Efficient Detection Of Flow Anomalies With Limited Monitoring Resources

ג'ליל מוראני, הרצאה סמינריונית למגיסטר
יום חמישי, 17.9.2015, 13:00
טאוב 601
Prof. D. Raz

The real time detection of flow anomalies is a critical part of wide range of management and security applications in many Cloud and NFV systems. Solutions that are based on per-flow records become impossible due to the increasing traffic volumes and the limited available resources such as TCAM entries and fast counters. In this paper we study a novel dynamic control mechanism that allows detecting flow anomalies using only a limited number of counters. Starting from the simple observation that it is impossible to guarantee instantaneous detection of flow anomalies with a limited amount of counters, we study the tradeoff between the time required to detect the anomaly and the number of available counters. We implemented the scheme in an OpenFlow enabled switch, where the logic is implemented in the controller, and demonstrate that it can be used to detect a single flow anomaly within large real traffic volume. To further reduce the detection time, we also implemented the scheme logic inside the switch and used the controller only for configuration. This implementation indeed yields a faster detection and lower monitoring communication overhead while not introducing any significant observable costs at the switch itself.

בחזרה לאינדקס האירועים