about-core

05 - Software Defined Monitoring: A new approach to Network Traffic Monitoring

Viktor Pus, Lukas Kekely (CESNET)

Network traffic monitoring has recently settled down in the form of Net-Flow statistics measurement, export, storage and processing. While the main research focus has shifted to the methods of nding interesting/anomalous patterns in the collected data, we foresee considerable changes in the lower layers of the mentioned monitoring chain.
The changes will be driven by three main forces: (1) The expected end of network "ossication" introduced by Software Dened Networking. In SDN, the network architect is allowed to dene a variety of network layers and services with an unprecedented freedom. Current network monitoring devices are not exible enough for this change. (2) Advances in the network throughput. IEEE forecasts that the bandwidth of some services (such as financial transactions) will increase more than hundred times in this decade. Monitoring of the current 100 Gbps and future 400 Gbps and 1 Tbps lines
is a great challenge. (3) Lack of application layer protocol support in the existing monitoring devices. This is more evident with the rise of advanced
security threats, such as low-volume application DDoS attacks, which may
not be visible in traditional TCP/IP ow statistics. We propose a concept of Software Dened Monitoring as a natural complement to SDN. In SDM, the monitoring hardware is tightly coupled with the control software. While the software (which has the advantage of ex-ible programming in common programming languages) performs a detailed application-level monitoring of interesting/suspicious trac, it configures the 1 hardware to perform a high-speed ordinary NetFlow monitoring of the un-interesting bulk trac at the same time. Results of both system parts are then combined and exported in the IPFIX protocol, which allows to export an additional application level information with the ows.
This way, the system throughput is retained (or even improved) and the
output data is augmented by the software applications digging deeper in
the packets and exporting more detailed information in IPFIX. Our work
in progress includes the Virtex-7 FPGA accelerator PCI-Express board with
100 Gbps Ethernet interface, the FPGA rmware and the control software
with the number of advanced analysis modules (HTTP, DNS parsers/thread
detectors etc.).

Download file

Posters