610 likes | 630 Views
This Ph.D. defense explores the limitations of existing traffic modeling approaches and proposes a rapid method for generating realistic traffic models in a changing network environment. The approach includes structural modeling, rapid model parameterization, understanding heavy-hitter traffic, and traffic inference.
E N D
Rapid generation of structural model from network measurements Kun-chan Lan USC/ISI kclan@isi.edu http://www.isi.edu/~kclan Ph.D Defense
location direction time Traffic is different at any which way you look • Simulation and analysis heavily relies on good traffic model • No “typical” traffic model !! • Traffic changes over time • Traffic is different at different location • Traffic is different in different direction different in time different at location different in direction
heavy-tailed not heavy-tailed BU ITA Problem with existing traffic modeling approaches • Traditional trace-replay time-series-based technique • Do not capture feedback effect in the protocol • Limitation of existing traffic generator • Implicit assumption about the distributions of the traffic (e.g. Pareto for file size distribution) • Existing detailed models are based on traces from a single point • Need to integrate data from multiple points to get a network-wide view of traffic
Thesis statement We can rapidly generate realistic traffic models in a constantly changing distributed network environment like Internet Ph.D Defense
Our approaches • Structural modeling • Rapid model parameterization (RAMP) • Understanding of heavy-hitter traffic • Traffic inference Ph.D Defense
Agenda • Motivation • Pre-Qual • Structural modeling • Problems with existing approaches • Why structural modeling • Case study: RealAudio • Rapid model parameterization (RAMP) • Applications of RAMP • Understanding heavy-hitter flows • Traffic Inference • Conclusion and future work Ph.D Defense
replay Markov ARMIA TES FBM FGN Trace result autocorrelation marginal distribution Traditional traffic modeling • Can reproduce similar time series as the actual traffic, but … • Provide no or little insight about the observed characteristics of measured traffic and its underlying cause • Can not capture the feedback effect in the protocol • Internet protocols present different behavior across a range of time scales. Ph.D Defense
client server > 10sec request 1~10sec response < 1sec request response Multiple levels of feedback effects in Web traffic user HTTP TCP page transmission user think time time user click user click user click end of page
Structural modeling • First proposed by Willinger (1998) • Emphasize on characterizing source-level pattern in which data is sent • Explicitly take into account the hierarchical structure of application and its underlying networking mechanism when modeling the traffic Ph.D Defense
Case study: RealAudio Bursty on-off behavior (off period~1.8 seconds) Flows are synchronized !! Multiple clients listening to the same live music Multi-scale Validation of Structural Models of RealAudio Traffic Kun-chan Lan, John Heidemann, submitted to ACM MSJ
Structural model of RealAudio • User behavior • User arrival • Number of flows per user • Flow data • Packet length • Flow duration • Flow rate • Flow synchronization • Packet data • On period • Off period • Number of packets sent in each on-off period user flow packet Ph.D Defense
model that does take flow synchronization into account model that doesn’t take flow synchronization into account Use multi-scaling plot to debug the model trace Ph.D Defense
Agenda • Motivation • Pre-Qual • Structural modeling • Rapid model parameterization (RAMP) • Applications of RAMP • Understanding heavy-hitter flows • Traffic Inference • Conclusion and future work Ph.D Defense
What is RAMP • A tool to quickly parameterize traffic model from measurement and generate realistic current traffic in simulation • Design principal of RAMP • Based on structural modeling approach • Focus on application-level behavior: invariant to network condition • Consider the hierarchical structure of the application and its underlying networking mechanism • Based on empirical distribution of the traffic • No assumption about traffic properties Ph.D Defense
CDFs Network characteristics • Bottleneck link BW • RTT • Number of nodes ns web model tcpdump trace parameters page arrival object size . . User behavior • Number of users • User arrival • # of page per user • Page arrival • # of object per page • Object arrival • Object size RAMP RApid Model Parameterization Rapid model parameterization from traffic measurements Kun-chan Lan, John Heidemann, TOMACS 2002
user user Page file object Model user behavior • Currently support Web and FTP traffic • Use server-to-client one-way traffic, and infer HTTP request/response info by observing the changes of sequence number of ACK (Smith et al. 2001) • User behavior • User arrival: Poisson • Number of files transmitted per user • Server popularity • File • File arrival • File size • TCP window size • User behavior • User arrival: Poisson • Number of page per user • Server popularity • Page • Page arrival • Number of objects per page • Persistent connection • Request size • Object • Object arrival • Object size • TCP window size FTP Web
Agenda • Motivation • Pre-Qual • Applications of RAMP • Understanding heavy-hitter flows • Traffic Inference • Conclusion and future work A Tool for Rapid Model Parameterization and its applications Kun-chan Lan, John Heidemann. SIGCOMM MOMETOOL 2003
Determine the similarity between networks and generate projected model Causes of the variation in the tail: model body and tail separately Relationship between individual work Pre-Qual Structural modeling RAMP Applications Traffic inference based on similarity of networks Heavy-hitter traffic
Agenda • Motivation • Pre-Qual • Applications of RAMP • Pipelined-RAMP • Generate high speed synthetic traces • Analyze and model malicious traffic • Understanding heavy-hitter flows • Traffic Inference • Conclusion and future work A Tool for Rapid Model Parameterization and its applications Kun-chan Lan, John Heidemann. SIGCOMM MOMETOOL 2003
Near-real-time trace-driven simulation • On-line simulation: useful for real-time network control and traffic prediction • Speed of RAMP: ~5K packets/s (1.7 GHz Pentium IV,1G memory) • To process higher-rate trace (> 5K pkt/s) on-line • Better Hardware • Software change: Incrementally update the output CDFs as each new flow arrives (instead of computing all flows at once) Ph.D Defense
Traffic collection2 Traffic collection3 RAMP2 RAMP3 ns simulation2 ns simulation3 nam visualization2 nam visualization3 Pipeline-RAMP T Traffic collection1 nam visualization1 RAMP1 ns simulation1 • Effect of smaller T • Pros: closer to “real-time” • Cons: • more incomplete flows in each T: misrepresent traffic • Flows start at Tcurrent and end at Tfuture : keep the states of such flows but ignore them in the computation of Tcurrent • Flows start at Tprevious and end at Tcurrent : use previous stored states to compute such flows • More states to keep • Less samples: more prone to noise in the data
Need for high bandwidth network traffic traces • Characteristics of high bandwidth traffic (eg traffic in the core) is different from low bandwidth traffic • Traces from high bandwidth link (OC48, OC 192) are not widely available • Applications of high speed synthetic traffic: study of future router, switch and protocol Generation of High Bandwidth Network Traffic Traces Purushotham Kamath, Kun-chan Lan, John Heidemann, Joseph Bannister and Joe Touch. MASCOTS 2002
Generate high bandwidth traces with RAMP • Challenges • Timestamp: affected by link + router + transportation protocol + application protocol + user behavior • Unique address: more unique address (but not necessarily proportional) • Our approach • Use RAMP to extract application behavior from low bandwidth trace • Application characteristics typically remain unchanged in high speed link • Scale up other factors in the simulation • Scale up the number of nodes: host pair increases as the square root of bit rate (Claffy 2001) • Scale up the link bandwidth • Scale down the user inter-arrival time # of nodes link bandwidth ×n simulation user/application CDF
RAMP as trace-driven analysis tool • What’s the effect of malicious traffic such as DDoS on normal background traffic? • Our approach • Selected metrics: latency of DNS and web mice (delay-sensitive) • Use RAMP as an trace analysis tool • RAMP outputs flow statistics as a by-product during generating the models • Compare characteristics of network traffic during phased affected by malicious traffic with phases when such activity is negligible • Traces: Los Nettos, Internet2 link at USC • Results: average DNS latency can increase as high as 230% and web latency can increase as high as 30% during attack The Effect of Malicious Traffic on the Network Kun-chan Lan, Alefiya Hussain, Debojyoti Dutta. PAM 2003
Agenda • Motivation • Pre-Qual • Applications of RAMP • Understanding heavy-hitter flows • Relationship between different characterizations of heavy-hitter flows • Causes of strong correlation between rate and size • Traffic Inference • Conclusion and future work Ph.D Defense
Heavy-hitter flows • Motivation • Previously several models described dominanttraffic in different ways: size,duration, brustiness. How do they relate? • It’s important to understand heavy-hitter flows for traffic engineering and modeling purpose • Related work • Size: Elephant and mice (Floyd et al) • Duration: Tortoise and dragonfly (Brownlee and Claffy) • Burstiness: Alpha and beta traffic (Sarvotham and Riedi) • Traces collection: Los Nettos, NLANR • Such flows also cause the variation in the tail of distributions for some traffic parameters (e.g. object size) between two networks On the correlations of Internet flows characteristics Kun-chan Lan, John Heidemann, submitted to SIGMETRICS
Our methodology • Study flows in four dimensions: size, duration,rate and burstiness and understand how they are related • Our classification of “heavy-hitter traffic” • Elephant: flow size > XKB • Tortoise: flow duration > Yminutes • Cheetah: flow rate > Z KB/sec • Porcupine: flow burstiness > M KB • Choices of threshold (i.e. X, Y, Z, M) • Randomly-picked values (eg. X=100, Y=15) • Mean + 3 * standard deviation of all flows • The largest 1% percent of all flows Ph.D Defense
Definition of burstiness • Variance burstiness • Divide a flow into bins bi of duration T • Burstiness = standard deviation of all bi • RTT burstiness • Burst size = bytes sent in each RTT • Burstiness = mean(burst size) * RTTavg • Train burstiness • Burstiness = mean(burst rate) * mean (inter-burst) burst burst burst time Inter-burst > t Inter-burst < t
Relationship between heavy-hitters given expect • Long-lived interactive traffic like telnet can become elephant • More than 50% of long-lived flows are DNS traffic • Web traffic accounts for most of cheetah and porcupine traffic Ph.D Defense
80% of tortoises are less than 10KB Tortoises are due to application behavior (DNS+telnet > 60%) instead of big file transfer (FTP~5%) porcupine are strongly correlated with elephants 70% of cheetah are less than 10KB Lots of fast flows are just small bursts of packets Distribution of flow size Distribution of flow duration • 70% of internet flows are less than 10 sec • 95% of cheetah are less than 1 sec • 50% of elephant are longer than 2 min, 20% of them are longer than 15 min • 65% of porcupine are less than 10 sec • Porcupines are due to large file transfer over fast link
Only 5% elephant are burstier than 10MB • 80% of cheetahs are burstier than 10MB • More than 80% of Internet flows and 90% of tortoises have burstiness less than 1MB Distribution of flow burstiness Correlation of size, duration, rate and burstiness (all flows) Ph.D Defense
Zhang et al. showed rate and size of Internet flows are strongly correlated (SIGCOMM 2002) We show that high correlation between flow rate and size can be explained by protocol reasons Flows have similar durations due to transport and application-level protocol mechanisms Highcorrelations between (rate, size) and (size, burstiness) can be explained by similar reasons SYN timeout (3s) Persistent Connection t.o. (15s) TIME_WAIT timeout (120s) Bands (2,3,4) due to different length timeouts. 1 10 1K 100 10K Causes of high correlation between flow rate and size Slope (1) due to similar duration, varying amounts of traffic. 10K rate (bytes/sec) 1K 100 10 1 Ph.D Defense size (bytes)
Agenda • Motivation • Pre-Qual • Applications of RAMP • Understanding heavy-hitter flows • Traffic Inference • Temporal and spatial correlations between user populations • The effect of heavy-hitter flows on the tail • Utilize correlations between user populations for traffic inference • Conclusion and future work Ph.D Defense
Need for traffic inference • Need to integrate data from multiple points to get a network-wide view of traffic • Difficulty in collecting packet-level data at every single router • A OC48 link can generate 100GB data per hour • Indirect measurement • Infer traffic of network A based on measurements taken from network B
Traffic correlations • Examples of traffic correlations • Web caching (Wang ‘99) • Diurnal pattern (Paxson ‘94) • Organization membership (Padmanabhan ’00) • Sharing of common resource (Lan ‘01) • Our approaches • Utilize correlations between user populations for traffic inference to reduce measurement overhead • Challenge • When traffic is correlated: traffic aggregation? similar users? • How traffic is correlated: temporal? spatial? • Which traffic parameters are correlated? On utilizing the correlations between user populations for traffic inference Kun-chan Lan, John Heidemann, submitted to SIGMETRICS
Data from similar networks • Similar networks • Networks with similar user populations • More formal definitions later • Two subnets of ISI • AI division and Networking Division • Users are mainly researchers/GRA • Two subnets of USC • SAL and EEB • Users are mainly students from CS and EE • Number of users in USC is 2.5 times of that of ISI Ph.D Defense
ISI USC Temporal correlation in the same network variation in tail Spatial correlation between “similar” networks stronger correlation between USC subnets => effect of traffic aggregation
Effect of heavy-hitter flows before after # of object per page object size object size flows > 1MB after removing flows > 1MB • Dominant flows: distribution of number of object per page is bi-modal • The difference in the tail is less significant once dominant flows are removed • Mean of data above 99% quantile • before: ISI-a (583KB), ISI-b (2672KB) • after: ISI-a (382KB), ISI-b (479KB)
Reduce the effect of heavy-hitters × 2.5 Larger user population 3 hours 6 hours 12 hours Longer measurement period
Utilize correlations between user populations for traffic inference • Structural modeling approach: model traffic (T) as T=f(N,U,A) • N: number of user • U: user-behavior parameters (eg. user “think” time) • A: application-specific parameters (eg. object size) • Our approaches • Based on initial measurements at t0 confirming the “similarity” between network n1 and n2 • Use future measurements of n2 to predict the traffic in n1 at t1 and t2 • Assuming the correlations between n1 and n2 remains relatively unchanged over time • Approximation of tail behavior
f(Nn1t1,Un1t1,An1t1) f(Nn1t2,Un1t2,An1t2) f(Nn1t0,Un1t0,An1t0) α g() f(Nn2t1,Un2t1,An2t1) f(Nn2t0,Un2t0,An2t0) f(Nn2t2,Un2t2,An2t2) n1 n2 t0 t1 t2 time • Derive N, U and A via RAMP • Test the similarity between An1 and An2 • Derived and g() can be used to predict future traffic of n1 Ph.D Defense
Similarity test • Strictly similar • Normalize the tested distributions first • Test if two distributions are significantly different in mean (Student’s t-Test) , variance (F-Test) and shape (K-S test) • Two distributions are strictly similar if they pass all three tests at 99% confidence level • Similarity function • s=w1m + w2v + w3D • m=|(N1) - (N2)|/|MAX((N1),(N2))| • v=|(N1) - (N2)|/|MAX((N1), (N2))| • : mean, : variance, D: Kolmogorov-Smirnov D value, N1 and N2: data samples Ph.D Defense
Validation.. Case 1: infer n1 (network div.) model using n2 (AI div.) trace example input distribution of object size output of n1 model flow size flow duration
..Validation Case 2: infer n1(network div.) model using n2 (business office) trace example input distribution of object size output of n1 model flow size flow duration
Approximation of tail behavior • Difficult to predict/simulate heavy-tailed workload • Require long simulation time to reach steady state • Our approximation • Model body and tail separately • Approximate the tail behavior with a constant value d • d = bottleneck link BW ×duration of simulation • c: cutoff point between body and tail Cumulative probability fT(x) • fupper:fB(x), x < c • q(c), c < x < d • 1, x > d • flower:fB(x), x < c • 1, x > c q(c) fB(x) c d object size
Effect of tail approximation • Effect of c on simulation: look at q(c) at 99%, 98%, 97%, 96%, 95% • Total BW generated during the entire simulation: • deviation=(BWmodel-BWtrace)/BWtrace • Wavelet scaling plots • Our approximation performs well when q(c) is above 99% • BW deviation: upper bound=3%, lower bound= -7%
Conclusion • Thesis statement • Our goal is to rapidly generate realistic traffic model in a constantly changing distributed network environment like Internet • Our contributions • Use of Structural modeling • RAMP • Understanding heavy-hitter flows • Traffic inference using correlations between user population Structural modeling RAMP Heavy-hitter traffic Traffic inference Ph.D Defense
Future work • Structural models of other important traffic • P2P, DNS, RealAudio etc. • Extend RAMP to a wireless context • Generate realistic mobility model based on traces of access points in a WLAN • Multi-dimensional traffic characterization • Analyze traffic along multiple different dimensions to detect interesting/important traffic cluster • Effect of aggregation on traffic similarity • Does traffic from two different POPs still exhibit “similar” traffic statistics? Ph.D Defense
Comment? Ph.D Defense
Backup slides Ph.D Defense