ABSTRACT
Managing and securing networks requires collecting and analyzing network traffic data in real time. Existing telemetry systems do not allow operators to express the range of queries needed to perform management or scale to large traffic volumes and rates. We present Sonata, an expressive and scalable telemetry system that coordinates joint collection and analysis of network traffic. Sonata provides a declarative interface to express queries for a wide range of common telemetry tasks; to enable real-time execution, Sonata partitions each query across the stream processor and the data plane, running as much of the query as it can on the network switch, at line rate. To optimize the use of limited switch memory, Sonata dynamically refines each query to ensure that available resources focus only on traffic that satisfies the query. Our evaluation shows that Sonata can support a wide range of telemetry tasks while reducing the workload for the stream processor by as much as seven orders of magnitude compared to existing telemetry systems.
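A constructed Python model of the dynamic refinement the abstract describes, added here as an example and not code from the Sonata project: a heavy-receiver query (destination IPs receiving more than a threshold of packets per window) is first evaluated at a coarse prefix length, and only prefixes that satisfied the query are tracked at the next, finer level in the following window. The traffic, threshold and prefix ladder (/8, /16, /24, /32) are all assumptions chosen to show how few counter entries the switch needs compared with tracking every /32 directly.

```python
import ipaddress
from collections import Counter

# Constructed sample window: one host (10.0.0.5) receives 6 packets,
# 22 other destinations receive 1 packet each, spread across five /8s.
SAMPLE_WINDOW = (
    ["10.0.0.5"] * 6
    + ["10.1.2.3", "10.0.9.9"]
    + [f"{a}.{b}.1.1" for a in (20, 30, 40, 50) for b in range(1, 6)]
)


def prefix(ip, plen):
    """Return the canonical network prefix of ip at prefix length plen."""
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def naive_entries(window):
    """Counter entries needed if every /32 destination is tracked at once."""
    return len(set(window))


def run_refinement(windows, threshold, levels=(8, 16, 24, 32)):
    """Walk one refinement level per window.

    Returns (prefixes satisfying the query at the finest level,
             peak number of counter entries used in any single window).
    Assumption: the traffic of interest persists across windows, since
    each level only sees traffic inside prefixes kept from the level before.
    """
    keep, keep_len, peak = None, None, 0
    for plen, window in zip(levels, windows):
        counts = Counter()
        for ip in window:
            # Data-plane filter: only packets inside a prefix that satisfied
            # the query at the coarser level consume counter memory now.
            if keep is not None and prefix(ip, keep_len) not in keep:
                continue
            counts[prefix(ip, plen)] += 1
        peak = max(peak, len(counts))
        keep, keep_len = {p for p, c in counts.items() if c > threshold}, plen
    return keep, peak


if __name__ == "__main__":
    hits, peak = run_refinement([SAMPLE_WINDOW] * 4, threshold=5)
    print(hits, peak, naive_entries(SAMPLE_WINDOW))
```

The trade-off the model makes visible is latency: reaching /32 takes one window per level, so a destination that only satisfies the query within a single window is missed, which is why the choice of refinement ladder matters for detection as well as for memory.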
Sonata: query-driven streaming network telemetry