Taming Internet Traffic
Some notes on modeling the wild nature of OD flows
Augustin Soule (Univ. Paris VI)
Kavé Salamatian (Univ. Paris VI)
Antonio Nucci (Sprintlabs)
Nina Taft (Intel Berkeley)
What’s next
Definition of the problem
Overview of the approach
Study of the modeling part
Study of the tracking part
Network monitoring (1)
Network state results from
  Traffic demand
    OD matrix
  Capacity offer
    Routing matrix, link capacity, traffic engineering, etc.
Objective of the network operator
  To drive the equilibrium point to the most beneficial
  By managing the capacity offer
Traffic engineering is the art of managing capacity offer
Network monitoring (2)
Monitoring
  Capacity offer
    Pings, failure monitoring, SNMP reports
  Traffic demand?
    Is not observable per se
      At least in real time
    Have to infer it indirectly
      Traffic counts
Network monitoring (3)
Monitoring? Being able to separate
  What is predicted
    Expected, under control, normal, …
  What is unpredicted
    Unexpected, out of range, abnormal, …
Occam's razor view
  Express what is predictable by a short model
  Describe fully what is unpredictable
Interpretation view
  Only what is unpredictable has to be given a sense
  What is predictable gives no information
Architecture of a network monitoring system
Overview of the solution
Model the normal behavior of traffic demand
  At sufficient granularity level
    Relevant granularity for operator?
Compare observation with prediction made by model
Raise an alarm if a divergence is seen
Wow, I just rediscovered Kalman Filter!
What’s a traffic matrix?
Can define variety of matrices
  Select timescale
  Select node granularity: router, prefix, POP, etc.
  Application wise!
[Figure: traffic matrix with origins and destinations City A, City B, City C; example entry 25 Mbps]
Notation: Problem Formulation
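Have linear system: Y = A X
$$\begin{pmatrix} \text{Link}_1 \\ \text{Link}_2 \\ \text{Link}_3 \\ \vdots \\ \text{Link}_L \end{pmatrix} = A \begin{pmatrix} OD_{AB} \\ OD_{AC} \\ OD_{AD} \\ \vdots \end{pmatrix}$$
  Y: from SNMP link counts
  A: routing matrix (entries such as 0, 1, 1/2), from IGP link weights
  X: OD flows
Issue: # links << # OD pairs
  => underconstrained system
  => infinite # of solutions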
OD Traffic Dynamics (1)
OD traffic dynamics (2)
Temporal correlations
  Diurnal, weekly, monthly, etc.
Spatial correlation
  Same origin PoP
  Same destination PoP
Create a dynamic LTI model for OD flows capturing temporal and spatial dependences
  X(t+1) = C*X(t) + W(t)
  W(t) accounts for model imprecision
Traffic Model
State space model:
$$X(t+1) = C\,X(t) + W(t), \qquad W \sim N(0, Q)$$
$$Y(t) = A\,X(t) + V(t), \qquad V \sim N(0, R)$$
How to calibrate C, Q and R?
  EM method
    Find the value of C, Q and R such that the observations are most likely to be observed
    Observations might be OD traffic itself or the link count
      OD traffic is better; sometimes no other choice
    Good initial points are needed. Use OD traffic first, link count next
  Multi-linear method
    X(t+1) is expressed as a multi-linear relation of X(t)
    Leads to a diagonal matrix Q
Raw data
Let's suppose we have gathered over one day the full OD matrix
  Sampled Aggregate NetFlow (Cisco) used on all routers inside Sprint's European network.
    Flow = 5-tuple (@src, @dst, port src, port dst, proto)
    Each flow is sampled every 250th packet.
  Downloaded BGP tables and configuration files from all routers:
    Used to determine egress points within Sprint's AS => yielding the FULL traffic matrix.
  Three weeks of data from August 2003.
Many thanks to Anukool Lakhina for collecting/processing the raw data :)
Inside the model
Impulse response of the filter
  At time t=1, OD 1 is set to 1
  See the propagation of this impulse on all the other OD pairs
  24 h periodicity
  Exponentially decreasing sinusoid
Inside the model
Pole diagram
  Radius: amplitude of the eigenvalue
  Angle: frequency of the eigenvalue
Inside the model
Filtering the eigenvalues
  Filter out the over-learning
    Remove small timescale fluctuations
    Remove fast oscillations
  Keep the white area
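An added example (not from the slides) of reading the pole diagram: for a constructed 2x2 block of C it converts an eigenvalue's radius and angle into a decay time constant and an oscillation period, and checks the impulse response. The hourly sampling interval, the matrix values and the `keep` thresholds standing in for the white area are assumptions.

```python
import cmath
import math

DT_H = 1.0  # assumed sampling interval in hours (not stated on the slides)

def eig2(m):
    """Eigenvalues of a 2x2 real matrix from its characteristic polynomial."""
    (a, b), (c, d) = m
    half_tr, det = (a + d) / 2, a * d - b * c
    root = cmath.sqrt(half_tr ** 2 - det)
    return half_tr + root, half_tr - root

def describe(lam):
    """Pole radius and angle -> (decay time constant, oscillation period) in hours."""
    r, theta = abs(lam), abs(cmath.phase(lam))
    tau = -DT_H / math.log(r) if 0 < r < 1 else math.inf
    period = 2 * math.pi * DT_H / theta if theta > 0 else math.inf
    return tau, period

def impulse(m, steps):
    """First state component after setting it to 1 and iterating X(t+1) = C X(t)."""
    x, out = [1.0, 0.0], []
    for _ in range(steps):
        out.append(x[0])
        x = [m[0][0] * x[0] + m[0][1] * x[1], m[1][0] * x[0] + m[1][1] * x[1]]
    return out

def keep(lam, min_tau_h=6.0, min_period_h=12.0):
    """Hypothetical 'white area': drop fast-decaying and fast-oscillating poles."""
    tau, period = describe(lam)
    return tau >= min_tau_h and period >= min_period_h

# Constructed block of C: radius 0.98, angle 2*pi/24 per hourly step,
# i.e. a slowly decaying sinusoid with a 24 h period.
RADIUS, ANGLE = 0.98, 2 * math.pi / 24
C_BLOCK = [[RADIUS * math.cos(ANGLE), -RADIUS * math.sin(ANGLE)],
           [RADIUS * math.sin(ANGLE), RADIUS * math.cos(ANGLE)]]

if __name__ == "__main__":
    lam = eig2(C_BLOCK)[0]
    print("tau, period (h):", describe(lam), "kept:", keep(lam))
    print("impulse response at 0, 12, 24 h:", impulse(C_BLOCK, 25)[::12])
```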
Kalman filtering
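Filter out what is compatible with the model from what is incompatible
  Do it by comparing what is predicted by the model with what is observed
  Innovation at time t:
  $$Y(t) - \hat{Y}(t) = Y(t) - A\,\hat{X}(t)$$
Innovation process: two steps
  Prediction
  $$\hat{X}(t+1) = C\,\hat{X}(t), \qquad P_{k+1} = C\,P_k\,C^T + Q$$
  Correction
  $$K(t+1) = P_{k+1} A^T \left(A\,P_{k+1} A^T + R\right)^{-1}$$
  $$\hat{X}(t+1) = \hat{X}(t+1) + K(t+1)\left[Y(t+1) - A\,\hat{X}(t+1)\right], \qquad P_{k+1} = (I - K A)\,P_{k+1}$$
  In the correction step, the right-hand sides use the predicted $\hat{X}(t+1)$ and $P_{k+1}$.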
Example of fitting
Monitoring information
Confidence interval can be made on innovation process
  If then something out of prediction has happened
  Raise an alarm!
  Is every change a problem?
Same approach for OD pairs
  Ability to track changes on each OD
  Might be useful for DDoS attack detection and management
)(var2)( tt
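The prediction, innovation and correction steps of the Kalman filtering slide combined with the alarm test from this slide, as an added example that is not the authors' code. The 3-flow, 2-link routing matrix, the values of C, Q and R, the link counts and the two-standard-deviation threshold are constructed assumptions.

```python
import math

def mm(a, b):                      # matrix product
    return [[sum(p * q for p, q in zip(r, c)) for c in zip(*b)] for r in a]

def tr(a):                         # transpose
    return [list(c) for c in zip(*a)]

def add(a, b, s=1.0):              # a + s*b
    return [[p + s * q for p, q in zip(ra, rb)] for ra, rb in zip(a, b)]

def diag(v):
    return [[x if i == j else 0.0 for j in range(len(v))] for i, x in enumerate(v)]

def inv2(m):                       # inverse of a 2x2 matrix (two monitored links)
    (a, b), (c, d) = m
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]

# Constructed model: 3 OD flows over 2 links, so fewer links than OD pairs.
A = [[1.0, 1.0, 0.0],              # link 0 carries OD0 and OD1
     [0.0, 1.0, 1.0]]              # link 1 carries OD1 and OD2
C, Q, R = diag([0.9] * 3), diag([1.0] * 3), diag([1.0] * 2)

def track(link_counts, k=2.0):
    """Return (t, link, innovation) for each innovation beyond k standard deviations."""
    x, P, alarms = [[0.0], [0.0], [0.0]], diag([1.0] * 3), []
    for t, y in enumerate(link_counts):
        x = mm(C, x)                                   # prediction
        P = add(mm(mm(C, P), tr(C)), Q)
        innov = add([[v] for v in y], mm(A, x), -1.0)  # Y(t) - A X^(t)
        S = add(mm(mm(A, P), tr(A)), R)                # innovation covariance
        for i, (e,) in enumerate(innov):
            if abs(e) > k * math.sqrt(S[i][i]):        # assumed alarm threshold
                alarms.append((t, i, round(e, 2)))
        K = mm(mm(P, tr(A)), inv2(S))                  # correction
        x = add(x, mm(K, innov))
        P = mm(add(diag([1.0] * 3), mm(K, A), -1.0), P)
    return alarms

# Constructed link counts (deviation from baseline, Mbps): a small wiggle, then
# a sustained surge of 40 on OD0 from t = 30, visible on link 0 only.
COUNTS = [[0.3 * (-1) ** t + (40.0 if t >= 30 else 0.0), 0.2 * (-1) ** t]
          for t in range(40)]

if __name__ == "__main__":
    for alarm in track(COUNTS):
        print(alarm)
```

The first alarm appears at the step where the surge starts, on the link that carries the affected OD flow; alarms on later steps show the filter still catching up with the new level, which is the situation the recalibration slides address.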
Innovation on the link
Innovation on the OD
Need to recalibrate the model for these OD pairs
Recalibration !
Need to find out the new model!
Several ways
  Do a NetFlow acquisition for all changing OD flows. Mix with previous OD flows. Recalibrate the model
  Use traffic counts for recalibrating the model using EM method with previous model as starting point
  Develop a continuous-time adaptive mechanism
    Use LMS or RMS algorithm
    Use a sliding window
Example of fitting after recalibrations
Innovation After Recalibrations
L2-Norm over time
Contributions
New tracking approach for network monitoring
  Using time and spatial correlation
OD flows model
Able to detect deviations from the model
  Thanks to Kalman filter
Really fast and scalable.
  Whole process in less than 2 minutes for 14 days
Validated using real traces.