Pinghui Wang,Xiaohong Guan,Tao Qin,Qiuzhen Huang

DOI: https://doi.org/10.1109/tifs.2011.2123094

IF: 7.231

2011-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Due to the massive amount of data in high-speed network traffic and the limit on processing capability, it is a great challenge to accurately measure and monitor network traffic over high-speed links online. A new data structure is presented in this paper for locating the hosts associated with large connection degrees or significant changes in connection degrees based on the reversible connection degree sketch to monitor anomalous network traffic. The reversible connection degree sketch builds a compact summary of host connection degrees efficiently and accurately. For each packet coming, it only needs to set several bits selected in a bit array by a group of hash functions. These hash functions are designed based on the Chinese Remainder Theorem so that the in-degree or out-degree associated with a given host can be accurately estimated. With this new data structure, we develop a new reverse sketch method for locating abnormal hosts. Although the reversible connection degree sketch does not preserve any host address information, we can analytically reconstruct the host addresses associated with large connection degrees or significant changes in connection degrees by a simple calculation purely based on the characteristics of the hash functions. Furthermore, a reinforced reversible connection degree sketch, the double connection degree sketch, is developed to reduce false positives which are commonly encountered in the sketch-based methods. A traffic monitoring system based on this double connection degree is developed to detect and classify the abnormal hosts associated with large connection degrees or significant changes in connection degrees. The experiments are conducted based on the actual network traffic and the testing results show that our method is accurate and efficient.

Pinghui Wang,Xiaohong Guan,Weibo Gong,Don Towsley

DOI: https://doi.org/10.1109/infcom.2011.5934948

2011-01-01

Abstract:We present a new virtual indexing method for estimating host connection degrees for high speed links. It is based on the virtual connection degree sketch where a compact sketch of network traffic is built by generating the associated virtual bitmaps for each host. Each virtual bitmap consists of a fixed number of bits selected randomly from a shared bit array by a new method for recording the traffic flows of the corresponding host. The shared bit array is efficiently utilized by all hosts since its every bit is shared by the virtual bitmaps of multiple hosts. To reduce the “noise” contaminated in a host's virtual bitmaps due to sharing, we propose a new method to generate the “filtered” bitmap used to estimate host connection degree. Furthermore, it can be easily implemented in parallel and distributed processing environments. The experimental and testing results based on the actual network traffic show that the new method is accurate and efficient.

Xiang Chen,Xi Sun,Wenbin Zhang,Xin Yao,Zizheng Wang,Hongyan Liu,Qun Huang,Gaoning Pan,Xuan Liu,Haifeng Zhou,Chunming Wu

DOI: https://doi.org/10.1109/infocom52122.2024.10621293

2024-01-01

Abstract:Sketch-based traffic measurement is a crucial building block for monitoring traffic statistics and ensuring the quality of services of end-host applications. However, existing approaches for building sketches in end-hosts exhibit poor packet processing performance or high CPU consumption. In this paper, we propose MPU, which automatically offloads sketch-based measurement to the emerging hardware, DPU. MPU consists of a sketch analyzer that profiles sketch resource consumption and an optimization framework that formulates the offloading problem and maximizes sketch performance on DPU. We implement MPU on the NVIDIA BlueField DPU. Our testbed results indicate that MPU achieves 85% lower per-packet processing latency and 47% higher traffic measurement accuracy when compared to existing approaches.

Xiaohong Guan,Pinghui Wang,Tao Qin

DOI: https://doi.org/10.1109/GLOCOM.2009.5426280

2009-01-01

Abstract:Locating hosts with large connection degree is very important for monitoring anomalous network traffics. The in-degree (out-degree), defined as the number of distinct sources (destinations) that a network host is connected with (connects) during a given time interval. Due to massive amount of data in high speed network traffics and limit on processing capability, it is difficult to accurately locate hosts with large connection degree over high speed links on line. In this paper we present a new data streaming method for locating hosts with large connection degree based on the reversible connection degree sketch to monitor anomalous network traffics. The required memory space is small and constant, and more importantly the update/query complexity would not depend on the amount of data. The hash functions for data sketch are designed based on the remainder characteristics of the number theory so that in-degree/out-degree associated with a given host can be accurately estimated. Although the connection degree sketch does not preserve any host address information, we can analytically reconstruct the host addresses associated with large in-degree/out-degree by a simply equation purely based on the characteristics of the hash functions without using any host address information. This procedure is highly efficient since the computational time is constant and ignorable. Furthermore, this reversible connection degree sketch based method can be easily implemented in distributed systems. The experimental and testing results based on the actual network traffics show that the new method is truly accurate and efficient.

Yongquan Fu,Dongsheng Li,Siqi Shen,Yiming Zhang,Kai Chen

DOI: https://doi.org/10.48550/arXiv.1905.03113

2019-05-08

Abstract:Network monitoring is vital in modern clouds and data center networks for traffic engineering, network diagnosis, network intrusion detection, which need diverse traffic statistics ranging from flow size distributions to heavy hitters. To cope with increasing network rates and massive traffic volumes, sketch based approximate measurement has been extensively studied to trade the accuracy for memory and computation cost, which unfortunately, is sensitive to hash collisions. In addition, deploying the sketch involves fine-grained performance control and instrumentation. This paper presents a locality-sensitive sketch (LSS) to be resilient to hash collisions. LSS proactively minimizes the estimation error due to hash collisions with an autoencoder based optimization model, and reduces the estimation variance by keeping similar network flows to the same bucket array. To illustrate the feasibility of the sketch, we develop a disaggregated monitoring application that supports non-intrusive sketching deployment and native network-wide analysis. Testbed shows that the framework adapts to line rates and provides accurate query results. Real-world trace-driven simulations show that LSS remains stable performance under wide ranges of parameters and dramatically outperforms state-of-the-art sketching structures, with over $10^3$ to $10^5$ times reduction in relative errors for per-flow queries as the ratio of the number of buckets to the number of network flows reduces from 10\% to 0.1\%.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing

Jindian Liu,Zhuo Li,Huipeng Du,Haodong Zhou,Leyang Li,Yi An,Yu Zhang,Kaihua Liu,Qiang Li

DOI: https://doi.org/10.1016/j.comnet.2024.110467

IF: 5.493

2024-05-02

Computer Networks

Abstract:Accurate measurement of network traffic is an essential part of current network management tasks. Sketch is a kind of probabilistic data structure widely accepted in network measurement. However, it is challenging for classic sketches to reduce the storage cost with little loss of accuracy for highly skewed network traffic. Therefore, most sketch-based schemes store elephant flows and mouse flows separately to deal with the skewed network traffic. But they are not usually suitable for estimating the size of mouse flows and thus may lose some information of traffic. To this end, a novel sketch, called Funnel Sketch (FS), is proposed in this paper. By using a funnel-shaped architecture to separately store the elephant flows and mouse flows, while maintaining the mouse flows as possible. Thus, FS can not only adapt to skewed network traffic to improve memory efficiency, but also accurately estimate the size of mouse and elephant flows with efficient memory consumption. Moreover, FS is implemented on CPU and OVS platform to evaluate its performance. The experimental results show that FS greatly reduces the error by 90% for flow size estimation and elephant flow detection compared with the state-of-the-art sketch-based schemes.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Min Zhu

DOI: https://doi.org/10.1016/j.jnca.2013.10.008

IF: 7.574

2014-01-01

Journal of Network and Computer Applications

Abstract:Traffic pattern characteristics monitoring is useful for abnormal behavior detection and network management. In this paper, we develop a framework for connection degree calculation and measurement in high-speed networks. The bi-directional traffic flow model is employed to aggregate traffic packets, which can reduce the number of flow records and capture user's alternation behavior characteristics. The first order connection degree and joint correlation degree are selected as the features to capture the characteristics of traffic profiles. To perform careful traffic inspection and attack detection, not only the abnormal changes of a single traffic feature but also the correlations between the features are analyzed in the new framework. First, the symmetry of in and out connection degrees is analyzed. And we found that incomplete flows are an important information source for abnormal behavior detection. Second, joint correlation degree can characterize the user's communication profiles and their behavior dynamics, which are employed to perform abnormal detection using measurements based on Renyi cross entropy. Finally, the reversible degree sketch is employed for querying abnormal traffic pattern sources for real-time traffic management. The experimental results based on actual traffic traces collected from Northwest Regional Center of CERNET (China Education and Research Network) show the efficiency of the proposed method. The method based on Renyi entropy can detect abnormal changing points correctly. FNR of the reversible sketch for locating abnormal sources is below 4% and time complexity is constant and less than 4s, which is critical for real-time traffic monitoring.

Yuhan Wu,Shiqi Jiang,Yifei Xu,Siyuan Dong,Kaicheng Yang,Peiqing Chen,Tong Yang

DOI: https://doi.org/10.1109/tnse.2023.3284004

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:In network measurement, sliding window measurement has the advantage of providing recent and timely measurement results. Recently, sketches have become the most popular method of conducting flow-level network measurements due to their favorable trade-off between small memory overhead and high measurement accuracy. However, it remains a challenge that no current sketches are able to support unbiased estimation toward flow size measurement, which can improve the performance of tasks including network diagnoses, delay measurement and heavy hitter detection. In this paper, we propose the first work that achieves unbiased flow size measurement in sliding windows, namely Unbiased Cleaning sketch (UC sketch) . The key technique of the UC sketch is Unbiased Cleaning which can remove outdated keys from the sliding windows in a balanced way. Besides, we significantly reduce the variance of flow size by two optimization techniques, namely Linear Scaling and Column Randomizing . To prove the result, we conduct rigorous mathematical analysis and reasonable experiments. All related source codes are open-sourced at Github anonymously.

Rui Wang,Hongchao Du,Zhaoyan Shen,Zhiping Jia

DOI: https://doi.org/10.1016/j.comnet.2021.108155

IF: 5.493

2021-07-01

Computer Networks

Abstract:<p>Accurate measurement of network traffic is an essential part of current network management tasks. Traditional measurement methods based on counter and sketch respectively focus on the large flow detection and all flows queries, and the measurement accuracy is limited by the uncertainty in the large flow detection algorithm. Therefore, we design an asymmetric measurement architecture named DAP-Sketch. By using different data structures to measure large and small flows separately, DAP-Sketch provides the ability to query the approximate sizes of small flows while ensuring large flow detection. We propose a Deterministic Admission Policy (DAP) to dynamically distinguish the large and small flows, which effectively improves the accuracy of large flow detection and reduces the demand for storage resources. To improve the usability and universality of DAP, we put forward a <em>d</em>-Length DAP which applies local optimality instead of global optimality and makes our algorithm easy to implement. Furthermore, two optimization strategies with adaptive parameter adjustment are also designed in terms of the changes in memory space and traffic characteristics. Experimental results show that DAP-Sketch can outperform the best of the five typical measurement methods up to 59.3 times, decrease the requirements of network equipment resources, and achieve highly-precise and low-overhead network traffic measurement.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Jiaqi Zhu,Kai Zhang,Qun Huang

DOI: https://doi.org/10.1145/3469393.3469398

2021-01-01

Abstract:Packet delay is a consensual indicator of network conditions. High delay packets of a flow indicate that there may be network congestion or network anomalies. In this paper, we consider Intra-FlowPacketDelay (IFPD), which is defined as the time span between two adjacent packets of a flow. In particular, we aim to detect packets that exhibit high IFPD. The key challenge is to simultaneously achieve high detection accuracy and preserve low resource usage. Existing measurement approaches reduce resource overheads by injecting probe packets or sampling. However, they can only measure an average delay of some packets but fail to monitor delay behavior of every single packet. To this end, we propose a sketch-based approach. Unfortunately, existing sketch-based methods cannot be directly applied to our high IFPD detection problem. That is because traditional sketch algorithms require that the update operation is additive, while measuring IFPD needs to deal with timestamps, which is not additive. We address this issue in three aspects: (i) using fingerprints to mitigate hash conflicts; (ii) a conservative update method that only selects one bucket to update; (iii) a replacement strategy that keeps potential flows with high IFPD in the sketch. Our experiments on real world traces demonstrate that our solution identifies high IFPD with nearly 99% recall rate and 99% precision with 600 KB memory, which outperforms existing sketch-based solutions.

Shangsen Li,Lailong Luo,Deke Guo,Qianzhen Zhang,Pengtao Fu

DOI: https://doi.org/10.48550/arXiv.2012.07214

2020-12-14

Data Structures and Algorithms

Abstract:Network measurement probes the underlying network to support upper-level decisions such as network management, network update, network maintenance, network defense and beyond. Due to the massive, speedy, unpredictable features of network flows, sketches are widely implemented in measurement nodes to approximately record the frequency or estimate the cardinality of flows. At their cores, sketches usually maintain one or multiple counter array(s), and rely on hash functions to select the counter(s) for each flow. Then the space-efficient sketches from the distributed measurement nodes are aggregated to provide statistics of the undergoing flows. Currently, tremendous redesigns and optimizations have been proposed to improve the sketches for better network measurement performance. However, existing reviews or surveys mainly focus on one particular aspect of measurement tasks. Researchers and engineers in the network measurement community desire an all-in-one survey that covers the entire processing pipeline of sketch-based network measurement. To this end, we present the first comprehensive survey of this area. We first introduce the preparation of flows for measurement, then detail the most recent investigations of design, aggregation, decoding, application and implementation of sketches for network measurement. To summarize the existing efforts, we carry out an in-depth study of the existing literature, covering more than 90 sketch designs and optimization strategies. Furthermore, we conduct a comprehensive analysis and qualitative/quantitative comparison of the sketch designs. Finally,we highlight the open issues for future sketch-based network measurement research.

Pinghui Wang,Xiaohong Guan,Don Towsley,Jing Tao

DOI: https://doi.org/10.1016/j.comnet.2012.03.025

IF: 5.493

2012-01-01

Computer Networks

Abstract:It is difficult to accurately measure node connection degrees for a high speed network, since there is a massive amount of traffic to be processed. In this paper, we present a new virtual indexing method for estimating node connection degrees for high speed links. It is based on the virtual connection degree sketch (VCDS) where a compact sketch of network traffic is built by generating multiple virtual bitmaps for each network node. Each virtual bitmap consists of a fixed number of bits selected randomly from a shared bit array by a new method for recording the traffic flows of the corresponding node. The shared bit array is efficiently utilized by all nodes since every bit is shared by the virtual bitmaps of multiple nodes. To reduce the “noise” contaminated in a node’s virtual bitmaps due to sharing, we propose a new method to generate the “filtered” bitmap used to estimate node connection degree. Furthermore, we apply VCDS to detect super nodes often associated with traffic anomalies. Since VCDS need a large amount of extra memory to store node addresses, we also propose a new data structure, the reversible virtual connection degree sketch, which identifies super node addresses analytically without the need of extra memory space but at a small increase in estimation error. Furthermore we combine the VCDS and RVCDS based methods with a uniform flow sampling technique to reduce memory complexities. Experiments are performed based on the actual network traffic and testing results show that the new methods are more memory efficient and more accurate than existing methods.

Hengrui Wang,Huiping Lin,Zheng Zhong,Tong Yang,Muhammad Shahzad

DOI: https://doi.org/10.1109/tc.2022.3185560

IF: 3.183

2023-01-01

IEEE Transactions on Computers

Abstract:Network monitoring and management require accurate statistics of a variety of flow-level metrics such as flow sizes, top- $k$ flows, and number of flows. Arguably, the current best technique to measure these metrics is sketches. While a significant amount of work has already been done on sketching techniques, there is still a lot of room for improvement because the accuracy of existing sketches varies with changing characteristics of network traffic. In this paper, we propose the idea of using machine learning to improve the accuracy of sketches, and propose a generic machine learning framework to reduce the dependence of accuracy of sketches on network traffic characteristics. We further present three case studies, where we applied our machine learning framework on sketches for measuring three flow-level network metrics, namely flow sizes, top- $k$ flows, and number of flows. We implemented and extensively evaluated this framework for these three metrics using both real-world and synthetic traffic traces. To the best of our knowledge, this is the first work that uses machine learning to reduce the dependence of sketching techniques on the characteristics of network traffic. We have released all our traces and implementation codes at Github.

Xinming Zhang,Zhongxiang Wei,Cenman Wang,Ye Tian,Wei Chen,Liyuan Gu

DOI: https://doi.org/10.1109/TNET.2023.3286879

2024-02-01

IEEE/ACM Transactions on Networking

Abstract:Sketch-based method has emerged as a promising direction for per-flow measurement in data center networks. Usually in such a measurement system, a sketch data structure is placed as a whole at one switch for counting all passing packets, but when summarizing measurement results from multiple switches, the overall accuracy is generally constrained by a few individual switches with small-sized sketches due to their limited memory resources. To address this problem, in this paper, we present Distributed Sketch, a new method for per-flow network measurement in data center networks. In Distributed Sketch, each network path is associated with a logical sketch, whose data structure is collectively maintained by all the switches along the path; meanwhile, each switch multiplexes its physical sketch to the constructions of the logical sketches of all the paths it belongs to. With Distributed Sketch, switches collaborate to measure network flows, and the network-wide measurement workload is fairly distributed among all the switches in the network. We implement Distributed Sketch with P4 on commodity hardware programmable switch, and in particular, to overcome the limitation that hardware switches do not support float-point computation, we present an optimal approximation method that involves only integer operations. We also propose an In-band Network Telemetry (INT) based method for addressing the challenges in deploying Distributed Sketch in large-scale data centers. Experiment results and theoretical analysis show that our proposed method is lightweight regarding measurement overhead, and by aggregating and making fair uses of resources from all the switches in the network, Distributed Sketch achieves a higher measurement accuracy compared with the state-of-the-art solutions.

Computer Science

Qun Huang,Patrick P. C. Lee

DOI: https://doi.org/10.1016/j.comnet.2015.08.025

IF: 5.493

2015-01-01

Computer Networks

Abstract:Real-time characterization of network traffic anomalies, such as heavy hitters and heavy changers, is critical for the robustness of operational networks, but its accuracy and scalability are challenged by the ever-increasing volume and diversity of network traffic. We address this problem by leveraging parallelization. We propose LD-Sketch, a data structure designed for accurate and scalable traffic anomaly detection using distributed architectures. LD-Sketch combines the classical counter-based and sketch-based techniques, and performs detection in two phases: local detection, which guarantees zero false negatives, and distributed detection, which reduces false positives by aggregating multiple detection results. We derive the error bounds and the space and time complexity for LD-Sketch. We further analyze the impact of ordering of data items on the memory usage and accuracy of LD-Sketch. We compare LD-Sketch with state-of-the-art sketch-based techniques by conducting experiments on traffic traces from a real-life 3G cellular data network. Our results demonstrate the accuracy and scalability of LD-Sketch over prior approaches.

Qun Huang,Xin Jin,Patrick P. C. Lee,Runhui Li,Lu Tang,Yi-Chao Chen,Gong Zhang

DOI: https://doi.org/10.1145/3098822.3098831

2017-01-01

Abstract:Network measurement remains a missing piece in today's software packet processing platforms. Sketches provide a promising building block for filling this void by monitoring every packet with fixed-size memory and bounded errors. However, our analysis shows that existing sketch-based measurement solutions suffer from severe performance drops under high traffic load. Although sketches are efficiently designed, applying them in network measurement inevitably incurs heavy computational overhead. We present SketchVisor, a robust network measurement framework for software packet processing. It augments sketch-based measurement in the data plane with a fast path, which is activated under high traffic load to provide high-performance local measurement with slight accuracy degradations. It further recovers accurate network-wide measurement results via compressive sensing. We have built a SketchVisor prototype on top of Open vSwitch. Extensive testbed experiments show that SketchVisor achieves high throughput and high accuracy for a wide range of network measurement tasks and microbenchmarks.

Qin Xin,Jianping Wu

DOI: https://doi.org/10.1007/s10619-018-7225-5

IF: 0.974

2018-01-01

Distributed and Parallel Databases

Abstract:Sketch is a memory-efficient data structure, and is used to store and query the frequency of any item in a given multiset. As it can achieve fast query and update, it has been applied to various fields. Different sketches have different advantages and disadvantages. Sketches are originally proposed for estimation of flow size in network measurement. The key factor of sketches for network measurement is the insertion speed and accuracy. In this paper, we propose a new sketch, which can significantly improve the insertion speed while improving the accuracy. Our key methods include on-chip/off-chip separation and partial update algorithm. Extensive experimental results show that our sketch significantly outperforms the state-of-the-art both in terms of accuracy and speed.

Yifan Han,He Huang,Yang Du,Yu-E Sun,Jia Liu,Hongli Xu

DOI: https://doi.org/10.1109/ispa-bdcloud-socialcom-sustaincom59178.2023.00036

2023-01-01

Abstract:Per-flow size measurement has wide applications in data center networks, such as flow scheduling, anomaly detection, and traffic engineering. To fit the module into limited on-chip memory and catch up with the line speed, existing works either use the bit sharing scheme to compress the flow information or require complex calculations to screen out large flows, resulting in substantial accuracy loss or heavy memory accesses, especially failing to measure medium-sized flows accurately, which are meaningful for practical applications such as usage accounting and billing. In light of this, we propose a new Hierarchical Sketch that adopts a hybrid on-chip/off-chip architecture to detect and estimate the flows whose size exceeds the threshold t (threshold-t flows for short) to cover both large and medium-sized flows. In Hierarchical Sketch, we design an on-chip bucket array together with an adaptive update scheme to record potential candidates for threshold$-t$ flows within one memory access as well as filter out unwanted flows. Besides, the flow records are downloaded to off-chip space for high memory efficiency and supporting online queries. We also implement a prototype on the NetFPGA development platform. Experimental results show that Hierarchical Sketch is up to 72.61% more accurate and 245% faster than the best baseline.

Xiaojun Cheng,Xuyang Jing,Zheng Yan,Xian Li,Pu Wang,Wei Wu

DOI: https://doi.org/10.1016/j.jnca.2023.103659

IF: 7.574

2023-07-01

Journal of Network and Computer Applications

Abstract:Learning-based sketch improves accuracy and reduces the space overhead of traditional sketches by using machine learning to recognize input data patterns. However, most learning-based sketches adopts offline learning to train a learning model, which shows poor accuracy in measuring dynamic network traffic. To accommodate unpredictable changes in network traffic, it is urgent to study a learning-based sketch that not only supports timely updating recognition rules but also keeps accurate and efficient network traffic measurement. We propose a novel adaptive learning-based sketch (ALSketch) to accurately and efficiently measure dynamic network traffic with online machine learning. ALSketch incrementally constructs a learner to identify hot and cold flows and store them separately. Such a strategy reduces hash conflicts and improves estimated accuracy under limited memory usage. We perform extensive comparative experiments to verify the performance of ALSketch. Experimental results reveal that the average relative error of ALSketch is approximately 1 . 86 ∼ 5 . 25 times lower than that of traditional sketches under the same memory conditions.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Qun Huang,Patrick P. C. Lee

DOI: https://doi.org/10.1109/INFOCOM.2014.6848076

2014-01-01

Abstract:Real-time characterization of traffic anomalies, such as heavy hitters and heavy changers, is critical for the robustness of operational networks, but its accuracy and scalability are challenged by the ever-increasing volume and diversity of network traffic. We address this problem by leveraging parallelization. We propose LD-Sketch, a data structure designed for accurate and scalable traffic anomaly detection using distributed architectures. LD-Sketch combines the classical counter-based and sketch-based techniques, and performs detection in two phases: local detection, which guarantees zero false negatives, and distributed detection, which reduces false positives by aggregating multiple detection results. We derive the error bounds and the space and time complexity for LD-Sketch. We compare LD-Sketch with state-of-the-art sketch-based techniques by conducting experiments on traffic traces from a real-life 3G cellular data network. Our results demonstrate the accuracy and scalability of LD-Sketch over prior approaches.