Sonata- Query-Driven Streaming Network Telemetry -slides.pptx

DaiboLiu1 33 views 28 slides Oct 08, 2024
Slide 1
Slide 1 of 28
Slide 1
1
Slide 2
2
Slide 3
3
Slide 4
4
Slide 5
5
Slide 6
6
Slide 7
7
Slide 8
8
Slide 9
9
Slide 10
10
Slide 11
11
Slide 12
12
Slide 13
13
Slide 14
14
Slide 15
15
Slide 16
16
Slide 17
17
Slide 18
18
Slide 19
19
Slide 20
20
Slide 21
21
Slide 22
22
Slide 23
23
Slide 24
24
Slide 25
25
Slide 26
26
Slide 27
27
Slide 28
28

About This Presentation

Top paper slides

Size: 5.13 MB
Language: en
Added: Oct 08, 2024
Slides: 28 pages

Slide Content

Sonata Query-driven Streaming Network Telemetry Arpit Gupta Princeton University Rob Harrison, Marco Canini , Nick Feamster , Jennifer Rexford, Walter Willinger

Google Cogent Level3 2 Princeton Outages Congestion Cyberattacks Network Operator Network Management Detect network e vents in real time

Network Monitoring Requirements 3 👺 😵 Src : Victim Dst : DNS Src : Victim Dst : DNS Src : DNS Dst : Victim Src : DNS Dst : Victim DNS DNS Attacker Victim Receive DNS responses from many distinct sources jitter distinct hosts volume delay loss … Metrics address protocol payload device location … Traffic Flexible network monitoring is desired

Malware Detection Performance Diag.. DDoS Detection Fault Localization 4 Flexibility Scalability Abstractions Algorithms System Network Monitoring with Sonata Sonata

Programming abstractions How to let network operators express queries for a wide-range of monitoring tasks? Scalability How to execute multiple queries for high-volume traffic in real time? 5 Building Sonata is Challenging

Programming abstractions How to let network operators express queries for a wide-range of monitoring tasks? Scalability How to execute multiple queries for high-volume traffic in real time? 6 Building Sonata is Challenging

7 Header Metadata Payload Packet traversed path, queue size, number of bytes, … source/ destination address, protocol, ports, … Packet = ( path, qsize , nbytes ,… sIP , dIP , proto, sPort , dPort , … payload ) Packet as Tuple Treat packet as a tuple

Detecting DNS Reflection Attack Identify if DNS response messages from unique DNS servers to a single host exceeds a threshold ( Th ) 8 victimIPs = pktStream . filter (p => p.udp.sport == 53) . map (p => ( p.dstIP , p.srcIP )) . distinct () . map (( dstIP , srcIP ) => ( dstIP , 1)) . reduce (keys=( dstIP ,), sum) . filter (( dstIP , count) => count > Th ) DNS Responses f rom Unique DNS Servers t o a Single Host e xceeds a Threshold Monitoring Tasks as Dataflow Queries Express wide range of network monitoring tasks in fewer than 20 lines of code

Building Sonata is Challenging Programming abstractions How to let network operators express queries for a wide-range of monitoring tasks? Scalability How to execute multiple queries for high-volume traffic in real time? 9

Univmon [ SIGCOMM’16] Marple [SIGCOMM’17] Gigascope [SIGMOD’03] NetQRE [ SIGCOMM’17] Match Headers + Payload Actions Any State O( Gb ) Speed O( μ s ) Headers++ add, subtract, bit operations O( Mb ) O( ns ) 10 Where to Execute Monitoring Queries? Switches CPUs Can we use both switches and CPUs ?

Programmable Deparser Stages ip.src =1.1.1.1 ip.dst =2.2.2.2 ... PISA* Processing Model 11 Packet Header Vector Programmable Parser Memory Persistent State ALU *RMT [ SIGCOMM’13]

Mapping Dataflow to Data plane 12 Which dataflow operators c an be compiled to match-action t ables ? Dataflow Data plane Model Pipeline Pipeline Processing Unit Operators Match-Action Tables Structured Data Tuples Packets

Compiling Individual Operators 13 filter(p) Stream of elements Elements s atisfying p redicate (p) Input Output pvictimIPs = pktStream . filter (p => p.udp.sport == 53) . map (p => ( p.dstIP , p.srcIP )) . distinct () . map (( dstIP , srcIP ) => ( dstIP , 1)) . reduce (keys=( dstIP ,), sum) . filter (( dstIP , count) => count > Th) 1 2 3 4 5 6 7 Match Action p udp.sport == 53

Compiling Individual Operators 14 reduce(f) Match Action * idx = hash( m.dstIP ) Input Output pvictimIPs = pktStream . filter (p => p.udp.sport == 53) . map (p => ( p.dstIP , p.srcIP )) . distinct () . map (( dstIP , srcIP ) => ( dstIP , 1)) . reduce (keys=( dstIP ,), sum) . filter (( dstIP , count) => count > Th) Stream of elements Result of applying f unction f over a ll e lements Memory Match Action * stateful[ idx ] += 1 1 2 3 4 5 6 7

Programmable Deparser Stages 15 Programmable Parser State Filter Map Filter D1 D2 Map R1 R2 Compiling a Query

Query Partitioning Decisions 16 Query Planner pvictimIPs = pktStream . filter (p => p.udp.sport == 53) . map (p => ( p.dstIP , p.srcIP )) . distinct () . map (( dstIP , srcIP ) => ( dstIP , 1)) . reduce (keys=( dstIP ,), sum) . filter (( dstIP , count) => count > Th ) Resources ? Reduce Load? Tuples pvictimIPs = pktStream . filter (p => p.udp.sport == 53) . map (p => ( p.dstIP , p.srcIP )) . distinct () . map (( dstIP , srcIP ) => ( dstIP , 1)) . reduce (keys=( dstIP ,), sum) . filter (( dstIP , count) => count > Th ) pvictimIPs = pktStream . filter (p => p.udp.sport == 53) . map (p => ( p.dstIP , p.srcIP )) . distinct () . map (( dstIP , srcIP ) => ( dstIP , 1)) . reduce (keys=( dstIP ,), sum) . filter (( dstIP , count) => count > Th ) pvictimIPs = pktStream . filter (p => p.udp.sport == 53) . map (p => ( p.dstIP , p.srcIP )) . distinct () . map (( dstIP , srcIP ) => ( dstIP , 1)) . reduce (keys=( dstIP ,), sum) . filter (( dstIP , count) => count > Th )

Query Partitioning ILP 17 Constraints Goal: Minimize tuples s ent to stream p rocessor Programmable Deparser Stages Programmable Parser Memory Persistent State ALU PHV Size Number of Actions Total Stages Stateful Memory Packet Header Vector

18 How Effective is Query Partitioning? Log Scale 8 Tasks, 100 Gbps Workload O(1 B)

19 How Effective is Query Partitioning? Log Scale O(1 B) O(100 M) O nly one order of magnitude reduction 8 Tasks, 100 Gbps Workload

Query Partitioning Limitations 20 Filter Map Filter D1 D2 Map R1 R2 distinct r educe How can we reduce the memory footprint of stateful operators?

Observations: Nature of Monitoring Tasks 21 DNS Reflection Attack Victims All Hosts Most monitoring tasks are looking for needles in a haystack

Detecting DNS Reflection Attack 22 victim = pktStream .map( dIP => dIP /8) .filter(p => p.udp.sPort == 53 ) .map(p => ( p.dIP , p.sIP )) .distinct() … Observations: Possible to Reduce Memory Footprint Only consider first 8 bits Queries at coarser levels have smaller memory footprint

Detecting DNS Reflection Attack 23 victim = pktStream .map( dIP => dIP /8) .filter(p => p.udp.sPort == 53) .map(p => ( p.dIP , p.sIP )) .distinct() … Observations: Possible to Preserve Query Accuracy Hierarchical packet field Query accuracy is preserved if refined with hierarchical packet fields

Filter D1 D2 Map R1 R2 Packet Stream t +W Iterative Query Refinement 24 Map Filter Map Window map( dIP => dIP /8) PISA Target First, execute query at coarser level

Filter D1 D2 Map R1 R2 Filtered Packet Stream Iterative Query Refinement 25 Map Filter Map Detection Delay Filter Filter Map Filter D1 D2 Map R1 R2 t+2W Smaller memory footprint PISA Target Then, execute query at finer level(s) Smaller memory footprint at the cost of additional detection delay

26 Query Planning Problem Goal Minimize tuples sent to the stream processor Given Queries, packet traces Determine Which packet field to use for iterative refinement? What levels to use for iterative refinement? What’s the partitioning plan for each refined query? Augment partitioning ILP to compute both refinement and partitioning plans

27 Sonata’s Performance Log Scale 8 Tasks, 100 Gbps Workload O(1 B) O(100 M) O(100 K) Up to 4 orders of magnitude reduction

Summary Key Takeaways Flexible Dataflow queries over packet tuples Fewer than 20 lines of code Scalable Query refinement and partitioning algorithms 4 orders of magnitude workload reduction Future Directions Monitor network-wide e vents Handle traffic d ynamics 28 http://sonata.cs.princeton.edu https://github.com/sonata-princeton
Tags
Categories
General
Download
Download Slideshow Get the original presentation file
Quick Actions
Statistics
  • Views 33
  • Slides 28
  • Age 419 days
Related Slideshows
Pray For The Peace Of Jerusalem and You Will Prosper 22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
Don_t_Waste_Your_Life_God.....powerpoint 26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf 31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
Fertility awareness methods for women in the society 14
Fertility awareness methods for women in the society
Isaiah47
29 views
Chapter 5 Arithmetic Functions Computer Organisation and Architecture 35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
syakira bhasa inggris (1) (1).pptx....... 5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views
View More in This Category