New directions in traffic measurement and accounting

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

New directions in traffic measurement and accounting

Full text

Pdf (319 KB)

Source

Applications, Technologies, Architectures, and Protocols for Computer Communication archive
Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications table of contents

Pittsburgh, Pennsylvania, USA

SESSION: Measuring paths and flows table of contents

Pages: 323 - 336

Year of Publication: 2002

ISBN:1-58113-570-X

Also published in ...

Authors

Cristian Estan	University of California, San Diego, La Jolla, CA
George Varghese	University of California, San Diego, La Jolla, CA

Sponsors

ACM: Association for Computing Machinery
SIGCOMM: ACM Special Interest Group on Data Communication

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 18, Downloads (12 Months): 100, Citation Count: 65

Additional Information:

abstract references cited by index terms collaborative colleagues peer to peer

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/633025.633056 What is a DOI?

ABSTRACT

Accurate network traffic measurement is required for accounting, bandwidth provisioning and detecting DoS attacks. These applications see the traffic as a collection of flows they need to measure. As link speeds and the number of flows increase, keeping a counter for each flow is too expensive (using SRAM) or slow (using DRAM). The current state-of-the-art methods (Cisco's sampled NetFlow) which log periodically sampled packets are slow, inaccurate and resource-intensive. Previous work showed that at different granularities a small number of "heavy hitters" accounts for a large share of traffic. Our paper introduces a paradigm shift for measurement by concentrating only on large flows --- those above some threshold such as 0.1% of the link capacity.We propose two novel and scalable algorithms for identifying the large flows: sample and hold and multistage filters, which take a constant number of memory references per packet and use a small amount of memory. If $M$ is the available memory, we show analytically that the errors of our new algorithms are proportional to $1/M$; by contrast, the error of an algorithm based on classical sampling is proportional to $1/\sqrtM$, thus providing much less accuracy for the same amount of memory. We also describe further optimizations such as early removal and conservative update that further improve the accuracy of our algorithms, as measured on real traffic traces, by an order of magnitude. Our schemes allow a new form of accounting called threshold accounting in which only flows above a threshold are charged by usage while the rest are charged a fixed fee. Threshold accounting generalizes usage-based and duration based pricing.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	J. Altman and K. Chu. A proposal for a flexible service plan that is attractive to users and internet service providers. In IEEE INFOCOM, April 2001.
	2	Burton H. Bloom, Space/time trade-offs in hash coding with allowable errors, Communications of the ACM, v.13 n.7, p.422-426, July 1970 [doi>10.1145/362686.362692]
	3	N. Brownlee, C. Mills, and G. Ruth. Traffic flow measurement: Architecture. RFC 2722, Oct. 1999.
	4	N. G. Duffield , M. Grossglauser, Trajectory sampling for direct traffic observation, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.271-282, August 28-September 01, 2000, Stockholm, Sweden
	5	Nick Duffield , Carsten Lund , Mikkel Thorup, Charging from sampled network usage, Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, November 01-02, 2001, San Francisco, California, USA [doi>10.1145/505202.505232]
	6	C. Estan and G. Varghese. New directions in traffic measurement and accounting. Tech. Report 699, UCSD CSE, Feb. 2002.
	7	Min Fang , Narayanan Shivakumar , Hector Garcia-Molina , Rajeev Motwani , Jeffrey D. Ullman, Computing Iceberg Queries Efficiently, Proceedings of the 24rd International Conference on Very Large Data Bases, p.299-310, August 24-27, 1998
	8	W. Fang and L. Peterson. Inter-as traffic patterns and their implications. In IEEE GLOBECOM, Dec. 1999.
	9	Anja Feldmann , Albert Greenberg , Carsten Lund , Nick Reingold , Jennifer Rexford , Fred True, Deriving traffic demands for operational IP networks: methodology and experience, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.257-270, August 28-September 01, 2000, Stockholm, Sweden
	10	W. Feng et al. Stochastic fair blue: A queue management algorithm for enforcing fairness. In IEEE INFOCOM, April 2001.
	11	Phillip B. Gibbons , Yossi Matias, New sampling-based summary statistics for improving approximate query answers, Proceedings of the 1998 ACM SIGMOD international conference on Management of data, p.331-342, June 01-04, 1998, Seattle, Washington, United States
	12	J. Huber. Design of an OC-192 flow monitoring chip. UCSD Class Project, March 2001.
	13	Jeffrey K. MacKie-Mason , Hal R. Varian, Pricing the Internet, Public access to the Internet, MIT Press, Cambridge, MA, 1995
	14	R, Mahajan et al. Controlling high bandwidth aggregates in the network. http://www.aciri.org/pushback/, July 2001.
	15	D. Moore. http://www.caida.org/analysis/security/code-red/.
	16	Cisco NetFlow http://www.cisco.com/warp/public/732/Tech/netflow.
	17	R. Pan et al. Approximate fairness through differential dropping. Tech. report, ACIRI, 2001.
	18	David A. Patterson , John Hennessy, Computer Organization and Design, Morgan Kaufmann Publishers Inc., San Francisco, CA, 2004
	19	S. Subramanya Sastry , Rastislav Bodík , James E. Smith, Rapid profiling via stratified sampling, Proceedings of the 28th annual international symposium on Computer architecture, p.278-289, June 30-July 04, 2001, Göteborg, Sweden
	20	S. Shenker , D. Clark , D. Estrin , S. Herzog, Pricing in computer networks: reshaping the research agenda, ACM SIGCOMM Computer Communication Review, v.26 n.2, p.19-43, April 1996 [doi>10.1145/231699.231703]
	21	Smitha , Inkoo Kim , A. L. Narasimha Reddy, Identifying Long-Term High-Bandwidth Flows at a Router, Proceedings of the 8th International Conference on High Performance Computing, p.361-371, December 17-20, 2001
	22	K. Thomson, G. Miller, and R. Wilder. Wide-area traffic patterns and characteristics. In IEEE Network, December 1997.

CITED BY 65

	Abhishek Kumar , Jun (Jim) Xu , Li Li , Jia Wang, Space-code bloom filter for efficient traffic flow measurement, Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement, October 27-29, 2003, Miami Beach, FL, USA
	Cristian Estan , Stefan Savage , George Varghese, Automated measurement of high volume traffic clusters, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France
	Xin Li , Fang Bian , Mark Crovella , Christophe Diot , Ramesh Govindan , Gianluca Iannaccone , Anukool Lakhina, Detection and identification of network anomalies using sketch subspaces, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
	Cristian Estan , George Varghese , Mike Fisk, Bitmap algorithms for counting active flows on high speed links, Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement, October 27-29, 2003, Miami Beach, FL, USA
	Robert Schweller , Zhichun Li , Yan Chen , Yan Gao , Ashish Gupta , Yin Zhang , Peter A. Dinda , Ming-Yang Kao , Gokhan Memik, Reversible sketches: enabling monitoring and analysis over high-speed data streams, IEEE/ACM Transactions on Networking (TON), v.15 n.5, p.1059-1072, October 2007
	Qi Zhao , Jun Xu , Zhen Liu, Design of a novel statistics counter architecture with optimal space and time efficiency, ACM SIGMETRICS Performance Evaluation Review, v.34 n.1, June 2006
	Cristian Estan , George Varghese , Michael Fisk, Bitmap algorithms for counting active flows on high-speed links, IEEE/ACM Transactions on Networking (TON), v.14 n.5, p.925-937, October 2006
	Fragkiskos Papadopoulos , Konstantinos Psounis , Ramesh Govindan, Performance Preserving Network Downscaling, Proceedings of the 38th annual Symposium on Simulation, p.285-294, April 04-06, 2005
	Alex C. Snoeren , Barath Raghavan, Decoupling policy from mechanism in Internet routing, ACM SIGCOMM Computer Communication Review, v.34 n.1, January 2004
	Xenofontas Dimitropoulos , Marc Stoecklin , Paul Hurley , Andreas Kind, The eternal sunshine of the sketch data structure, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.17, p.3248-3257, December, 2008
	Bharath Madhusudan , John W. Lockwood, A Hardware-Accelerated System for Real-Time Worm Detection, IEEE Micro, v.25 n.1, p.60-69, January 2005
	Abhishek Kumar , Minho Sung , Jun (Jim) Xu , Jia Wang, Data streaming algorithms for efficient and accurate estimation of flow size distribution, ACM SIGMETRICS Performance Evaluation Review, v.32 n.1, June 2004
	Cristian Estan , Stefan Savage , George Varghese, Automatically inferring patterns of resource consumption in network traffic, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany
	Jörg Wallerich , Holger Dreger , Anja Feldmann , Balachander Krishnamurthy , Walter Willinger, A methodology for studying persistency aspects of internet flows, ACM SIGCOMM Computer Communication Review, v.35 n.2, April 2005
	Aleksandar Kuzmanovic , Edward W. Knightly, Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany
	Ashwin Lall , Vyas Sekar , Mitsunori Ogihara , Jun Xu , Hui Zhang, Data streaming algorithms for estimating entropy of network traffic, ACM SIGMETRICS Performance Evaluation Review, v.34 n.1, June 2006
	George Varghese , Cristian Estan, The measurement manifesto, ACM SIGCOMM Computer Communication Review, v.34 n.1, January 2004
	Abdesselem Kortebi , Luca Muscariello , Sara Oueslati , James Roberts, Minimizing the overhead in implementing flow-aware networking, Proceedings of the 2005 symposium on Architecture for networking and communications systems, October 26-28, 2005, Princeton, NJ, USA
	Qunfeng Dong , Suman Banerjee , Jia Wang , Dheeraj Agrawal, Wire speed packet classification without tcams: a few more registers (and a bit of logic) are enough, ACM SIGMETRICS Performance Evaluation Review, v.35 n.1, June 2007
	Nan Hua , Bill Lin , Jun (Jim) Xu , Haiquan (Chuck) Zhao, BRICK: a novel exact active statistics counter architecture, Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, November 06-07, 2008, San Jose, California
	Qi (George) Zhao , Abhishek Kumar , Jia Wang , Jun (Jim) Xu, Data streaming algorithms for accurate and efficient measurement of traffic and flow matrices, ACM SIGMETRICS Performance Evaluation Review, v.33 n.1, June 2005
	Graham Cormode , Flip Korn , S. Muthukrishnan , Divesh Srivastava, Finding hierarchical heavy hitters in data streams, Proceedings of the 29th international conference on Very large data bases, p.464-475, September 09-12, 2003, Berlin, Germany
	Rong Pan , Balaji Prabhakar , Konstantinos Psounis , Damon Wischik, SHRiNK: a method for enabling scaleable performance prediction and efficient network simulation, IEEE/ACM Transactions on Networking (TON), v.13 n.5, p.975-988, October 2005
	Robert Schweller , Ashish Gupta , Elliot Parsons , Yan Chen, Reversible sketches for efficient and accurate change detection over network data streams, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy
	Saar Cohen , Yossi Matias, Spectral bloom filters, Proceedings of the 2003 ACM SIGMOD international conference on Management of data, June 09-12, 2003, San Diego, California
	Edith Cohen , Nick Duffield , Haim Kaplan , Carsten Lund , Mikkel Thorup, Algorithms and estimators for accurate summarization of internet traffic, Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, October 24-26, 2007, San Diego, California, USA
	Aleksandar Kuzmanovic , Edward W. Knightly, Low-rate TCP-targeted denial of service attacks and counter strategies, IEEE/ACM Transactions on Networking (TON), v.14 n.4, p.683-696, August 2006
	Bernard Chazelle , Joe Kilian , Ronitt Rubinfeld , Ayellet Tal, The Bloomier filter: an efficient data structure for static support lookup tables, Proceedings of the fifteenth annual ACM-SIAM symposium on Discrete algorithms, January 11-14, 2004, New Orleans, Louisiana
	L. K. Lee , H. F. Ting, Maintaining significant stream statistics over sliding windows, Proceedings of the seventeenth annual ACM-SIAM symposium on Discrete algorithm, p.724-732, January 22-26, 2006, Miami, Florida
	Edith Cohen , Nick Duffield , Haim Kaplan , Carsten Lund , Mikkel Thorup, Sketching unaggregated data streams for subpopulation-size queries, Proceedings of the twenty-sixth ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems, June 11-13, 2007, Beijing, China
	Haiquan (Chuck) Zhao , Ashwin Lall , Mitsunori Ogihara , Oliver Spatscheck , Jia Wang , Jun Xu, A data streaming algorithm for estimating entropies of od flows, Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, October 24-26, 2007, San Diego, California, USA
	Giuseppe Bianchi , Simone Teofili , Matteo Pomposini, New directions in privacy-preserving anomaly detection for network traffic, Proceedings of the 1st ACM workshop on Network data anonymization, October 31-31, 2008, Alexandria, Virginia, USA
	Fang Hao , Murali Kodialam , T. V. Lakshman, Building high accuracy bloom filters using partitioned hashing, ACM SIGMETRICS Performance Evaluation Review, v.35 n.1, June 2007
	Chadi Barakat , Gianluca Iannaccone , Christophe Diot, Ranking flows from sampled traffic, Proceedings of the 2005 ACM conference on Emerging network experiment and technology, October 24-27, 2005, Toulouse, France
	Nick Duffield , Carsten Lund , Mikkel Thorup, Estimating flow distributions from sampled flow statistics, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany
	Nick Duffield , Carsten Lund, Predicting resource usage and estimation accuracy in an IP flow measurement collection infrastructure, Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement, October 27-29, 2003, Miami Beach, FL, USA
	Stênio Fernandes , Carlos Kamienski , Judith Kelner , Dênio Mariz , Djamel Sadok, A stratified traffic sampling methodology for seeing the big picture, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.14, p.2677-2689, October, 2008
	Fang Hao , Murali Kodialam , T. V. Lakshman , Hui Zhang, Fast payload-based flow estimation for traffic monitoring and network security, Proceedings of the 2005 symposium on Architecture for networking and communications systems, October 26-28, 2005, Princeton, NJ, USA
	Graham Cormode , S. Muthukrishnan, An improved data stream summary: the count-min sketch and its applications, Journal of Algorithms, v.55 n.1, p.58-75, April 2005
	Jianning Mai , Chen-Nee Chuah , Ashwin Sridharan , Tao Ye , Hui Zang, Is sampled data sufficient for anomaly detection?, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
	Cheqing Jin , Weining Qian , Chaofeng Sha , Jeffrey X. Yu , Aoying Zhou, Dynamically maintaining frequent items over a data stream, Proceedings of the twelfth international conference on Information and knowledge management, November 03-08, 2003, New Orleans, LA, USA
	Nick Duffield , Carsten Lund , Mikkel Thorup, Estimating flow distributions from sampled flow statistics, IEEE/ACM Transactions on Networking (TON), v.13 n.5, p.933-946, October 2005
	Vyas Sekar , Michael K. Reiter , Walter Willinger , Hui Zhang , Ramana Rao Kompella , David G. Andersen, CSAMP: a system for network-wide flow monitoring, Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, p.233-246, April 16-18, 2008, San Francisco, California
	Nishad Manerikar , Themis Palpanas, Frequent items in streaming data: An experimental evaluation of the state-of-the-art, Data & Knowledge Engineering, v.68 n.4, p.415-430, April, 2009
	Ramana Rao Kompella , Sumeet Singh , George Varghese, On scalable attack detection in the network, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy
	Graham Cormode , S. Muthukrishnan, Space efficient mining of multigraph streams, Proceedings of the twenty-fourth ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems, June 13-15, 2005, Baltimore, Maryland
	Seong Soo Kim , A. L. Narasimha Reddy, Statistical techniques for detecting traffic anomalies through packet header data, IEEE/ACM Transactions on Networking (TON), v.16 n.3, p.562-575, June 2008
	Aditya Akella , Bruce Maggs , Srinivasan Seshan , Anees Shaikh, On the performance benefits of multihoming route control, IEEE/ACM Transactions on Networking (TON), v.16 n.1, p.91-104, February 2008
	Ram Keralapura , Graham Cormode , Jeyashankher Ramamirtham, Communication-efficient distributed monitoring of thresholded counts, Proceedings of the 2006 ACM SIGMOD international conference on Management of data, June 27-29, 2006, Chicago, IL, USA
	Graham Cormode , S. Muthukrishnan , Irina Rozenbaum, Summarizing and mining inverse distributions on data streams via dynamic inverse sampling, Proceedings of the 31st international conference on Very large data bases, August 30-September 02, 2005, Trondheim, Norway
	Ken Keys , David Moore , Cristian Estan, A robust system for accurate real-time summaries of internet traffic, ACM SIGMETRICS Performance Evaluation Review, v.33 n.1, June 2005
	Graham Cormode , S. Muthukrishnan, What's hot and what's not: tracking most frequent items dynamically, ACM Transactions on Database Systems (TODS), v.30 n.1, p.249-278, March 2005
	Xenofontas Dimitropoulos , Paul Hurley , Andreas Kind, Probabilistic lossy counting: an efficient algorithm for finding heavy hitters, ACM SIGCOMM Computer Communication Review, v.38 n.1, January 2008
	Ratul Mahajan , Neil Spring , David Wetherall , Thomas Anderson, User-level internet path diagnosis, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	David Plonka , Paul Barford, Context-aware clustering of DNS query traffic, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, October 20-22, 2008, Vouliagmeni, Greece
	Matthew Roughan , Yin Zhang, Secure distributed data-mining and its application to large-scale network measurements, ACM SIGCOMM Computer Communication Review, v.36 n.1, January 2006
	Graham Cormode , S. Muthukrishnan, What's new: finding significant differences in network data streams, IEEE/ACM Transactions on Networking (TON), v.13 n.6, p.1219-1232, December 2005
	Abhishek Kumar , Minho Sung , Jun (Jim) Xu , Ellen W. Zegura, A data streaming algorithm for estimating subpopulation flow size distribution, ACM SIGMETRICS Performance Evaluation Review, v.33 n.1, June 2005
	Qin Zhang , Feifei Li , Ke Yi, Finding frequent items in probabilistic data, Proceedings of the 2008 ACM SIGMOD international conference on Management of data, June 09-12, 2008, Vancouver, Canada
	Xuan Chen , John Heidemann, Flash crowd mitigation via adaptive admission control based on application-level observations, ACM Transactions on Internet Technology (TOIT), v.5 n.3, p.532-569, August 2005
	Yin Zhang , Sumeet Singh , Subhabrata Sen , Nick Duffield , Carsten Lund, Online identification of hierarchical heavy hitters: algorithms, evaluation, and applications, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy
	Balachander Krishnamurthy , Subhabrata Sen , Yin Zhang , Yan Chen, Sketch-based change detection: methods, evaluation, and applications, Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement, October 27-29, 2003, Miami Beach, FL, USA
	Edith Cohen , Nick Duffield , Carsten Lund , Mikkel Thorup, Confident estimation for multistage measurement sampling and aggregation, ACM SIGMETRICS Performance Evaluation Review, v.36 n.1, June 2008
	Mike Fisk , George Varghese, Agile and scalable analysis of network events, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France
	Ramana Rao Kompella , Sumeet Singh , George Varghese, On scalable attack detection in the network, IEEE/ACM Transactions on Networking (TON), v.15 n.1, p.14-25, February 2007