Title
Efficient detection of flow anomalies with limited monitoring resources
Abstract
Real-time detection of flow anomalies is a critical part of a wide range of management and security applications in many Cloud and NFV systems. Solutions based on per-flow records have become impossible due to the increasing traffic volumes and the limited available resources such as TCAM entries and fast counters. In this paper we study a novel dynamic control mechanism that allows detecting flow anomalies using only a limited number of counters. Starting from the simple observation that it is impossible to guarantee instantaneous detection of flow anomalies with a limited number of counters, we study the trade-off between the time required to detect the anomaly and the number of available counters. We implemented the scheme in an OpenFlow-enabled switch, where the logic is implemented in the controller, and demonstrate that it can be used to detect a single flow anomaly within a large real traffic volume. To further reduce the detection time, we also implemented the scheme logic inside the switch and used the controller only for configuration. This implementation indeed yielded faster detection and lower monitoring communication overhead while not introducing any significant observable costs at the switch itself.
Year
2016
DOI
10.1109/CNSM.2016.7818400
Venue
2016 12th International Conference on Network and Service Management (CNSM)
Keywords
flow anomaly detection, limited monitoring resources, security applications, cloud systems, NFV systems, TCAM entries, fast counters, dynamic control mechanism, OpenFlow enabled switch, scheme logic
Field
Control theory, Content-addressable memory, Network Functions Virtualization, Computer science, Flow (psychology), Real-time computing, OpenFlow, Software, Traffic volume, Cloud computing
DocType
Conference
ISBN
978-1-5090-3236-5
Citations
0
PageRank
0.34
References
8
Authors
2
Name
Order
Citations
PageRank
Jalil Moraney111.70
Danny Raz21643152.24