arpit gupta
play

Arpit Gupta Princeton University Rob Harrison , Ankita Pawar, Marco - PowerPoint PPT Presentation

Mar 06, 2023 •460 likes •854 views

SONATA: Query-Driven Network Telemetry Arpit Gupta Princeton University Rob Harrison , Ankita Pawar, Marco Canini, Nick Feamster, Jennifer Rexford, Walter Willinger Existing Telemetry Systems Compute Store Analysis Queries Packet Capture

  1. SONATA: Query-Driven Network Telemetry Arpit Gupta Princeton University Rob Harrison , Ankita Pawar, Marco Canini, Nick Feamster, Jennifer Rexford, Walter Willinger

  2. Existing Telemetry Systems Compute Store Analysis Queries Packet Capture SNMP Collection NetFlow 2

  3. Existing Telemetry Systems Compute Store Analysis Queries Collection Existing Systems are Query-Agnostic! 3

  4. Problems with Status Quo • Expressiveness – Configure collection & analysis stages separately – Static (and often coarse) data collection – Brittle analysis setup---specific to collection tools • Scalability Hard to scale query execution as: • Traffic Volume increases and/or Network Telemetry Systems should be • Number of Queries increases Expressive & Scalable 4

  5. Idea 1: Declarative Query Interface • Extensible Packet-As-Tuple Abstraction Treat packets as tuples carrying header, payload, and meta fields • Expressive Dataflow Operators – Most telemetry applications • Collect aggr. statistics over subset of traffic • Join results of one analysis with the other – Express them as declarative queries composed of dataflow operators, e.g. map , reduce , filter , join etc. 5

  6. Example Queries Detecting Newly Opened TCP Connections Detect hosts for which the number of newly opened TCP connections exceeds threshold (Th) victimIPs = pktStream .filter(p => p.tcp.flag == SYN) .map(p => (p.dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) .map((dstIP, count) => dstIP) Collect aggr. stats over subset of traffic 6

  7. Example Queries Detecting Traffic Anomalies Detect hosts for which the number of unique source IPs sending DNS response messages exceeds threshold (Th) pvictimIPs = pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) . distinct () .map((dstIP, srcIP) => (dstIP, 1)) Apply multiple aggregations over the . reduce (keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) packet tuple streams .map((dstIP, count) => dstIP) 7

  8. Example Queries Confirming Reflection Attacks Detect hosts with traffic anomalies that are of type RRSIG victimIPs = pktStream .filter(p => p.udp.sport == 53) . join ( pVictimIPs , key=‘dstIP’) .filter(p => p.dns.rr.type == RRSIG ) .map(p => (p.dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > T2) Join results of one analysis with the other .map((dstIP, count) => dstIP) 8

  9. Changing Status Quo • Expressiveness – Express dataflow queries over packet tuples – Not tied to low-level (3 rd party/platform-specific) APIs – Trivial to add new queries and change collection tools Easier to express network telemetry tasks! 9

  10. Query Execution Use Scalable Stream Processors Process all (or subset of) captured packet tuples using state-of-the-art Stream Processor Stream Processor Queries Packet Tuples Packet Capture Expressive but not Scalable! 10

  11. Idea 2: Query Partitioning • Observation Data plane can process packets at line rate • How it works? Execute subset of dataflow operators in the data plane • Trade-off Trades workload at stream processor at the cost of additional resource usage in the data plane 11

  12. Query Partitioning in Action Stream Processor Queries Runtime Packet Tuples Data Plane Configurations Programmable Data Plane Partition Queries b/w Switches and Stream Processor 12

  13. Query Partitioning in Action pktStream .filter(p => p.udp.sport == 53) .map(p => (p.dstIP, p.srcIP)) Traffic Anomaly Query .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=(dstIP,), sum) .filter((dstIP, count) => count > Th) .map((dstIP, count) => dstIP) pktStream .map((dstIP, srcIP)=>(dstIP,1)) .filter(p=>p.srcPort==53) .reduce(keys=(dstIP,), sum) .map(p=>(p.dstIP,p.srcIP)) .filter((dstIP,count)=>count>Th) .distinct() .map((dstIP, count) => dstIP) Stream Processor Programmable Data Plane 13

  14. Compiling Queries for PISA Targets pktStream .filter(p=>p.udp.sport==53) .map(p=>(p.dstIP,p.srcIP)) .distinct() M A M A M A M A Monitoring Pkt out Pkt in Port Register PISA Target See Tutorial 2 for details

  15. Limited Data-Plane Resources • Number of Physical Stages • Number of Actions per Stage M A M A M A M A Pkt out Pkt in Register Physical Stages

  16. Limited Data-Plane Resources Available Memory per Stage M A M A M A M A Pkt out Pkt in Register SRAM for Stateful Operations

  17. Limited Data-Plane Resources Available State for Metadata fields Packet Header Vector M A M A M A M A Pkt out Pkt in Register

  18. Selecting Query (Partitioning) Plans • Given: Queries & Training Data • Objective: Minimize the workload at Stream Processor • Constraints: – Available memory per stage Solve Query Planning Problem as an ILP – Available space for metadata fields – Number of actions per stage – Total number of stages 18

  19. Idea 3: Iterative Refinement • Observation Tiny fraction of traffic or flows satisfy telemetry queries • How it works? – Execute queries at coarser levels – Iteratively zoom-in on interesting traffic over time • Trade-off s Trades workload at stream processor at the cost of additional detection delay 19

  20. Iterative Refinement in Action Iterative Refinement Stream Processor Queries Runtime Packet Tuples Data Plane Configurations Programmable Data Plane Queries’ Output Drives further Processing 20

  21. Iterative Refinement in Action Refinement Key = dstIP pktStream .filter(p => p.udp.sport == 53) .map(p => (p. dstIP , p.srcIP)) Traffic Anomaly Query .distinct() .map((dstIP, srcIP) => (dstIP, 1)) .reduce(keys=( dstIP ,), sum) .filter((dstIP, count) => count > Th) à /16 /8 .map((dstIP, count) => dstIP) Q 8 (W) = pktStream Q 16 (W+1) = pktStream .filter(p=>p.udp.sport==53) .filter(p=>p.udp.sport==53) .map( dstIP=>dstIP/8 ) .filter( p=>p.dstIP/8 in Q 8 (W) ) .map(p=>(p.dstIP,p.srcIP)) .map( dstIP=>dstIP/16 ) … .map(p=>(p.dstIP,p.srcIP)) … W + 1 W Query-Driven Network Telemetry! Time 21

  22. Quantify Performance Gains • Realistic Workload – Anonymized packet traces from a large ISP – Processing 20 M packets per second (~100 Gbps) • Typical Telemetry Tasks New TCP, SSH Brute, Super Spreader, Port Scan, DDoS, SYN Flood, Completed Flows, Slow Loris, … • Comparisons All-SP, Filter-DP, Max-DP, Fix-REF 22

  23. Single-Query Performance Reduces workload at stream processor by up to seven orders of magnitude 23

  24. Multi-Query Performance Reduces workload at stream processor by up to three orders of magnitude 24

  25. Sensitivity Analysis Data-Plane Resources Sonata makes the best use of available limited data-plane resources 25

  26. Changing Status Quo • Expressiveness – Express Dataflow queries over packet tuples – Not worry about how and where the query is executed – Adding new queries and collection tools is trivial • Scalability Answers multiple queries for traffic volume as high as 100 Gb/s in real-time Sonata is Expressive & Scalable ! 26

  27. Sonata Implementation Query Interface Q 1 Q 2 Q N Iterative Refinement Output Core Queries Queries Query Partitioning Streaming Driver Data Plane Driver Tuples Stream Processor Packets In Packets Out Programmable Data Plane 27

  28. More Use Cases 28

  29. Performance Monitoring Monitor various performance metrics TCP-Monitoring = pktStream .map(p => ( key , perf-metric )) 5-tuples, nBytes, ingress-egress pairs, loss, src-dst pairs, latency, .. … 29

  30. Performance Monitoring Identify flows for which the traffic volume exceeds threshold (T) Heavy-Hitters = pktStream .map(p => (p.5-tuple,p.nBytes)) .reduce(keys=(5-tuple,), sum) .filter((5-tuple,bytes) => bytes > T) .map((5-tuple,bytes)=> 5-tuple) Use Sonata for Collection & Analysis 30

  31. Detecting Microbursts Detect ports for which the total traffic volume exceeds a threshold (T 1 ) mBursts = pktStream .map(p => (p.port, p.nBytes)) .reduce(keys=(port,), sum) .filter((port, bytes) => bytes > T 1 ) .map((port, bytes) => port) 31

  32. Analyzing Microbursts Analyze which flows contribute to microbursts Top-Contributors = pktStream .map(p => (p.port,p.5-tuple,p.nBytes)) .join( mBursts , key=‘port’) .map((port,5-tuple,nBytes)=>(5-tuple,nBytes)) .reduce(keys=(5-tuples,), sum) .filter((5-tuples,bytes) => bytes > T 2 ) .map((5-tuples,bytes) => 5-tuples) 32

  33. Future Work 33

  34. Extend Packet Tuples victimIPs(t) = pktStream(W) … .filter(p => p.dns.rr.type == RRSIG ) … • Currently, dns.rr.type is parsed in user-space • Possible to parse it in the data plane itself • Layers of Interest: – DNS – SMTP – … 34

  35. Extend Dataflow Operators • Extend existing Operators – Reduce • Currently, only sum function is supported • Implement more complex aggregation functions – Join • Currently, only inner join is supported • Implement full outer, Cartesian, left/right inner/outer joins • Add new Operators – Flat Map – Sample 35

Recommend

Take the Q Train: Value Capture of Public Infrastructure Projects Arpit Gupta (NYU Stern) Stijn

Take the Q Train: Value Capture of Public Infrastructure Projects Arpit Gupta (NYU Stern) Stijn

Take the Q Train: Value Capture of Public Infrastructure Projects Arpit Gupta (NYU Stern) Stijn Van Nieuwerburgh (Columbia GSB, NBER, CEPR) Constantine Kontokosta (NYU CUSP, Marron) Baruch, April 7, 2020 1 / 35 Motivation As major urban

958 views • 46 slides
Peering at the Internets Frontier: A First Look at ISP Interconnectivity in Africa Arpit Gupta

Peering at the Internets Frontier: A First Look at ISP Interconnectivity in Africa Arpit Gupta

Peering at the Internets Frontier: A First Look at ISP Interconnectivity in Africa Arpit Gupta Georgia Tech Matt Calder (USC), Nick Feamster (Georgia Tech), Marshini Chetty (Maryland), Enrico Calandro (Research ICT Africa), Ethan

638 views • 25 slides
Preserving Privacy at IXPs + Xiaohe Hu * Arpit Gupta , Nick Feamster , Aurojit Panda , Scott

Preserving Privacy at IXPs + Xiaohe Hu * Arpit Gupta , Nick Feamster , Aurojit Panda , Scott

Preserving Privacy at IXPs + Xiaohe Hu * Arpit Gupta , Nick Feamster , Aurojit Panda , Scott Shenker + * Internet Exchange Points Global Transit / Hyper Giants National Large Content, Consumer, Hosting CDN

729 views • 20 slides
SDX: A Software-Defined Internet Exchange Arpit Gupta Laurent Vanbever, Muhammad Shahbaz, Sean

SDX: A Software-Defined Internet Exchange Arpit Gupta Laurent Vanbever, Muhammad Shahbaz, Sean

SDX: A Software-Defined Internet Exchange Arpit Gupta Laurent Vanbever, Muhammad Shahbaz, Sean Donovan, Brandon Schlinker, Nick Feamster, Jennifer Rexford, Scott Shenker, Russ Clark, Ethan Katz-Bassett Georgia Tech, Princeton University, UC

508 views • 33 slides
Arpit Gupta Princeton University Rob Harrison, Ankita Pawar, Rdiger Birkner, Marco Canini,

Arpit Gupta Princeton University Rob Harrison, Ankita Pawar, Rdiger Birkner, Marco Canini,

SONATA: Query-Driven Network Telemetry Arpit Gupta Princeton University Rob Harrison, Ankita Pawar, Rdiger Birkner, Marco Canini, Nick Feamster, Jennifer Rexford, Walter Willinger Conventional Network Telemetry Compute Store Analysis

692 views • 24 slides
Authorizing Network Control at Software Defined Exchange Points Arpit Gupta Princeton University

Authorizing Network Control at Software Defined Exchange Points Arpit Gupta Princeton University

Authorizing Network Control at Software Defined Exchange Points Arpit Gupta Princeton University http://sdx.cs.princeton.edu Nick Feamster, Laurent Vanbever Internet Exchange Points (IXPs) Route Server BGP Session IXP Switching Fabric AS

363 views • 20 slides
Pa PacketScope: : Monit itorin ing the Pac acket Li Lifecycle Wi Within a a S Swi witch

Pa PacketScope: : Monit itorin ing the Pac acket Li Lifecycle Wi Within a a S Swi witch

Pa PacketScope: : Monit itorin ing the Pac acket Li Lifecycle Wi Within a a S Swi witch Ross Teixeira (Princeton) Rob Harrison (United States Military Academy) Arpit Gupta (UC Santa Barbara) Jennifer Rexford (Princeton) Ou Outline

335 views • 18 slides
Concise Encoding of Flow Attributes in SDN Switches Robert MacDavid *, Rdiger Birkner , Ori

Concise Encoding of Flow Attributes in SDN Switches Robert MacDavid *, Rdiger Birkner , Ori

Concise Encoding of Flow Attributes in SDN Switches Robert MacDavid *, Rdiger Birkner , Ori Rottenstreich*, Arpit Gupta*, Nick Feamster*, Jennifer Rexford* *Princeton University, ETH Zrich Motivation Incoming Flows Classifier

841 views • 82 slides
Controlled Foreign Corporation Certificate Course on International Taxation, Chennai Arpit Jain

Controlled Foreign Corporation Certificate Course on International Taxation, Chennai Arpit Jain

Controlled Foreign Corporation Certificate Course on International Taxation, Chennai Arpit Jain Director International Tax Background Spread of CFC legislation across the world in last 30-40 years US-perhaps first country to

469 views • 19 slides
Informed Truthfulness for Multi-Task Peer Prediction Victor Shnayder , Arpit Agarwal, Rafael

Informed Truthfulness for Multi-Task Peer Prediction Victor Shnayder , Arpit Agarwal, Rafael

Informed Truthfulness for Multi-Task Peer Prediction Victor Shnayder , Arpit Agarwal, Rafael Frongillo, David C. Parkes Nov 3, 2016; HCOMP16 Foundations Workshop 1 Lets talk about crowdsourcing 2 Task: How many cows in this image? 3

780 views • 47 slides
Analysis of Wikileaks Cables Using NLP Techniques CS671: Natural language Processing Arpit Jain

Analysis of Wikileaks Cables Using NLP Techniques CS671: Natural language Processing Arpit Jain

Analysis of Wikileaks Cables Using NLP Techniques CS671: Natural language Processing Arpit Jain Sugam Anand Mentor : Dr . Amitabha Mukerjee Why Wikileaks ? Wikileaks embassy cables revelations covered a huge dataset of official documents

2.82k views • 10 slides
Synchronization Presented by Farhan Asif Chowdhury, Arpit Garg and Md Abdur Rahaman 18th April

Synchronization Presented by Farhan Asif Chowdhury, Arpit Garg and Md Abdur Rahaman 18th April

Exotic New Patterns of Natalie Wolchover Synchronization Presented by Farhan Asif Chowdhury, Arpit Garg and Md Abdur Rahaman 18th April 2019 Synchronization Two or more dynamical systems Adjust some of their properties To a common

392 views • 25 slides
Architectural Support for Atomic Durability in Non-Volatile Memory Arpit Joshi , Vijay Nagarajan,

Architectural Support for Atomic Durability in Non-Volatile Memory Arpit Joshi , Vijay Nagarajan,

Architectural Support for Atomic Durability in Non-Volatile Memory Arpit Joshi , Vijay Nagarajan, Stratis Viglas, Marcelo Cintra NVMW 2018 Summary Non-Volatile Memory (NVM) - on the memory bus enables in-memory persistent data structures

1.12k views • 87 slides
Rank Aggregation from Pairwise Comparisons in the Presence of Adversarial Corruptions Arpit

Rank Aggregation from Pairwise Comparisons in the Presence of Adversarial Corruptions Arpit

Rank Aggregation from Pairwise Comparisons in the Presence of Adversarial Corruptions Arpit Agarwal, Shivani Agarwal, Sanjeev Khanna, Prathamesh Patil ICML 2020 Rank Aggregation from Pairwise Comparisons In many practical applications, the

844 views • 37 slides
Most Favored Nation Certificate Course on International Taxation, Chennai Arpit Jain Director

Most Favored Nation Certificate Course on International Taxation, Chennai Arpit Jain Director

Most Favored Nation Certificate Course on International Taxation, Chennai Arpit Jain Director International Tax MFN Principle State A binds itself to State B with respect to favorable treatment afforded by it in future to State C

554 views • 16 slides
DieCast: Testing Distributed Systems with an Accurate Scale Model Diwaker Gupta Diwaker Gupta

DieCast: Testing Distributed Systems with an Accurate Scale Model Diwaker Gupta Diwaker Gupta

DieCast: Testing Distributed Systems with an Accurate Scale Model Diwaker Gupta Diwaker Gupta Kashi V. Vishwanath Amin Vahdat University of California, San Diego High performance Alice filesystem Limited testing infrastructure Diverse

590 views • 29 slides
Thin Capitalization Certificate Course on International Taxation, Chennai Arpit Jain Director

Thin Capitalization Certificate Course on International Taxation, Chennai Arpit Jain Director

Thin Capitalization Certificate Course on International Taxation, Chennai Arpit Jain Director International Tax Anti abuse Principle Tax avoidance Issues Sham transaction Step transaction Abuse of law

520 views • 17 slides
Efficient Persist Barriers for Multicores Arpit Joshi, Vijay Nagarajan, Marcelo Cintra, Stratis

Efficient Persist Barriers for Multicores Arpit Joshi, Vijay Nagarajan, Marcelo Cintra, Stratis

MICRO-48 Efficient Persist Barriers for Multicores Arpit Joshi, Vijay Nagarajan, Marcelo Cintra, Stratis Viglas Summary Efficient persist barrier Used to implement persistency models Persistency = when stores become durable

881 views • 71 slides
SOCIAL ENGINEERING - HOW NOT TO BE A VICTIM! BHUSHAN GUPTA GUPTA CONSULTING, LLC.

SOCIAL ENGINEERING - HOW NOT TO BE A VICTIM! BHUSHAN GUPTA GUPTA CONSULTING, LLC.

SOCIAL ENGINEERING - HOW NOT TO BE A VICTIM! BHUSHAN GUPTA GUPTA CONSULTING, LLC. WWW.BGUPTA.COM WHAT IS YOUR PASSWORD? Jimmy Kimmel Live @Gupta Consulting, LLC. www.bgupta.com 2 JIMMY KIMMEL LIVE - OBSERVATIONS Most Common Password

965 views • 62 slides
Politics of Fiscal Policy: What do we know Sanjeev Gupta XXX REGIONAL FISCAL POLICY SEMINAR S

Politics of Fiscal Policy: What do we know Sanjeev Gupta XXX REGIONAL FISCAL POLICY SEMINAR S

Politics of Fiscal Policy: What do we know Sanjeev Gupta XXX REGIONAL FISCAL POLICY SEMINAR S antiago 26-28 March 2018 Sanjeev Gupta | CGDev.org Drawn From a Recent Book Published by the IMF Last Year Sanjeev Gupta | CGDev.org | 1 Outline

257 views • 21 slides
GST ANNUAL RETURN CA DR ARPIT HALDIA FY 2017-18 RELEVANT SECTION, RULE, NOTIFICATIONS AND ROD

GST ANNUAL RETURN CA DR ARPIT HALDIA FY 2017-18 RELEVANT SECTION, RULE, NOTIFICATIONS AND ROD

GST ANNUAL RETURN CA DR ARPIT HALDIA FY 2017-18 RELEVANT SECTION, RULE, NOTIFICATIONS AND ROD Relevant Section: Section 44 read with Rule 80 Relevant Notification: Notification No. 74/2018-Central Tax Dated 31 st December 2018 Order

1.53k views • 137 slides
Vienna Convention on Law of Treaties Certificate Course on International Taxation, Chennai Arpit

Vienna Convention on Law of Treaties Certificate Course on International Taxation, Chennai Arpit

Vienna Convention on Law of Treaties Certificate Course on International Taxation, Chennai Arpit Jain Director International Tax Treaties for International Treaty Vienna Convention on the Law of Treaties 1969 Adopted in 1969, in

543 views • 22 slides
PERCEPTUAL ACCOUNT OF SYMBOLIC REASON LANDY, ALLEN, ZEDNIK 2014 Rishav Raj Agarwal Arpit Agarwal

PERCEPTUAL ACCOUNT OF SYMBOLIC REASON LANDY, ALLEN, ZEDNIK 2014 Rishav Raj Agarwal Arpit Agarwal

PERCEPTUAL ACCOUNT OF SYMBOLIC REASON LANDY, ALLEN, ZEDNIK 2014 Rishav Raj Agarwal Arpit Agarwal WHAT IS SYMBOLIC REASONING? The science of reasoning by the aid of representative symbols a+b=b+a CONTEMPORARY VIEWS Symbolic Reasoning as

456 views • 17 slides
Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo

Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo

Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo Cintra, Stratis Viglas NVMW 2019 Persistent Memory Systems L1 L1 LLC Persistent Memory 2 Persistent Memory Systems L1 L1 Persistent

1.1k views • 70 slides

More recommend