Technical Report MSC-2015-26

Title: Efficient Detection Of Flow Anomalies With Limited Monitoring Resources
Authors: Jalil Moraney
Supervisors: Danny Raz
PDF: Currently accessible only within the Technion network
Abstract: The real time detection of flow anomalies is a critical part of a wide range of management and security applications in many Cloud and NFV systems. Solutions that are based on per-flow records become impossible due to the increasing traffic volumes and the limited available resources such as TCAM entries and fast counters.

In this paper we study a novel dynamic control mechanism that allows detecting flow anomalies using only a limited number of counters. This is important since network traffic monitoring is a critical building block in various management, control and security applications. Starting from the simple observation that it is impossible to guarantee instantaneous detection of flow anomalies with a limited number of counters, we study the tradeoff between the time required to detect the anomaly and the number of available counters. We implemented the scheme in an OpenFlow-enabled switch, where the logic is implemented in the controller, and demonstrate that it can be used to detect a single flow anomaly within a large volume of real traffic. To further reduce the detection time, we also implemented the scheme logic inside the switch and used the controller only for configuration. This implementation indeed yields faster detection and lower monitoring communication overhead while not introducing any significant observable costs at the switch itself.

Copyright: The above paper is copyright by the Technion, Author(s), or others. Please contact the author(s) for more information.

Remark: Any link to this technical report should be to this page, rather than to the URL of the PDF files directly. The latter URLs may change without notice.


Computer science department, Technion