|M.Sc Student||Moraney Jalil|
|Subject||Efficient Detection of Flow Anomalies with Limited|
|Department||Department of Computer Science||Supervisor||Professor Dan Raz|
|Full Thesis text|
The real time detection of flow anomalies is a critical part of wide range of management and security applications in many Cloud and NFV systems. Solutions that are based on per-flow records become impossible due to the increasing traffic volumes and the limited available resources such as TCAM entries and fast counters.
In this paper we study a novel dynamic control mechanism that allows detecting flow anomalies using only a limited number of counters. This is important since network traffic monitoring is a critical building block in various management, control and security applications. Starting from the simple observation that it is impossible to guarantee instantaneous detection of flow anomalies with a limited amount of counters, we study the tradeoff between the time required to detect the anomaly and the number of available counters.
We implemented the scheme in an OpenFlow enabled switch, where the logic is implemented in the controller, and demonstrate that it can be used to detect a single flow anomaly within large real traffic volume. To further reduce the detection time, we also implemented the scheme logic inside the switch and used the controller only for configuration. This implementation indeed yields a faster detection and lower monitoring communication overhead while not introducing any significant observable costs at the switch itself.