Tools, Algorithms & System Implementation for End-user performance monitoring
Dario Rossi
dario.rossi@enst.fr
http://www.enst.fr/~drossi
Agenda
• Tools, algorithms
• System implementation
• End-user performance monitoring
• Two perspectives:
  • Background (all available from my webpage)
  • Foreground (open for collaboration)
Tools, Algorithms
• Classification (C4.5, SVM, ...)
• Regression (ARMA, SVR, ...)
• Statistical analysis (PCA, ANOVA, ...)
• Inference (Apriori, ...)
Applied to:
• Traffic analysis & classification
System implementation
Tstat
• Passive flow-level sniffer, classifier, traffic analyzer
ModelNet-TE
• Packet-level emulator with Traffic Engineering capabilities
Demonstration software
• at Sigcomm, Sigmetrics, Infocom, Globecom
• All available from SOFTWARE and DEMO categories at http://www.enst.fr/~drossi
End-user performance monitoring
• Web
  • Methodology to infer, from TCP traffic, if a Web connection has been interrupted
• P2P-VoIP
  • In-depth black-box study of Skype
• P2P-TV systems
  • Assessment of peer selection strategies
• More at http://www.enst.fr/~drossi/index.php?n=Main.PublicationsByTopic
Example: traffic classification
• Deep Packet Inspection (DPI): specific keyword (e.g., GET, MAIL FROM:)
• Stochastic Packet Inspection (KISS): application syntax; entropy of L7 header, Chi-square test
• Behavior analysis (Abacus): algorithm design; contact "weights" CDF, Bhattacharyya distance
Kiss vs Abacus algorithms
http://www.enst.fr/~drossi/index.php?n=Software.ClassificationDemo
[Figure: normalized χ² (first 14 header bytes) and pdf of packets per sender peer (5 sec intervals) for PPLive, TVAnts and SopCast]
System implementation
[Figure: per-ISP plots (ISP1 … ISP5); legend: HTTP, YouTube, BitTorrent, eMule, Other TCP, BitTorrent UDP, Other UDP]
Interests
• Very high-speed implementation (>10Gbps)
  • Monitoring & classification
• Federation of passive measurement points
  • Increase statistical relevance of measurement
  • Challenging per se
• New measures: Workload for CDN/ICN
• New algorithms: Bufferbloat inference
• New tools: Map-Reduce for traffic analysis
System implementation (1/2)
• Wire-speed classification engines
Submitted to IMC’12
System implementation (2/2)
• Federation of passive measurement points
  • Aim: coalesce RRD data to increase statistical relevance
  • Incentive model: gain access to the aggregated data
• Implementation
  • Star topology: the root R fetches ISP1…ISPn, aggregates them into ISP* and redispatches it
  • Chain: ISP2 aggregates ISP1 and ISP2 and passes the result to ISP3, and so on; the chain ends at R, which adds its own data to ISP* and sends it back
  • P2P: structured vs unstructured? e.g., BitTorrent only to redispatch ISP*?
[Figure: measurement points ISP1, ISP2, … ISPn]
System implementation (3/3)
• Exploitation of (new) active measurement points
  • Compare results between PlanetLab & e.g., Boinc
• Boinc http://boinc.berkeley.edu/
  • Aim: collaborative/volunteer computing
  • Used by: more than 295,000 locations worldwide
  • Incentive to provide PCs: being on the top-100
  • Unexplored for network resources
End-user performance monitoring (1/2)
• Bufferbloat: large buffer size (≥128KB) + narrow bw (≤1Mbps) = queueing delay (≥1 sec)
• Bufferbloat! TCP AIMD fills the buffer! Nasty impact on interactive Web, VoIP, gaming traffic
• Passive accurate method to measure remote peers queue size
• Integration on Dasu (BitTorrent plugin) to crowdsource ISP characterization?
Submitted to IMC’12
End-user performance monitoring (2/2)
• Workload for CDN/ICN
  • Goal: assess the relevance of in-network caching
  • Need: a relevant large-scale workload
• Challenges
  • Cannot use Tier-1 backbone trace
    • current dest. server IP maps to CDN nodes
  • Cannot use DNS
    • Caching => @root malformed > legitimate queries; frequencies avail at stub resolver, but impossible to get contemporary logs from many (>1000) of them
  • Cannot use HTTP
    • Not everything tunneled in HTTP; still, would need payload of Tier-1 backbone, with a large snaplen to get the full URLs
• Solution? In progress (=none so far)
Overview
• Deep Packet Inspection (DPI): specific keyword (e.g., GET, MAIL FROM:)
• Stochastic Packet Inspection (KISS): application syntax
• Behavior analysis (Abacus): algorithm design
KISS: Stochastic packet inspection
Header syntax is fixed, binary alphabet
1) Extract the first N bytes of the payload from a window of W consecutive packets
2) Divide each byte in 2 chunks of 4 bits
3) Collect the frequency distribution Oi of the values assumed by each chunk
4) Compare the distribution to a uniform distribution Ei = /2^4 with a χ²-like test
[Figure: endpoint X with flows Y1 and Y2; chunk labels: counters, C||D = 3 bit, fixed, random, deterministic]
Y1 pkt1 cb d2 ... 02 60
Y1 pkt2 cc d5 ... 02 08
Y2 pkt1 01 da ... 02 65
Y1 pkt3 cd c0 ... 02 d9
Y2 pkt2 02 c1 ... 02 5c
Y2 pkt3 03 dc ... 02 11
Y1 pkt4 ce cb ... 02 28
Y1 pkt5 cf d1 ... 02 8a
Y1 pkt6 d0 ca ... 02 3a
Y2 pkt4 04 c2 ... 02 b7
Measure the randomness of each chunk
KISS signature: [X1, X2, ... X2N] over W pkts
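
The four KISS steps above as an added Python example (not code from the slides or from the authors' tools). The constructed flow, the function names and the choice of W/2^4 as the uniform reference Ei, whose numerator is missing on the slide, are assumptions.

```python
from collections import Counter

CHUNK_BITS = 4                 # step 2: each byte is split into two 4-bit chunks
VALUES = 2 ** CHUNK_BITS       # 16 possible values per chunk


def kiss_signature(payloads, n_bytes):
    """Return the 2*N chi-square-like values for one window of payloads."""
    # Step 1: keep the first N bytes; packets shorter than N bytes are skipped.
    window = [p[:n_bytes] for p in payloads if len(p) >= n_bytes]
    w = len(window)
    if w == 0:
        raise ValueError("no packet carries N payload bytes")
    expected = w / VALUES      # assumption: uniform reference E_i = W / 2^4
    signature = []
    for byte_idx in range(n_bytes):
        for shift in (4, 0):   # high nibble, then low nibble
            # Step 3: observed frequency O_i of each value of this chunk.
            observed = Counter((p[byte_idx] >> shift) & 0xF for p in window)
            # Step 4: chi-square-like distance from the uniform distribution.
            chi2 = sum((observed.get(v, 0) - expected) ** 2 / expected
                       for v in range(VALUES))
            signature.append(chi2)
    return signature


def constructed_flow(w=80):
    """Constructed sample: byte 0 is a packet counter, byte 1 is the constant 0x02."""
    return [bytes([(0xC0 + i) & 0xFF, 0x02]) for i in range(w)]


if __name__ == "__main__":
    for chunk, chi2 in enumerate(kiss_signature(constructed_flow(), n_bytes=2)):
        print(f"chunk {chunk}: chi2 = {chi2:.1f}")
```

With W = 80, a chunk that never changes scores W·(2^4 − 1) = 1200, the counter's high nibble scores 176, and the counter's low nibble scores 0, so it cannot be told apart from a random chunk by this test alone.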
Abacus: Behavioral signatures
Applications implement different activities (signaling, data chunks) and tuning (chunk size)
1) Count the number of packets/bytes received in a fixed time window ΔT
2) Count the number of hosts sending a given number of packets/bytes (exponential binning)
3) Normalize the packet/bytewise counts to gather two probability mass functions
[Figure: example using packets; host X receiving from Y1, Y2, Y3, Y4, Y5; frequency histogram with bins ... 2 4 8 16]
Distribution = [1, 1, 3, 0]
Signature = [0.2, 0.2, 0.6]
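
The three Abacus steps above, packet-wise, as an added Python example (not code from the slides or from the Abacus implementation). The bin edges (0,2], (2,4], (4,8], (8,16], the trace and all names are assumptions, chosen so that the first window reproduces the slide's distribution [1, 1, 3, 0].

```python
from collections import defaultdict


def exp_bin(count, n_bins):
    """Exponential bin index; assumed edges (0,2], (2,4], (4,8], (8,16], ..."""
    k = max(0, (count - 1).bit_length() - 1)
    return min(k, n_bins - 1)          # counts above the last edge go in the last bin


def abacus_signatures(packets, delta_t=5.0, n_bins=4):
    """packets: iterable of (timestamp_s, sender) received by the monitored host X.
    Returns {window_index: (distribution, signature)} for every non-empty window."""
    per_window = defaultdict(lambda: defaultdict(int))
    for ts, sender in packets:
        # Step 1: packets received from each sender in each window of length delta_t.
        per_window[int(ts // delta_t)][sender] += 1
    result = {}
    for win, counts in sorted(per_window.items()):
        dist = [0] * n_bins
        for n in counts.values():
            # Step 2: number of hosts whose packet count falls in each bin.
            dist[exp_bin(n, n_bins)] += 1
        total = sum(dist)               # > 0: only windows with packets exist here
        # Step 3: normalize the host counts into a probability mass function.
        result[win] = (dist, [d / total for d in dist])
    return result


def constructed_trace():
    """Constructed sample: five senders in window 0, two senders in window 1."""
    trace = []
    for sender, n in {"Y1": 1, "Y2": 3, "Y3": 5, "Y4": 6, "Y5": 8}.items():
        trace += [(0.5 * i, sender) for i in range(n)]      # all inside [0, 5)
    trace += [(5.0 + 0.5 * i, "Y1") for i in range(9)] + [(6.0, "Y2")]
    return trace


if __name__ == "__main__":
    for win, (dist, sig) in abacus_signatures(constructed_trace()).items():
        print(win, dist, sig)
```
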
Kiss vs Abacus signatures
[Figure: normalized χ² (first 14 header bytes) and pdf of packets per sender peer (5 sec intervals) for PPLive, TVAnts and SopCast]
Oops! • Sorry, wrong key