρίτες Βουγιουκλάκης Modified over 5 years ago

Similar presentations

Presentation on theme: "Sonata Query-driven Streaming Network Telemetry"— Presentation transcript:

1 Sonata Query-driven Streaming Network Telemetry
Arpit Gupta Princeton University Rob Harrison, Marco Canini, Nick Feamster, Jennifer Rexford, Walter Willinger

2 Detect network events in real time
Network Management Outages Google Level3 Cyberattacks Detect network events in real time Cogent Network Operator Princeton Congestion

3 Network Monitoring Requirements
DNS Src: DNS Dst: Victim Receive DNS responses from many distinct sources Src: Victim Dst: DNS DNS 👺 Src: DNS Dst: Victim Flexible network monitoring is desired address protocol payload device location Traffic jitter distinct hosts volume delay loss Metrics Src: Victim Dst: DNS Attacker 😵😵 Victim

4 Network Monitoring with Sonata
Performance Diag.. Malware Detection Flexibility Fault Localization DDoS Detection Abstractions Sonata System Algorithms Scalability

5 Building Sonata is Challenging
Programming abstractions How to let network operators express queries for a wide-range of monitoring tasks? Scalability How to execute multiple queries for high-volume traffic in real time?

6 Building Sonata is Challenging
Programming abstractions How to let network operators express queries for a wide-range of monitoring tasks? Scalability How to execute multiple queries for high-volume traffic in real time?

7 Packet as Tuple Treat packet as a tuple Packet
traversed path, queue size, number of bytes, … Metadata Header source/ destination address, protocol, ports, … Payload Treat packet as a tuple Packet = (path, qsize, nbytes,… sIP, dIP, proto, sPort, dPort, … payload)

8 Monitoring Tasks as Dataflow Queries
Detecting DNS Reflection Attack Identify if DNS response messages from unique DNS servers to a single host exceeds a threshold (Th) victimIPs = pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) Express wide range of network monitoring tasks in fewer than 20 lines of code DNS Responses from Unique DNS Servers to a Single Host exceeds a Threshold

9 Building Sonata is Challenging
Programming abstractions How to let network operators express queries for a wide-range of monitoring tasks? Scalability How to execute multiple queries for high-volume traffic in real time?

10 Where to Execute Monitoring Queries?
CPUs Switches Match Headers + Payload Actions Any State O(Gb) Speed O(μs) Headers++ add, subtract, bit operations O(Mb) O(ns) Can we use both switches and CPUs? Gigascope [SIGMOD’03] NetQRE [SIGCOMM’17] Univmon [SIGCOMM’16] Marple [SIGCOMM’17]

11 PISA* Processing Model
Programmable Parser Persistent State Programmable Deparser Memory ALU Packet Header Vector ip.src= ip.dst= ... Stages *RMT [SIGCOMM’13]

12 Mapping Dataflow to Data plane
Model Pipeline Processing Unit Operators Match-Action Tables Structured Data Tuples Packets Which dataflow operators can be compiled to match-action tables?

13 Compiling Individual Operators
Stream of elements Elements satisfying predicate (p) filter(p) Input Output pvictimIPs = pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) Match Action p udp.sport == 53 1 2 3 4 5 6 7

14 Compiling Individual Operators
Stream of elements Result of applying function f over all elements reduce(f) Input Output Memory pvictimIPs = pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) Match Action * idx = hash(m.dstIP) 1 2 3 4 5 6 7 Match Action * stateful[idx] += 1

15 Programmable Deparser
Compiling a Query Programmable Parser State Programmable Deparser Filter Map D1 D2 Map R1 R2 Filter Stages

16 Query Partitioning Decisions
pvictimIPs = pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) pvictimIPs = pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) pvictimIPs = pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) pvictimIPs = pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) Query Planner Resources? Reduce Load? Tuples

17 Query Partitioning ILP
Programmable Parser Persistent State Programmable Deparser Constraints PHV Size Memory ALU Number of Actions Stateful Memory Total Stages Packet Header Vector Stages Goal: Minimize tuples sent to stream processor

18 How Effective is Query Partitioning?
O(1 B) Log Scale 8 Tasks, 100 Gbps Workload

19 How Effective is Query Partitioning?
O(1 B) O(100 M) Log Scale Only one order of magnitude reduction 8 Tasks, 100 Gbps Workload

20 Query Partitioning Limitations
distinct reduce Filter Map D1 D2 Map R1 R2 Filter How can we reduce the memory footprint of stateful operators?

21 Observations: Nature of Monitoring Tasks
DNS Reflection Attack Victims Most monitoring tasks are looking for needles in a haystack All Hosts

22 Observations: Possible to Reduce Memory Footprint
Detecting DNS Reflection Attack Only consider first 8 bits victim = pktStream .map(dIP => dIP/8) .filter(p => p.udp.sPort == 53) .map(p => (p.dIP, p.sIP)) .distinct() Queries at coarser levels have smaller memory footprint

23 Observations: Possible to Preserve Query Accuracy
Detecting DNS Reflection Attack victim = pktStream .map(dIP => dIP/8) .filter(p => p.udp.sPort == 53) .map(p => (p.dIP, p.sIP)) .distinct() Hierarchical packet field Query accuracy is preserved if refined with hierarchical packet fields

24 Iterative Query Refinement
map(dIP=>dIP/8) Window Packet Stream t+W Map Filter Map D1 D2 Map R1 R2 Filter PISA Target First, execute query at coarser level

25 Iterative Query Refinement
Smaller memory footprint Detection Delay Smaller memory footprint at the cost of additional detection delay Map Filter Map D1 D2 Map R1 R2 Filter Filtered Packet Stream t+2W Filter Filter Map D1 D2 Map R1 R2 Filter PISA Target Then, execute query at finer level(s)

26 Query Planning Problem
Goal Minimize tuples sent to the stream processor Given Queries, packet traces Determine Which packet field to use for iterative refinement? What levels to use for iterative refinement? What’s the partitioning plan for each refined query? Augment partitioning ILP to compute both refinement and partitioning plans

27 Up to 4 orders of magnitude reduction
Sonata’s Performance O(1 B) O(100 M) Log Scale O(100 K) Up to 4 orders of magnitude reduction 8 Tasks, 100 Gbps Workload

28 https://github.com/sonata-princeton
Summary Key Takeaways Flexible Dataflow queries over packet tuples Fewer than 20 lines of code Scalable Query refinement and partitioning algorithms 4 orders of magnitude workload reduction Future Directions Monitor network-wide events Handle traffic dynamics

Download ppt "Sonata Query-driven Streaming Network Telemetry"

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Network Security Highlights Nick Feamster Georgia Tech.

Network Security Highlights Nick Feamster Georgia Tech.
Jennifer Rexford Princeton University MW 11:00am-12:20pm Logically-Centralized Control COS 597E: Software Defined Networking.

Jennifer Rexford Princeton University MW 11:00am-12:20pm Logically-Centralized Control COS 597E: Software Defined Networking.
Virtual Network Diagnosis as a Service Wenfei Wu (UW-Madison) Guohui Wang (Facebook) Aditya Akella (UW-Madison) Anees Shaikh (IBM System Networking)

Virtual Network Diagnosis as a Service Wenfei Wu (UW-Madison) Guohui Wang (Facebook) Aditya Akella (UW-Madison) Anees Shaikh (IBM System Networking)
SDN Applications Jennifer Rexford Princeton University.

SDN Applications Jennifer Rexford Princeton University.
Programming Protocol-Independent Packet Processors

Programming Protocol-Independent Packet Processors
P4: specifying data planes

P4: specifying data planes
Composing Software Defined Networks

Composing Software Defined Networks
SDX: A Software-Defined Internet Exchange

SDX: A Software-Defined Internet Exchange
Jennifer Rexford Princeton University

Jennifer Rexford Princeton University
Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.

Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.

Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
OpenSketch Slides courtesy of Minlan Yu 1. Management = Measurement + Control Traffic engineering – Identify large traffic aggregates, traffic changes.

OpenSketch Slides courtesy of Minlan Yu 1. Management = Measurement + Control Traffic engineering – Identify large traffic aggregates, traffic changes.
Programming Abstractions for Software-Defined Networks Jennifer Rexford Princeton University.

Programming Abstractions for Software-Defined Networks Jennifer Rexford Princeton University.
Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.

Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.
Building Compilers for Reconfigurable Switches Lavanya Jose, Lisa Yan, Nick McKeown, and George Varghese 1 Research funded by AT&T, Intel, Open Networking.

Building Compilers for Reconfigurable Switches Lavanya Jose, Lisa Yan, Nick McKeown, and George Varghese 1 Research funded by AT&T, Intel, Open Networking.
Jennifer Rexford Princeton University MW 11:00am-12:20pm Programmable Data Planes COS 597E: Software Defined Networking.

Jennifer Rexford Princeton University MW 11:00am-12:20pm Programmable Data Planes COS 597E: Software Defined Networking.
Composing Software Defined Networks Jennifer Rexford Princeton University With Joshua Reich, Chris Monsanto, Nate Foster, and.

Composing Software Defined Networks Jennifer Rexford Princeton University With Joshua Reich, Chris Monsanto, Nate Foster, and.

Similar presentations

Ads by Google