Estimating Persistent Spread in High-speed Networks
Qingjun Xiao, Yan Qiao, Zhen Mo, Shigang Chen
Southeast University of China; University of Florida
Motivation for Persistent Stealthy Spreaders
Imagine a scenario: a farm of servers is located in an intranet. The intranet is protected by a gateway router, which inspects the traffic flows passing through it.
Motivation for Persistent Stealthy Spreaders (cont.)
Various malicious attacks may come from the Internet, for example network/port scanning and distributed denial-of-service (DDoS) attacks.
Traditional Defense Technique Deployed at the Gateway Router
Flow-based traffic monitoring.
For DDoS: monitor per-destination flows, where a flow is the stream of packets sent to a common destination IP.
For network scanners: monitor per-source flows, where a flow is the stream of packets sent from a common source IP.
[Figure: a per-destination flow and a per-source flow passing through the gateway between sources and destinations]
Traditional Defense Technique: Super-spreader Detection
The spread of a flow is the number of distinct elements in it.
The spread of a per-destination flow is the number of distinct source addresses.
The spread of a per-source flow is the number of distinct destination addresses.
A super-spreader detector locates the elephant flows whose spread exceeds a predefined threshold [ref1, ref2].
[Figure: sources and destinations of a per-destination flow and a per-source flow at the gateway]
Why New Techniques?
The super-spreader detector may fail to discover malicious activities.
Example: stealthy degrade-of-quality attack. The attacker reduces the number of attacking machines to the scale of the number of legitimate users, so it is difficult to differentiate "too many users" from "under attack".
Why New Techniques? (cont.)
Another example: stealthy network scan. The attacker reduces the probing rate to avoid detection: it probes the intranet at a low rate and scans different network sections in different time periods, or uses a botnet to perform a coordinated scan.
[Figure: the scanner's source and the destinations it probes in periods 1, 2 and 3]
A Useful Traffic Feature to Detect Stealthy Attacks
The traffic of stealthy attackers persists for a much longer time than that of legitimate users.
Case 1: stealthy degrade-of-quality attacks. Legitimate users, when contacting web servers, typically stay for less than 20 minutes; in contrast, attackers send requests to the web servers persistently in order to degrade their performance.
Case 2: stealthy network scan. Attackers scan the protected network for a long duration in order to find vulnerabilities, and for efficiency they avoid letting the network section scanned in one period overlap with that of another.
An Intuitive Explanation of Persistent Spread
[Figure: elements e1 to e6 observed over periods 1, 2 and 3; e1, e4 and e6 appear in every period (persistent elements), the others only in some periods (transient elements)]
Persistent spread is the number of persistent elements, e.g., |{e1, e4, e6}| = 3.
Problem Definition: Persistent Spread Estimation
Notations: let t be the number of measurement periods. For a flow of interest, let S_i be the set of elements that have been observed in the i-th period, 1 ≤ i ≤ t.
Problem: estimate the cardinality of the intersection of the t sets S_1, S_2, ..., S_t, i.e., S* = S_1 ∩ S_2 ∩ ... ∩ S_t.
Challenges
Constraint on memory usage: a good estimator design must use the on-chip SRAM of the NIC to support a high packet-processing speed, and it must use only a small portion of that on-chip SRAM (e.g., 1 Mb), since the on-chip SRAM is shared by many other functions (routing, security, ...).
[Figure: router architecture with a line card / NIC holding the on-chip SRAM, connected over the bus and switch fabric to the control plane's main memory and CPU]
Challenges (cont.)
Fast online operation (encoding) to keep up with line speed.
Scalability: simultaneously measuring a large number of flows.
Wide operating range, to measure elephant flows effectively.
Baseline Solution: Hash Table with Partial Signatures
In the i-th period, set S_i is recorded as a hash table A_i maintained in on-chip SRAM. A_i is an array of hash buckets indexed by h(element); each bucket stores an 8-bit partial signature and a 32-bit pointer.
At the end of the i-th period, download A_i to main memory for post-processing.
Output: the intersection of A_1, A_2, ..., A_t.
Since S_i is stored uncompressed, it has a high memory cost of 40 bits per element.
Another Solution: Flajolet-Martin (FM) Sketches
Set S_i is compressed into a continuous variant of FM sketches [ref 5]: an array of buckets Y, where the bucket Y[h(element)] holds a float number (e.g., 0.3) that is exponentially distributed with a rate given by the number of elements hashed to it.
But this is inaccurate: it estimates the ratio |S_1 ∩ S_2 ∩ ... ∩ S_t| / |S_1 ∪ S_2 ∪ ... ∪ S_t|, and when the number of periods t grows this ratio shrinks and becomes harder to estimate accurately.
3rd Solution Based on Union of Bitmaps
In the i-th period, set S_i is stored as a bitmap B in on-chip SRAM: for each element, B[h(element)] := 1 (e.g., B = 0 1 1 0 0 0 1 0).
When the i-th period ends, download B_i to main memory. In main memory there are then t bitmaps B_1, B_2, ..., B_t, which correspond to the sets S_1, S_2, ..., S_t of the t periods.
3rd Solution Based on Union of Bitmaps (cont.)
The inclusion-exclusion rule converts the intersection cardinality into a weighted sum of union cardinalities.
A union cardinality |S_1 ∪ S_2 ∪ ... ∪ S_t| can be estimated from the bitwise OR B_1 ∨ B_2 ∨ ... ∨ B_t.
However, when the number of periods t grows, B_1 ∨ B_2 ∨ ... ∨ B_t becomes too dense.
Our Solution Based on Intersection of Bitmaps
Our solution: use the intersection bitmap B_1 ∧ B_2 ∧ ... ∧ B_t.
Intuition: a persistent element sets the same bit to one in B_1, B_2, ..., B_t, which distinguishes it from transient elements.
[Figure: bitmaps B_1, B_2, B_3 with the bit of one persistent element set in all three and the bits of two transient elements set in only some of them]
Our Solution Based on Intersection of Bitmaps (cont.)
Notations: Z_i is the fraction of bits in B_i that are zeros. Z* is the fraction of zero bits in the bit array B* = B_1 ∧ B_2 ∧ ... ∧ B_t. n* is the number of persistent elements, which is what we estimate.
When t = 2, we give a closed-form estimator. When t = 3, we give a closed-form estimator.
Our Solution Based on Intersection of Bitmaps (cont.)
When t > 3, we propose a numerical method in which the estimate of n* is calculated iteratively.
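The intersection-of-bitmaps estimator of the three slides above, as an added example (editor's code, not the authors'). The slides do not reproduce their closed-form or iterative formulas, so the example derives its own inversion from the stated model: assuming independent uniform hashing into m bits and writing x = exp(-n*/m), the zero fraction of B* satisfies Z* = x − x·∏(1 − Z_i/x); for t = 2 this inverts in closed form, and for any t it is solved here by bisection instead of the authors' unspecified iteration. The blake2b hash and the period sets are constructed for the example.

```python
import hashlib
import math
import random

def bit_index(elem, m):
    # A real hash (not Python's hash()), so neighbouring integers do not land on neighbouring bits.
    return int.from_bytes(hashlib.blake2b(str(elem).encode(), digest_size=8).digest(), "big") % m

def encode_period(elements, m):
    # Online operation for one period: B[h(e)] := 1 for every element e observed.
    bitmap = [0] * m
    for e in elements:
        bitmap[bit_index(e, m)] = 1
    return bitmap

def zero_fraction(bitmap):
    return bitmap.count(0) / len(bitmap)

def intersect(bitmaps):
    # B* = B_1 AND B_2 AND ... AND B_t, evaluated bit by bit.
    return [int(all(col)) for col in zip(*bitmaps)]

def solve_x(z, z_star):
    # Invert Z* = x - x * prod_i (1 - Z_i / x) for x = exp(-n*/m) by bisection:
    # the right-hand side increases with x on [max(Z_i), 1], so this works for any t.
    lo, hi = max(z), 1.0
    for _ in range(100):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if mid - mid * math.prod(1 - zi / mid for zi in z) < z_star else (lo, mid)
    return (lo + hi) / 2

def estimate_persistent(z, z_star, m):
    # n* = -m ln x; for t = 2 the same model inverts in closed form, x = Z_1 Z_2 / (Z_1 + Z_2 - Z*),
    # clamped to 1 (n* = 0) when sampling noise puts Z* above its no-persistent-element value.
    if len(z) == 2:
        x = min(1.0, z[0] * z[1] / (z[0] + z[1] - z_star))
    else:
        x = solve_x(z, z_star)
    return -m * math.log(x)

def simulate(t, n_persistent, n_transient, m, seed=1):
    # Constructed input: t period sets sharing n_persistent elements, each padded with fresh transients.
    rng = random.Random(seed)
    persistent = set(rng.sample(range(10**9), n_persistent))
    periods = [persistent | set(rng.sample(range(10**9, 2 * 10**9), n_transient)) for _ in range(t)]
    bitmaps = [encode_period(s, m) for s in periods]
    z = [zero_fraction(b) for b in bitmaps]
    return n_persistent, estimate_persistent(z, zero_fraction(intersect(bitmaps)), m)
```

Running simulate(t, 2000, 5000, 1 << 16) for t = 2, 3 and 5 returns the true n* beside an estimate within a few percent of it, with less than one bit per element spent per period.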
Next Question: How Big Should the Bitmaps Be?
One size for all: if the bitmap is too big, memory is wasted; if it is too small, elephant flows are estimated inaccurately.
[Figure: flow spread distribution from CAIDA traces, measurement duration = 1 min; number of flows vs. flow spread follows a power-law distribution in the log-log plot]
Virtual Bitmaps: One Physical Bitmap Shared by All Flows
Our design: all flows share a single physical bitmap. Each flow constructs a virtual bitmap by drawing bits pseudo-randomly from the shared physical bitmap.
[Figure: the physical bitmap and the virtual bitmap for a flow x]
Reference: Myungkeun Yoon, Tao Li, Shigang Chen, Jih-kwon Peir, "Fit a Compact Spread Estimator in Small High-Speed Memory," TON, vol. 19, no. 5, 2011.
Advantages
Compactness: with sharing, elephant flows can borrow space from mice flows.
Scalability: able to estimate many more flows simultaneously.
Simple online operation: for each packet (src, dst), set M[i] := 1, where i = H(H(src) mod m) dst) mod u.
Bias of Virtual Bitmaps
Positive bias due to bit sharing: two virtual bitmaps may share the same bits. For one flow, the elements coming from other flows are called noise, and noise causes a positive estimation bias.
[Figure: a physical bitmap in which virtual bitmap 1 and virtual bitmap 2 share a bit that is set to 1]
Consider Multiple Monitoring Periods
[Figure: the physical bitmap in period 1 and in period 2, each with virtual bitmap 1 and virtual bitmap 2 drawn from it; the intersection of the virtual bitmaps of flow 1 across time periods 1, 2, ..., t]
Compensate Positive Bias for Virtual Bitmaps in Multiple Periods
Use t = 2 as an example; the equations for t = 3, 4, ... can be derived similarly.
a) Estimate the number of persistent elements that have been mapped to the virtual bit vector.
b) Estimate the number of persistent elements of all flows in the physical bitmap.
c) Estimate the number of persistent elements that belong to the flow of interest (noise removal).
Simulation Settings
Persistent spread is in the range 0 to 10^4.
Signal-to-noise ratio (SNR) ranges from 1 to 0.4, where SNR = |S_1 ∩ S_2 ∩ ... ∩ S_t| / |S_i − (S_1 ∩ S_2 ∩ ... ∩ S_t)|, i.e., persistent elements over transient elements in a period.
FM sketch and our solution: < 1 bit per element.
Simulation Results
Compared methods: the hash table with partial signatures; the FM sketch method based on |S_1 ∩ S_2 ∩ ... ∩ S_t| / |S_1 ∪ S_2 ∪ ... ∪ S_t|; our intersection-based virtual bitmap method based on B_1 ∧ B_2 ∧ ... ∧ B_t.
Summary of Contributions
Propose a new primitive for network flow monitoring, named the persistent spread estimator, which can detect stealthy network activities over long periods.
Describe a solution that can accurately estimate the persistent spread, whose accuracy improves as the number of time periods t increases.
Provide extensive analysis of the statistical properties of the proposed methods, including estimator bias and variance.
Present a comparative evaluation of 3 algorithms: hash table with partial signatures, FM sketch, and virtual bitmap.
Thanks! Questions?
Presented by: Yan Qiao, Ph.D., University of Florida