The present invention generally relates to streaming algorithms useful for obtaining summaries efficiently over unaggregated packet streams and for providing unbiased estimators for various characteristics, such as, for example, the amount of traffic that belongs to a specified subpopulation of flows, which are more accurate than prior art algorithms.
Collection and summarization of network traffic data is necessary for many applications including billing, provisioning, anomaly detection, inferring traffic demands, and conjuring packet filters and routing protocols. Traffic includes interleaving packets of multiple flows but the summaries should support queries on statistics of subpopulations of IP flows, such as the amount of traffic that belongs to a particular protocol, originate from a particular AS, or both. These queries are posed after the sketch is produced. Therefore, it is critical to retain sufficient metadata information and provide estimators that facilitate such queries.
IP packet streams are processed in real-time at the routers by systems, such as Cisco's sampled NetFlow (NF) or processed by software tools, such as Gigascope [8]. Two critical resources in the collection of data are the high-speed memory (usually expensive fast SRAM) and CPU power that are used to process the incoming packets. The available memory limits the number of cached flows that can be actively counted. The processing power limits the level of per-packet processing and the fraction of packets that can undergo higher-level processing.
The practice is to obtain periodic summaries (sketches) of traffic by applying a data stream algorithm to the raw packet stream. NF samples packets randomly at a fixed rate. Once a flow is sampled, it is cached, and a counter is created that counts subsequent sampled packets of the same flow. The number of counters is the number of distinct sampled flows. The packet-level sampling that NF performs serves two purposes. First, it addresses the memory constraint by reducing the number of distinct flows that are cached (the bulk of small flows is not sampled). Without sampling, a counter is needed for each distinct flow in the original stream. Second, the sampling reduces the processing power needed for the aggregation, since only sampled packets require the higher-level processing required to determine if they belong to a cached flow.
An algorithm that is able to count more packets than NF using the same number of statistics counters (memory) is sample-and-hold (SH) [13, 12]. With SH, as with NF, packets are sampled at a fixed rate and once a packet from a particular flow is sampled, the flow is cached. The difference is that with SH, once a flow is actively counted, all subsequent packets that belong to the same flow are counted (with NF, only sampled packets are counted). SH sketches are considerably more accurate than NF sketches [13, 12]. A disadvantage of SH over NF, however, is that the summarization module must process every packet in order to determine if it belongs to a cached flow. This additional processing makes it less practical for high volume routers.
NF and SH use a fixed packet sampling rate, as a result, the number of distinct flows that are sampled and therefore the number of statistics counters required is variable. When conditions are stable, the number of distinct flows sampled using a given sampling rate has small variance. Therefore one can manually adjust the sampling rate so that the number of counters does not exceed the memory limit and most counters are utilized [12]. Anomalies such as DDoS attacks, however, can greatly affect the number of distinct flows. A fixed-sampling-rate scheme can not react to such anomalies as its memory requirement would exceed the available memory. Therefore, anomalies would cause disruption of measurement or affect router performance. These issues are addressed by adaptive variants that include adaptive sampled NetFlow (
Statistical summaries of IP traffic are at the heart of network operation and are used to recover information on arbitrary subpopulations of flows. It is, therefore. of great importance to collect the most accurate and informative summaries given the router's resource constraints. IP packet streams consist of multiple interleaving IP flows. While queries are posed over the set of flows, the summarization algorithm is applied to the stream of packets. Aggregation of traffic into flows before summarization is often infeasible and, therefore, the summary has to be produced over the unaggregated stream. Cisco's sampled NetFlow, based on aggregating a sampled packet stream into flows, is the most widely deployed such system.
Two sources of inefficiency have been observed in the prior art methods. First, a single parameter (the sampling rate) is used to control utilization of both memory and processing/access speed, which means that it has to be set according to the bottleneck resource. Second, the unbiased estimators are applicable to summaries that in effect are collected through uneven use of resources during the measurement period (information from the earlier part of the measurement period is either not collected at all and fewer counter are utilized or discarded when performing a sampling rate adaptation).
The present invention provides algorithms that collect more informative summaries through an even and more efficient use of available resources. The heart of this approach is a novel derivation of efficiently-computable unbiased estimators that use these more informative counts. It has now been analytically proven that these estimators are superior (have at most the same variance on all packet streams and subpopulations) to prior art approaches. Simulations on Pareto distributions and IP flow data show that the summaries of the present invention provide significantly more accurate estimates. The implementation designs of the present invention can be efficiently deployed at routers.
In one embodiment, the present invention provides a method of obtaining a sketch of an unaggregated packet stream. The method comprises aggregating packets sampled at a sampling rate from a packet stream into flows associated therewith, counting the aggregated packets associated with each flow, and adjusting the sampling rate based on quantity of flows, by implementation of (a) Adaptive Sampled NetFlow (
In one embodiment, the method of the invention can further comprise decreasing the sampling rate in response to i) a quantity of cached flows being equal to a maximum quantity of cached flows, and ii) a sampled packet not being associated with a cached flow, using three tunable parameters μ, pstart and pbase, wherein 0<μ<1, pbase≦1 and pstart≦pbase and sampling rates are of the form (pstart/pbase) μ′ where t is a nonnegative integer. Further, the method can comprise calculating the adjusted weight using: AA
In one embodiment, the method of the present invention can further comprise sampling all packets at a fixed rate pbase to obtain a pbase-sampled stream to reduce the packet stream before implementation of Adaptive Sample-and-Hold.
In another embodiment, the present invention provides a method of obtaining a sketch of an unaggregated packet stream comprising aggregating packets sampled at a sampling rate from a packet stream into flows associated therewith, counting the aggregated packets associated with each flow, and adjusting the sampling rate based on quantity of flows, by implementation of: (a) Adaptive Sampled NetFlow (
In another embodiment, the present invention provides a method of calculating an estimate of a quantity of flows of size i in a packet stream comprising aggregating sampled packets of a packet stream into flows and counting quantity of packets in each flow by implementation of Sample-and-Hold (SH) and calculating the estimate Ĉi of the quantity of flows of size i in the packet stream using:
Ĉ
i
=O
i
/p−O
i+1(1−p)/p,
for i>0, Oi being a random variable representing at least one flow that has i counted packets, i being quantity of counted packets, and p being a fixed sampling rate.
In an additional embodiment, the present invention provides a method of calculating an estimate of a quantity of flows of size i in a packet stream comprising aggregating sampled packets of a packet stream into flows and counting quantity of packets in each flow by implementation of Adaptive Sample-and-Hold (
for i>0, Oi being a random variable representing at least one flow that has i counted packets, i being quantity of counted packets, n(F) being the total number of counted packets for all flows combined, w(F) being the total number of packets in the stream, k being the maximum number of cached flows.
In one embodiment, Oi is a random variable representing at least one flow that is member of a subpopulation of flows. The subpopulation of the at least one flow can be associated with at least one of a protocol, an application, and a source.
A system and computer-readable medium in accordance with the present invention, which incorporate at least some of the preferred features, is intended to be within the scope of the present invention. The system may be implemented using at least one of a microprocessor, a microcontroller, programmable logic, and/or an application specific integrated circuit (ASIC) with or without software and/or firmware. The computer-readable medium may include a compact disc (CD), digital video disc (DVD), and/or tape, which include instructions that when executed by at least one computing device performs the methods in accordance with the present invention.
Other objects and features of the present invention will become apparent from the following detailed description considered in conjunction with the accompanying drawings. It is to be understood, however, that the drawings are designed as an illustration only and not as a definition of the limits of the invention.
In one embodiment, the present invention includes sketching algorithms for packet streams that obtain considerably more accurate statistics than existing approaches. The sketches can be used for many types of queries, such as, subpopulation-size queries (number of packets of a subpopulation), and bytes and flow size distribution. Available resources are used in a balanced and load-sensitive way to collect more information from the packet sample. In a further embodiment, the present invention includes unbiased estimators that use the additional information. The algorithms of the present invention are robust to anomalies and changes in traffic patterns, and gracefully degrade performance when there is a decrease in available resources. They are supported by rigorous analysis.
Step counts for NF and SH. NF, SH, and their adaptive variants do not equally utilize available resources through the measurement period: The number of cached flows increases through the measurement period and reaches its maximum only at the end. The adaptive
Step-counting NetFlow (
Hybrids of NF and SH. There are multiple resource constraints for gathering statistics. At the router, the memory size that determines the number of statistics counters and the CPU processing (or size of specialized hardware) that determines the fraction of packets that can be examined against the flow cache. Other constraints are the available bandwidth and storage to transmit and store the final sketch. Previous schemes, however, use a single parameter (sampling rate) with these multiple constraints: NF (and
Subpopulation weight estimators. (Section 4) The sketches of the present invention have the form of a subset of the flows along with the flow attributes and an adjusted weight associated with each flow. Adjusted weights have the property that for each flow, the expectation is equal to its actual size. (Adjusted weights of flows not included in the sketch are defined to be zero). Therefore, an unbiased estimate for the size of a subpopulation of flows is obtained by summing the adjusted weights of flows in the sketch that belong to this subpopulation. The per-flow unbiasedness property is highly desirable as accuracy increases when aggregating over larger subpopulations and when combining estimates obtained from sketches of different time periods. The invention provides the calculation and analysis of unbiased adjusted weights.
The derivation of adjusted weights for NF, which applies fixed-rate sampling, is standard: a simple scaling of the counts by the inverse sampling rate. The present invention provides adjusted weights assignments for
The quality of the adjusted weight assignment depends on the distribution over subsets of flows that are included in the sketch, the information collected by the algorithm for these flows, and the procedure used to calculate these weights. The distribution of the subsets of flows included in the sketch produced by each of the algorithms NF, SH, hybrids, and variants, is that of drawing a weighted sample without replacement (WS) from the full set of aggregated flows. Therefore, the difference in the quality of the sketches stems only from the variance of the adjusted weights assigned. More informative counts are beneficial only if they correspond to adjusted weights with lower variance. In this specification, the variance of the adjusted weight assignment is analyzed and a strong relation between the different methods that holds for any packet stream and any flow or subpopulation of flows is established: The
FSD and other subpopulation properties. (Sections 5 and 6) There are multiple aggregates of interest over subpopulations and it is important that the same summaries can support queries for these aggregates. In this specification, unbiased estimators for important classes of aggregates are derived. Flow Size Distribution (FSD) estimators, that provide unbiased estimates on the number of distinct flows of certain range of sizes in a subpopulation are derived in Section 5. Estimators for other properties such as total bytes or total number of AS hops to destination are derived in Section 6. For a cleaner exposition, lengthy or technical proofs are deferred to Section 9.
Implementation. The implementation design piggybacks on several existing ingredients. The basis is the flow counting mechanism that Cisco's NF deploys. (Proposed improved implementation such as [18, 11] can also be integrated.) A router implementation of adaptive sampling rate for
Discretized sampling rates. (Section 7) The pure adaptive models perform a rate adaptation each time a flow is “evicted” from the cache. Rate adaptations, however, are intensive operations [11, 16]. The present invention provides a “router friendly” variant of the pure model with discretized sampling rates. This design drastically reduces the number of rate adaptations and also simplifies their implementation. As in [11], discretization allows efficient rate adaptations. The discretized model, however, differs mathematically from the pure sampling schemes. In this specification, it is shown how to apply the estimators derived for the pure schemes to the discretized schemes. More importantly, it is shown that these estimators are also unbiased and retain other key properties of the estimators for the pure model. Furthermore, the particular discretization used was critical for the unbiasedness arguments to hold.
Performance study. (Section 8) In this specification, the performance of these methods on IP flows data collected by unsampled NF running on a gateway router and on synthetic data obtained using Pareto distribution with different parameter values is evaluated. On the IP data, subpopulations of flows that belong to specified applications are considered; and on the synthetic data, prefixes and suffixes of the flow size distribution are considered. The step-counting
An orthogonal summarization problem is summarizing aggregated data [14]. For example, using k-mins or bottom-k sketches [1, 4, 7, 5, 10]. Estimators developed for these summaries utilize the weight of each item, which is not readily available in an unaggregated setup. Direct application requires pre-aggregation, that is, obtaining an exact packet count for each flow as when running unsampled NF. This is infeasible in high volume routers as it requires processing of every packet and storing an active counter for every flow. These methods can be used, however, to trim the size of a sketch obtained using any method that obtains unbiased adjusted weights (including NF, SH, and their variants), when trimming is needed in order to address transmission bandwidth or storage constraints.
An extension of ASH that does not discard counts when a rate adaptation is performed was considered in [12] finding “elephant flows.” While this extension attempts to provide similar benefit to step-counting, it is not adequate for estimating subpopulation sizes. The unadjusted count itself is indeed a better estimator than the reduced count for each individual flow, but this estimator is inherently biased. The bias depends on where in the measurement period the packets occurred, and an unbiased estimator can not be constructed from the counts collected. The relative bias is very large on smaller flows (of the order of the inverse sampling-rate) and if used to estimate subpopulation sizes for such flows, a large relative error on such subpopulations (even is the subpopulation size is large) can be obtained.
Kumar et al [17] proposed a streaming algorithm for IP traffic that produces sketches that allow us to estimate the flow size distribution (FSD) of subpopulations. Their design executes two modules concurrently. The first is a sampled NetFlow module that collects flow statistics, along with full flow labels, over sampled packets. The second is a streaming module that is applied to the full packet stream and uses an array of counters, accessed by hashing. Estimating the flow size distribution is a more general problem than estimating the size of a subpopulation, and therefore this approach can be used to estimate the subpopulations sizes. To be accurate, however, the number of counters in the streaming module should be roughly the same as the number of flows and therefore the size of fast memory (SRAM) should be proportional to the number of distinct flows.
In some cases, protocol-level information such as testing for the TCP syn flag [9] on sampled packets and using TCP sequence numbers [19] can be used to obtain better estimates of the size of the flow from sampled packets. These methods can significantly increase the accuracy of estimating the flow size distribution of TCP flows from packet samples, but are not as critical for subpopulation size estimates for subpopulations with multiple flows. In some embodiments, these methods can be integrated with the sketches of the present invention.
The present invention provides the underlying mathematical models of different flow sampling schemes. These models are used in the analysis and are mimicked by the “router friendly” implementations. The sampling schemes are data stream algorithms that are applied to a stream of packets.
Sampled NF performs fixed-rate packet sampling. Packets are sampled independently at a rate p and sampled packets are aggregated into flows. All flows with at least one sampled packet are cached and there is an active counter for each flow. The sketch includes all flows that are cached in the end of the measurement period.
SH, like NF, samples packets at a fixed rate p and maintains a cache of all flows that have at least one sampled packet. SH, however, processes all packets and not only sampled packets. If a processed packet belongs to a cached flow, it is counted.
The analysis is facilitated through a rank-based view of the sample space: Each point in the sample space is a rank assignment, where each packet is assigned a rank value that is independently drawn from U [0,1]. The actions of each of the sampling algorithms that are considered are defined by the rank assignment. Implementations do not track per-packet random rank values or even draw rank values. They maintain just enough “partial” information on the rank assignment to maintain a flow cache and counts that are consistent with the rank-based view.
For each flow fεF and position in the packet stream, the current rank value r(f) is defined to be the smallest rank assigned to a packet of the flow that occurred before the current position in the packet stream.
An NF sketch with sampling rate p is equivalent to obtaining a rank assignment and counting all packets that have rank value<p. The set of actively counted flows at a given time is {fεF|r(f)<p}.
An SH sketch with sampling rate p is equivalent to obtaining a rank assignment and counting all packets such that the current rank of the flow (including the current packet) at the time the packet is processed is smaller than p.
The adaptive algorithms
It is sometimes necessary to set a limit pstart<1 on the initial sampling rate. In this case, the current sampling rate is defined to be pstart if there are fewer than (k+1) distinct flows and otherwise is the minimum of pstart and the (k+1)st smallest rank among r(f) (fεF).
The sampling rate is determined by the rank assignment, the prefix of processed packets, and pstart (it does not depend on the sampling scheme). The effective sampling rate is defined as the value of the sampling rate at the end of the measurement period.
The set of cached flows at a given time (by either
The sketch includes the set of cached flows and their counts at the end of the measurement period.
A decrease of the current sampling rate is referred to as rate adaptation. The adaptive algorithms [13, 11] implement rate adaptation by decreasing the more informative flow counts that corresponded to the higher sampling rate. The step-counting algorithms,
Using the rank-based view,
Hybrid sketching algorithms use a base sampling rate parameter pbase, which controls the fraction of packets that are processed by the algorithm. The initial sampling rate is pstart≦pbase. A hybrid algorithm samples all packets independently at a fixed rate pbase and then applies a respective basic algorithm (SH,
The rank-based view of the hybrid algorithms is as follows. Hybrid-
An equivalent rank-based view of the hybrid algorithms discards all packets with rank value above pbase, scales the rank values of the remaining packets and pstart by p−1base, and applies the respective basic algorithm.
The following table shows the expected number of packets that are counted and processed for the example 100-packet flows in
The information collected by the algorithms is used to compute adjusted weights that are associated with each flow that is included in the sketch (flows that are not in the sketch have an adjusted weight of zero).
The notation AL(f) is used, where LεC{
Clearly, a correct adjusted weight for NF counts for a flow f with count i(f) is ApNF(f)=i(f)/p (the number of counted packets divided by the sampling rate p). The derivation of the adjusted weight assignments for the adaptive algorithms is more subtle and based on partitioning the sample space as in [4, 5, 10]. This partitioning allows application of the adjusted weights expressions that are applicable to the corresponding fixed-rate variants.
It has been found that there is a unique deterministic assignment of adjusted weights for each of the algorithms considered. Since deterministic assignment has smaller variance than any randomized one, it is preferable.
Lemma 4.1. Let i(f) be the packet count collected for a flow f by
Lemma 4.2. Let i(f) be the number of counted packets for a flow f with SH. The assignment ApSH(f)=i(f)+(1−p)/p if i(f)>0 (the flow is sampled) are correct adjusted weights.
In order for the assignment to be unbiased for 1-packet flows, pAp(1)+(1−p)Ap(0)=1. Substituting Ap(0), yields Ap(1)=1/p.
To be correct for n-packet items,
These are solved for n=2, 3, 4 . . . to obtain that Ap(n)=(1+(n−1)p/p=(1−p)/p+n for n≧1.
This assignment can also be derived by applying the Horvitz-Thompson estimator to each packet. For each packet, the partition of the sample space to two parts is looked at, one where a previous packet is sampled, and the other where a previous packet is not sampled. The adjusted weight assigned to a packet is unbiased on each part: if a previous packet is sampled, the probability that a packet is counted is 1 and its adjusted weight is 1. If no previous packet is sampled, then the probability that the packet is sampled is p and the Horvitz-Thompson adjusted weight is 1/p. The adjusted weight of the flow is the sum of the adjusted weights of sampled packets. This assignment can be interpreted as the first sampled packet of the flow representing 1/p unseen packets whereas subsequent counted packets of the flow represent only themselves.
Lemma 4.3. Consider
The information collected using
ApSNF(i(f))≡Ap
for the adjusted weight assigned by
Adjusted weights are computed after the counting period is terminated. After they are computed, the count vectors can be discarded. Therefore,
Theorem 4.4. The adjusted weight ApSNF(n) for
The adjusted weights for
A
p
,p
, . . . ,p
(0, . . . , 0, ij, ij+1, . . . , ir)=Ap
and therefore does not depend on the current sampling rate in the duration before the final contiguous period where the flow is actively counted. This means that it is sufficient to record the steps of the current sampling rate. Eq. (1) is an instance of the following generalization that states that the adjusted weight assignment does not depend on the values of the current sampling rate in durations when there are no counted packets.
Lemma 4.5. Consider a correct assignment of adjusted weight Ap(n). For an observed count i and p, let 1≦j1<j2< . . . <jr′=r be the coordinates such that ijk>0 or ijk=r (that is, r is included also if ir=0).
A
p
,p
, . . . ,p
(0, . . . , 0, ij
The lemma allows statement of the adjusted weight of a flow in terms of an equivalent flow where the number of steps is equal to the number of steps where the original flow had a nonzero count. It also allows the assumption, without loss of generality in the analysis, that all steps except possibly the last step have positive counts.
Let r be the number of steps and p1> . . . >pr the corresponding sampling rates. For a flow f, let n=(n1, . . . , nr) be the number of packets of f in each step and let i=(i1, . . . , ir) be the number of counted packets in each step. The probability that a flow with n packets has a count of i is denoted by q[i|n].
Expressions for the adjusted weights for
The values ci,j(p,n) (1≦i≦j≦r) are defined as follows (the parameters (p,n) are omitted when clear from context, and it is assumed that n1>0 w.l.o.g.):
1≦j≦r: c1,j=(1−pj)
2≦j≦r: c2,j=(1−pj)n
3≦i≦j≦r: ci,j=(1−pj)n
The following two lemmas are immediate from the definitions.
Lemma 4.6. •For 1≦j≦r, c1,j is the probability that the rank of the first packet of the flow is at least pj.
For 2≦i≦j≦r, c1,j(p,n) is the probability that the flow n is fully counted by
Lemma 4.7 The computation of the partial sums
. . . , r can be performed in O(r2) operations.
By lemma 4.6, ci,i(iε{1, . . . , r}) is the probability that the
The following theorem expresses the adjusted weight AS
The proof is provided in Section 9.1.
Theorem 4.8
Lemma 4.9. The adjusted weight AS
Unbiased adjusted weights for hybrid-
di,j(p,n) (2≦i≦j≦r) is defined as follows.
For (2≦i≦j≦r), di,j(p, n) is the probability that all packets of the flow n have rank values below the sampling rate at packet arrival time, that the flow is fully counted by
The probability that all packets are counted by
Theorem 4.10.
The proof of the Theorem is provided in Section 9.3.
The partial sums
r can be computed in O(r2) operations, and therefore, using Theorem 4.10 the adjusted weight AS
Theorem 4.4 is an immediate corollary of the above (for
The rank-based view shows that the distribution over subsets of flows included in the sketch is the same for
This distribution is equivalent to weighted sampling without replacement of k flows (
Since these algorithms (see Table 1) share the same distribution, the difference in estimate accuracy stems from the adjusted weight assignment. The quality of the assignment depends on the information the algorithm gathers and the method applied to derive the adjusted weights. When the adjusted weights have smaller variance, the estimates obtained are more accurate. The relation of estimate quality between the different estimators/algorithms has been explored.
An important property of the algorithms considered is zero covariances:
Lemma 4.11. Consider Lε{
(The proof is provided in Section 9.4.)
The zero covariance property is trivial for fixed-rate sampling (NF or SH), since each flow is selected independently. With the adaptive algorithms, however, the adjusted weights are not independent since inclusion of one flow makes it less likely for the other flow to be included. For
The zero covariance property of the random variables AL(f) (fεF) implies that:
Corollary 4.12. For any J⊂F and Lε{
Therefore, to show that an adjusted weight assignment has lower variance than another on all subpopulations, it suffices to show lower variance on all individual flows.
An algorithm dominates another, in terms of the information it collects on each sketched flow, if its output can be used to emulate an output of the second algorithm. It is not hard to see that
Theorem 4.13. For any packet stream and any flow f, the following relation between the variance of the adjusted weight assignments for f holds.
The proof is provided in Sections 9.2 and 9.3. The relation also holds to the fixed-rate variants of the algorithms (when the sampling rate or rate steps are fixed).
A variance relation also holds for the hybrids: the variance is non-increasing with the packet-processing rate pbase.
4.7 Estimators with Negative Covariances
The adjusted weights assignments ApL(n) were a function of the observed counts of the flow and the “sampling rate” (or sampling rate steps). Estimators that utilize different information are considered: the counts collected for other flows in the sketch and the total packet count of the stream.
The selectivity of a packet is 1/w(F), selectivity of a flow is ρ(f)=w(f)/w(F), and the selectivity of a subpopulation J is ρ(j)=w(J)/w(F). When the total weight w(F) is known, subpopulation weight and selectivity queries are equivalent: An estimator for subpopulation weight is obtained by multiplying the subpopulation selectivity estimator with w(F) and vice versa, by dividing the adjusted weight estimator with w(F).
Adjusted selectivities, RL( ) are unbiased estimators for selectivity. Adjusted selectivity estimators are derived for the adaptive algorithms that are based on the observed counts of all flows but do not depend on w(F). Adjusted weight assignments A+L( ) are derived for the adaptive algorithms that depend on w(F), and the observed counts of all flows.
Estimators for
if the packet v is counted and 0 otherwise.
if the packet v is counted and 0 otherwise.
if v is the first-counted packet of a flow.
Adjusted weight assignments can be incomparable. An assignment A1(f) is considered to be at least as good as A2(f) if A1( ) has at most the variance of A2( ) on any subpopulation. A sufficient condition is that for all fεF, VAR(A1(f))≦VAR(A2(f)) and for all f1≠f2, COV(A1(f1), A1(f2))≦COV(A2(f1), A2(f2)).
The adjusted weights assignments A+L(f) are such that
These properties imply that A+L(f) is better than AL(f) (at least as good on any subpopulation and better on some subpopulations). A case for these properties was made in [4, 5] for aggregated data, where there is a similar use of the total weight of the dataset to derive tighter estimators with negative covariances between subsets and zero sum of variances. These properties are also motivated by an interesting relation that shows that the variance of an “average” subset is a linear combination of the variance of the sum and the sum of variances [21].
These properties can not be obtained for fixed-rate sampling algorithms such as NF and SH: Since there is positive probability of an empty sample, it is not possible to have (unbiased) adjusted weights such that A+L(F)≡w(F). The relation A+L(F)≡w(F) is immediate from the definitions and the variance relations are established in Section 9.6.
A flow attribute that is lost when there is no pre-aggregation is the size of the flow (exact number of packets or bytes). This could be an important attribute for some aggregations, for example, to trace the origin of port scanning or worm activity one may want to aggregate over all flows that originate from a certain AS and have at most 10 packets. One also may want to estimate the number of flows in a subpopulation that are within a certain range of sizes.
FSD estimation is facilitated by assigning adjusted FSD estimators αiL( ) (i≧1) such that for any flow f, E(α|f|L(f))=1 and for i≠|f|, E(αiL(f))=0. Similarly to adjusted weights, αiL( )=0 for flows that are not included in the sketch. An unbiased estimator of the number of flows of size i in a subpopulation J is ΣfεJαiL(f). By summing the estimators αiL over a desired range of values iεR, unbiased estimates for the number of flows in this range in the subpopulation are obtained.
An important special case is the total number of flows in a subpopulation, which can be estimated using adjusted counts #L( ) (for any flow f, E(#L(f))=1). Adjusted counts from adjusted FSD estimators can be obtained using #L(p, n)=Σi>1 αiL(p, n).
Lε{NF,
For i≧1, the expectation of Oi is piCi+i(1−p)pi+1Ci+1+ . . . =Σj≧i(ij)pi(1−p)j−iCj. Therefore, the inverse of the matrix with entries (ij)pi(1−p)j−i, expresses each Cj as a linear combination of E(Oi)'s, and provides unbiased estimators [15, 9]. The entries of this inverted matrix are the FSD estimators αjL(p, i). The resulting estimators, however, are not well behaved [9]. Better estimators that use the TCP syn flag were proposed in [9].
Lε{SH,
Lemma 5.1. Ĉi=Oi/p−Oi+1(1−p)/p is an unbiased estimate of the number of flows of size i.
C
i
p+C
i+1(1−p)p+Ci+2(1−p)2p+ . . . =Σj≧iCj(1−p)j−1p
Therefore, the expectation of Oi/p−Oi+1(1−p)/p is Ci.
The respective nonzero coefficients are
αjL(p, j)=1/p and αjL(p, j+1)=−(1−p)/p for j≧1.
The estimator for the total number of flows is O1/p+Σi>1Oi, which corresponds to the adjusted counts #A
For
The respective nonzero FSD estimators are
The resulting estimator for adjusted count is
and 1 otherwise.
Lemma 5.2. Let n be the observed count and p=(p1, . . . , pr) the corresponding sampling rate steps. Assume WLOG that nl>0 for l≦l<r. The following are correct adjusted FSD estimators αiSSH(p, n) (i≧1). Only the nonzero values are stated.
The proof is deferred to Section 9.5.
Using the relation #SSH(p, n)=Σi≧1αiSSH(p, n) and Eq. (3), the following adjusted counts are obtained:
Corollary 5.3.•If |n|=1, #S
If nr≧1 and |n|>1, #S
If nr=0, |n|>1, let l<r be the last step with a positive packet count.
(If all steps but the last have nonzero counts, then #S
Expressions for adjusted counts can be derived directly through the methods developed for adjusted weight derivation (see Section 9). As is the case for adjusted weights, there is a unique adjusted counts function #L(p, n). For Lε{NF,
Adjusted FSD estimators are computed based on the step-counts and therefore to facilitate FSD estimation, they need to be computed before the step-counts are discarded.
Hybrid algorithms The existing FSD estimators for NF sketches [15, 9] and
For hybrid-
Lemma 5.4. The resulting estimates Ĉ′i (i≧1) are unbiased estimates of the number of flows of size i in the original stream.
The sketches support estimators for aggregates of other numeric flow properties over a queried subpopulation. Flow-level and packet-level properties are distinguished.
A numeric property h(f) of the flow f is classified as flow level if it can be extracted from any packet of the flow and some external data (therefore, h(f) for all the flows that are included in the sketch is known). Examples are the number of hops to the destination AS, unity (flow count), and flow identifiers (source or destination IP address and port, protocol). Flow-level properties can be aggregated per-packet or per-flow.
Per-packet aggregation. For a subpopulation J⊂F, the per-packet sum of h( ) over J is ΣfεJw(f)h(f).
The per-packet average is
If h(f) is the number of AS hops traveled by the flow f then the per-packet sum is the total number of AS hops traveled by packets in the subpopulation J and the per-packet average is the average number of hops traveled by a packet in J. If h(f) is unity, the per packet sum is the weight of the subpopulation. It is not hard to see that for a sketch with unbiased adjusted weights, ΣfεJA(f)h(f) is an unbiased estimator of the per-packet sum of h( ) over J. (A (possibly biased) estimator for the per-packet average is
Per-flow aggregation. The per-flow sum of h( ) over J is ΣfεJh(f). The per-low average of h( ) over J is ΣfεJh(f)/|J|. If h(f)≡1, the per-flow sum is the number of distinct flows in a subpopulation. If h(f) is the number of AS hops then the per-flow average is the average “length” of a flow in J.
The generic estimator for per-flow sums is based on adjusted counts. For each fεF, E(#(f)h(f))=h(f), therefore
is an unbiased estimator of the per-flow sum of h( ) over J.
Packet-level properties have numeric h( )-values that are associated with each packet. For a flow f the h( )-value of f is defined as h(f)=Σcεfh(c). If h(c) is the number of bytes in the packet c then h(f) is the number of bytes in the flow. If h(c) is unity, then h(f)=w(f) is the number of packets of the flow, h(f) is available only if all packets of f are processed and therefore is not provided for flows included in NF and SH variants sketches.
The algorithms are adapted to collect information needed to facilitate unbiased estimators. For any desired packet-level property h( ), adjusted h( )-values HpL(f) are produced. For any f, H(f) is an unbiased estimator of h(f) and H(f)=0 for flows that are not included in the sketch. For any subpopulation J, ΣfεJH(f)=ΣfεJ∩SH(f) is an unbiased estimator for ΣfεJh(f).
n(h)(f)←n(h)(f)n′(f)/n(f).
The updated n(h)(f) is the expectation of the updated h( ) count that would have been obtained if N and per-packet h( ) values were explicitly maintained and sampled from N a subset of size n′(f). (All subsets of N(f) that are of the same size have the same probability of being in the resample, regardless of the packet position or its h( ) value.)
This consideration extends to a sequence of rate adaptations: The final n(h) (f) has the expectation of the h( ) count over all resamples that resulted in the same sequence of packet count reductions. Interestingly, done this way, a lower variance estimator is obtained than if per-packet h( ) values for N(f) had been maintained and used, as the h( ) count used is the expectation of the latter in each part of a partition of the sample space.
where N(f) is the set of counted packets of f and c0(f)εN(f) is the first counted packet of f. To facilitate this estimator, the algorithm needs to record the h( ) value of the first packet and the sum of h( ) values of all subsequent packets. For
Byte counts can be estimated using a sketch built to estimate packet counts, but if byte counts are the main application, then SH variants can be adapted to estimate bytes directly instead of packets: The count values are applied to bytes and are captured as follows. If a packet belongs to a cached flow, the number of bytes is added to the active counter. Otherwise, the geometric distribution is used to determine what part of a packet (if at all) should be counted. For a continuous variant of this process, the exponential distribution can be used.
In one embodiment, the present invention provides an alternative to the pure models that addresses important practical implementation issues. The first is the number of rate adaptations performed. The second is the implementation of each rate adaptation, namely, the tracking of flow ranks that determines which flows are evicted and how counts are adjusted. It has been established that the discretized version preserves important properties of the pure model that allow for unbiased estimation and for other properties of the variance of the adjusted weights to carry over.
The discretized algorithm uses three tunable parameters that can be set by the router manufacturer. The first is pbase≦1 that determines the fraction of packets that are processed. The second is pstart≦pbase that determines the initial sampling rate. The third parameter is 0<μ<1 which controls the discretization of the sampling rates.
The number of rate-adaptations is a performance factor for all adaptive algorithms. Executing each adaptation is an intensive operation and therefore it is desirable to both limit the number of rate-adaptations and to carefully implement them [11]. For the step-counting algorithms, the number of rate adaptations also affects the size of intermediate storage and the computation of the adjusted weights (which depend on the number of rate-steps in which an actively-counted flow had a nonzero count).
The pure models perform a rate adaptation to evict a single cached flow at a time. It follows from the rank-based view that all adaptive algorithms (
Lemma 7.1. Let m be the size of the packet stream. The expected number of rate adaptations is ≦(k+1) ln(pstartm).
An unaggregated stream of multi-packet flows in this model is expressed as follows: Packets are processed as if they belong to a stream of 1-packet flows. Once a flow is cached, the rank value(s) of subsequent packets that belong to the flow are examined and then these packets are deleted. If the rank of the deleted packet is smaller than the current rank of its flow, an arbitrary rank decrease is simulated and the rank of the flow is decreased to that of the packet. An important point for the analysis is that packet deletion is independent of the rank of the deleted packet. The probability that the ith undeleted packet modifies the sketch (has rank value that is smaller than the (k+1)st smallest rank) is at most min{1, (k+1)/i}. The total number of undeleted packets is at most m. Therefore, the expected number of updates is at most
This bound is nearly tight for streams that consist of 1-packet flows [7], and it is Ω(k ln(pstartm)) (asymptotically tight) when at least a constant fraction of packets belong to small flows. Large number of small flows is common in Zipf-like data and small flows are often introduced in DDoS attacks, port or IP address scanning, and other anomalies.
The actions of a run of a discretized variant of
A discretized rank-based view of the discretized sketching algorithms is provided. This view is equivalent to replacing sampling rates and rank values of packets and flows×ε[0, 1] with [logμ(x/pbase)]. (Smaller values have larger discretized value.) Packets of the pbase-sampled stream are assigned discretized ranks using a geometric distribution with parameter (1−μ). The discretized rank of a flow is the largest rank of a packet of the flow. The discretized current sampling rate is initially set to [logμ(pstart/pbase)]. After k distinct flows are cached, it is the (k+1)st largest discretized rank of a flow, which is equal to the largest discretized rank of a cached flow plus 1. The discretized effective sampling rate is the discretized sampling rate at the end of the measurement period. The flow counts collected over the pbase-sampled stream correspond to those for the pure model: A packet is included in the current discretized
The following property, that holds for the pure model, extends to the discretized model:
Lemma 7.2. A flow f is cached in the discretized model if and only if its discretized rank is larger than the kth largest discretized rank of the flows in F\{f}. (If there are fewer than flows in F \{f} with positive discretized rank value, the flow is cached if and only if its rank is positive.)
This property is critical for extending the analysis of unbiased estimators and variance relations to the discretized model. It allows to simply “plug in” sampling rates and the respective flow counts into the unbiased estimators developed for the pure model. The subtle arguments do not carry over to other conceivable implementations of rate adaptations such as removing a constant fraction of (highest-ranked) cached flows [16, 11] without having to maintain additional state.
A side benefit of discretization is that fewer bits are needed to encode rank values of active flows, as the expected maximum discretized rank of a flow is logμ(mpbase). Other advantages of such discretization, such as layered transmission of summaries, are provided in [11].
The number of rate adaptations is tuned using the parameters μ and pstart. Larger values of μ correspond to a higher number of rate adaptations but also to better memory utilization and more flows in the final sketch (the expected number of active counters and number of flows in the final sketch is about k(1+μ)/2). Lower values of pstart eliminate up to [logμ(pstart/pbase)] rate adaptations. The counts of the step-counting algorithms are reduced by lower pstart, but if pstart is larger than the effective sampling rate, then the sketch produced by
Lemma 7.3. The expected number of rate adaptations performed is at most logμ(pstart*m).
An implementation of the discretized algorithms is outlined. The execution is divided into counting phases and rate adaptations (a design of [11] allows them to run concurrently).
Counting phase. Each counting phase starts with a set of statistics counters indexed by the flow attributes of cached flows and applied to the pbase-sampled packet stream. Each packet is labeled as “sampled” (again) with probability μt, where t is the current discretized sampling rate. The following is performed: (i) If the flow is cached then: If the algorithm is one of
Rate adaptation. The adaptive algorithms,
The update process is repeated until at least one flow has a count of zero. (The repeated process can be avoided by storing discretized rank values for each flow as proposed next for the step-counting algorithms.) All flows with a count of zero are then evicted from the cache.
The step-counting algorithms
The update process of the rank of cached flows emulates the following process that assigns ranks individually to packets counted in the recent counting step. The first packet counted (SH and hybrid variants with flow that was not cached at the beginning of the phase) and all packets counted (NF variants) obtain a random rank from a geometric distribution with parameter (1−μ), conditioned on it being larger than the current discretized sampling rate. The rank of each flow is updated to be the maximum of its current rank and the ranks assigned to the packets of the flow counted at the recent counting phase.
These updates can be performed efficiently (computation steps proportional to the number of cached flows with non-empty counts at the recent step) using the exponential distribution to find the maximum discretized rank over a set of packets.
Unbiased adjusted weights for the discretized algorithms are obtained by recording the discretized sampling rates for each step. Each discretized rate t is then converted to a corresponding sampling rate (pstart/pbase)μt and plugged in the corresponding expressions for
The arguments for correctness, that are based on obtaining an unbiased estimator on each part in a partition of the same space, extend to the discretized version using Lemma 7.2. If the ranks of all packets in F\{f} are fixed, the discretized sampling rate when f is counted depends only on these fixed ranks (and not on ranks assigned to previous packets of f) and is equal to the sampling rate at measurement time.
Therefore, unbiased adjusted weights can be computed while treating the effective sampling rate (for
The proofs of other properties, such as the relation between the algorithms (Section 4.4), the variance relation (Theorem 4.13), and the zero covariances (Lemma 4.11) extend to the discretized variants.
Simulations are used in order to understand several performance parameters: The accuracy of the estimates derived and its dependence on the algorithms, parameter settings, and the consistency of the subpopulation, the tradeoffs of the hybrid approach, and the effectiveness of the parameters controlling the number of rate adaptations. The simulations were performed using the discretized variants of the algorithms, with parameters k (maximum number of counters), 0<pbase≦1 that determines the fraction of processed packets (hybrid approach), and μ and pstart, that control a tradeoff between accuracy/utilization and the number of rate adaptations.
Both synthetic and IP flows datasets were used. The IP flows data were collected using unsampled NetFlow (flow-level summary of each 10 minute time period that includes a complete packet count for each flow) deployed at a gateway router. A typical period has about 5000 distinct flows and 100K packets. The synthetic datasets were produced using Pareto distributions with parameters α=1.1 and α=1.5. Distributions of flow sizes were generated by drawing 5000 flow sizes. A packet stream was simulated from each distribution of flow sizes by randomly permuting the packets of all flows.
The cumulative distributions of the weight of the top i flow sizes for each distribution is provided in
The subsets (subpopulations) considered for the synthetic datasets were the 2i largest flows and the 50%, 30%, and 10% smallest flows. This selection enables understanding of how performance depends on the consistency of the subpopulation (many smaller flows or fewer larger flows) and the skew of the data. The subpopulations used for the IP flows (gateway) data were a partition of the flows according to destination port.
The accuracy of subpopulation-size estimates obtained using
Results that show the average absolute value of the relative error as a function of the cache size k are provided in
On subpopulations of very small flows, such as bottom-50% of flows or DNS (port 53) traffic (only the latter is shown), all methods have similar performance. In particular, there is no advantage for
The results strongly support the use of step-counting as an alternative to the adaptive variants: On subpopulations consisting of many medium to large size flows, the relative error obtained using
The parameter pbase is decreased while maintaining the same flow cache size k=400.
The parameter μ, which controls the rate of decrease of the sampling rate, is sweeped and through it, the total number of rate adaptations performed. It is expected that the (absolute value of the) relative error of the estimates to increase when μ is decreased, as fewer packets are counted and reflected in the final sketch. On the other hand, the number of rate adaptations performed and the size of intermediate temporary storage needed to store the count vectors for
The adjusted weights assigned are a function of the observed count of the flow and the sampling rate. The sampling rate (effective sampling rate or sampling rate steps) in the adaptive algorithms is treated as fixed because for any flow f, it is determined by the sampling performed on all “other” flows (F\{f}). Therefore, within the probability subspace where the sampling on all other flows is fixed, the sampling rate is fixed. The adjusted weight of each flow is unbiased within each such subspace.
Three different techniques to derive adjusted weights are deployed. These techniques are general tools applicable to other quantities such as adjusted counts, unbiased FSD estimators, and adjusted selectivities.
where q[n|f] is the conditional probability that L obtains a count of n for a flow f. The system of equations can be used to derive expressions for the adjusted weights, be solved numerically to compute adjusted weights for each instance, or establish properties of the solution such as uniqueness. (A unique solution to this system implies that there is a unique deterministic assignment of adjusted weights that is a function of the observed counts of the flow and the sampling rate).
All three methods are demonstrated by applying them to derive
A correct adjusted weight assignment must satisfy for any vector n=(n1, . . . , nr),
(For a flow with counts (n1, . . . , nr), the expectation of the adjusted weight should be equal to the size
of the flow.)
To compute AS
(the square of the number of observed packets). (The time to solve the equations is proportional to
but having
coefficients, it takes time proportional to the number of nonzero coordinates of n to compute each one.) This quadratic dependence in the number of packets makes the computation very intensive for large flows. The equations are parametrically solved to derive expressions for the adjusted weights.
Lemma 9.1. Let
Lemma 9.1 is applied to express the sum as a sum of sums of the form of the lhs of Eq. (7) for the vectors
By rearranging it is obtained that
The proof follows using Eq. (3).
Derivation based on per-packet HT estimator. Let h be a per-packet weight function and let h(f)=Σcεfh(c) be the h( )-value of f. (h(c)≡w(c)=1 for packet counts but other packet-level properties can also be used such as the number of bytes in c.) Unbiased adjusted h( ) values HS
By definition, packets that are not counted have adjusted h( )-values zero.
The HT estimator of h(c) is the ratio of h(c) and the probability that the packet c is counted in the sketch. It is clearly unbiased. This probability, however, can not be computed from the sketch. A partition of the sample space is used such that within each subspace in the partition there is a positive probability that the packet is sampled and this conditional probability can be determined from the sketch. The adjusted h( ) value for each packet is an application of the HT estimator within this subspace.
The adjusted h( ) value HS
1. The rank values of packets in F\{f}.
2. The number of packets of f that are counted continuously up to and not including c. (Note that this could be 0.)
Note that the subspace that the rank assignment is mapped to also includes rank assignments where f does not appear in the sketch at all or that f appears but c is not counted. This happens if the current sampling rate drops below the current rank of the flow right before or after c is processed.
The conditional probability is computed that c is counted assuming that the rank assignment belongs to the particular subspace that it maps to. Since the ranks of packets of flows in F\{f} are fixed in this subspace then so are the steps, p, of the kth smallest rank of a flow in F\{f}. Furthermore, in any rank assignment in the given partition where packet c is counted, the same number of packets in each step are counted. Let n be the vectors of counts obtained for f in any rank assignment where c is counted. (In rank assignments in the same subspace where c is not counted this vector could be different.)
HS
To see this, fix the ranks of packets of F\{f}. Then
is the probability that all n1+ . . . +ni up to and including the packets of step i are counted. q[n|n] is the probability that all n packets are counted. Therefore, Eq. (8) is the conditional probability that n is counted given that all packets up to c are counted.
Let N1 be the set of packets counted in step i, and let c0 be the first counted packet.
To facilitate this estimator, the algorithm needs to collect per-step sums h(Ni) over counted packets in the step and to separately record h(c0).
Derivation based on dominance of
qSSH[n|n]ASSH(n).
Suppose now that |n|>nr. If the
Therefore, the contribution is the product
First considered is the case where |n|=nr (all observed packets are in the last step). In this case, if the
q
SSH
[n|n]A
ASH(|n|)=qSSH[n|n]ASSH(n).
One needs to be slightly careful with the first step by considering the rank of the first packet and then the other n1−1 packets. With probability pr, the first packet obtains rank value at most pr and
and therefore the contribution is the product
With probability p1−pr≡c1,r−c1,1, the first packet obtains rank value in (pr, p1], and applying a similar derivation as Eq. 10 for the remaining n1−1 packets, it is obtained
The contribution is therefore,
Summing the contributions of all the steps in Eq. 11, Eq. 12, and Eq. 13, it is obtained that this expectation is
(Using Theorem 4.8 and Eq. 3.)
Lemma 9.2. Consider a flow with
Consider a flow f with |f| packets and the probability subspace where ranks of packets belonging to all other flows (F\{f}) are fixed. It is sufficient to establish the relation between the methods in this subspace. Consider such a subspace. Let p be the steps of the effective sampling rate and pr be the final effective sampling rate. The adjusted weight assignment for all methods has expectation |f| within each such subspace. The variance of the different methods within such subspace is considered and the notation
The variance for
For
For
Using the explicit expressions (Eq. 14, 15, 16) and the inequality (1−p)n≧1−np for all natural n and 0≦p≦1 it follows that
The relation between the variance of the different methods is established via direct arguments that provide more insights and are applicable to the step-counting algorithms.
Lemma 9.3. Consider two mappings A1 and A2 and suppose there exists a partition of the sample space S into subspaces such that within each subspace S′⊂S,
Corollary 9.4. Let A1 be an estimator and consider a partition of the sample space. Consider the estimator A′1 that has a value that is equal to the expectation of A1 on the respective part of the partition. Then
E(A1)−E(A′1) and
If f is not included in the sample (r(f)>pr), it obtains an adjusted weight of zero with all four methods. Therefore, it suffices to compare the methods based on the variance in the adjusted weight assignment within the probability subspace when the flow is sampled (r(f)≦pr). Since all methods are unbiased, they all have the same expectation on this subspace. Apply Lemma 9.3. With
Next
The variance of
The following simple observation is applied. Consider a flow with counts n and a vector sn. The conditional probability that i packets are counted using
Lemma 9.5.
Consider one such subspace Ωn(p). By definition, the adjusted weight assigned to the flow f in this subspace is fixed and is equal to ApSSH(n).
Another
For any rank assignment, a packet is counted by
The probability over Ωn(p) of a rank assignment with corresponding
It follows from Equation (17) that A′pSSH(n) is a deterministic function of p and n. (This also follows the fact that
In Sections 4.1 and 9.1 it is shown that ApSSH(n) is the unique solution of a system of equations. Therefore, it is the only possible assignment of adjusted weights that are a deterministic function of p and n and are unbiased (has expectation |f|) for any possible f and a corresponding probability space Ω(p). Since the estimator A′pSSH(n) is also a deterministic function of n and p and is unbiased on Ω(p) it follows that
ApSSH≡A′pSSH.
Theorem 4.10 is proven (derivation of adjusted weights for
Consider first points in V where the first packet that has rank at most pr is a packet t of step 1.
The probability that
A sum is taken over t=0, . . . , n1−1 and divided by qSNF[n|n] to obtain the contribution to the average adjusted weight of NF in V of the points where the first packet that has rank at most pr is of step 1.
The derivation of the contribution to the average of points where the first packet having rank at most pr is in steps l=2, . . . r−1 is similar to that of Eq. (18), observing that
is the probability that
It is obtained that Eq. (19) (contribution of step l>1) is equal to
The first sum in the expression above is geometric, and the second is of the form
where it follows that
Using these observations, it is obtained that Equation (20) is equal to
By applying similar manipulations to Eq. (18), it is obtained that the numerator of that equation is equal to
Summing the contributions of steps l=1, . . . , r−1 (Eq. (22) and Eq. (21) for l=2, . . . , r−1) and obtain that the total contribution to the expectation is
The proof follows using Eq. (4).
Applying the HT estimator, an adjusted h( )-value for each observed packet is obtained. The proof methodology is similar to the one provided for
Consider a rank assignment x that results in an
Each packet is associated with a subspace of rank assignments as follows. For cεNi, the subspace is defined by the following constraints: (i) The rank values of all packets of flows in F\{f} are as in x. (ii) Each packet aε∪j=1r Nj\{c} has rank value that is below the current sampling rate at the time the packet arrives. (iii) The rank assignment is such that at the time packet c arrives, flow f is cached with a count that includes all the packets in ∪j=1i Nj that precede c.
This is a mapping from a rank assignment x and a packet c into a subspace. The subspaces partition the space of all rank assignments (including those where c is not counted in the sketch).
Next it is shown how to compute, given the sketch and the packet c, the conditional probability, within the subspace which x maps to, that c is counted. This probability is equal to the probability that all packets in ∪j=1r Nj are counted. Consider the subspace defined by (i): The probability that (ii)+(iii) hold given (i) is:
The probability that all packets in ∪j=1r Nj are counted given the constraint (i) is
If all packets are counted in the subspace specified by (i), then constraints (ii) and (iii) must hold. Therefore, the probability that c is counted conditioned on (i)+(ii)+(iii) is
The adjusted h( )-value of the packet c is then
The adjusted h( )-value of the flow is
The proof of Lemma 4.11 is based on conditioning on the rank values of packets belonging to flows in F\{f1, f2}, and the methodology carries over to establish this property for the discretized versions.
Therefore, on this part
Next consider
The proof of Lemma 5.2 is provided.
Denote by π(p, n, j) the conditional probability of an
If |n|=1 then π(p, n, 1)=1 and π(p, n, j)=0 for j≠1 (the
α1SSH(p, n)=1/pr (and αjSSH(p, n)=0 for all j≠1).
If |n|=nr then π(p, n, nr)=1 and π(p, n, j)=0 for j≠nr (the
αn
Consider n such that |n|>1 and |n|>nr. Assume WLOG that nl>0 for 1≦l<r. The probabilities π(p, n, x)>0 are positive if only if |n|≧x≧nr+1 and are as follows:
Therefore, αiSSH(p, n) can be nonzero only for |n|≧i≧nr. These values are computed case by case using Eq. (27).
for some 2≦l≦r−1:
for some 2≦l≦r. If l=2 it is assumed n1>1. If l=r it is assumed nr>0 (because otherwise αnr( ) is not defined.):
9.6 Estimators with Negative Covariances
Lemma 9.6. Let n:F be the
are unbiased selectivities, that is,
E(RANF(f))=w(f)/w(F).
It suffices to show that for each packet v,
E(RANF(v))=1/w(F).
The rank-based view of the sample space is used. Consider a rank assignment and the permutation of the packets according to their order by increasing rank value. Order the flows by the position of their first packet. Then n(F)+1 is the position of the first packet of the (k+1)st flow in this order. The first k flows are the ones included in the sketch.
Consider a packet vεf and a partition of rank assignments over F\{v} (all packets other than v) according to the induced permutation on these packets. For each permutation, a corresponding value of l is defined as follows. If the first k flows in the induced permutation on F\{v} include f, then l is the position of the first packet of the (k+1) st flow. If the first k flows do not include f then l is the position of the first packet of the (k)th flow.
Consider a probability subspace in this partition and the respective value of l. The packet v is counted if and only if its position in the permutation is at most l. The conditional probability (in this subspace) that v is counted is l/w(F). In this case there are l counted packets (n(F)=l) and the adjusted selectivity of v is 1/l. So in this subspace
The effective sampling rate distribution is determined by w(F) and the observed counts n:F={(f, n(f ))}. Consider a partition of the sample space according to n:F, and denote by Ω(L,n:F) the subspace that corresponds to n:F. It will be shown that the estimator A+L(f, n:F, w(F)) is the expectation of the estimator AL(n(f)) over Ω(L,n:F) for Lε
Lemma 9.7. For any flow fεF,
E(AANF(f))=E(w(F)RANF(f))=w(F)n(f)/n(F).
AA
E
Ω
(AANF(f))=EΩ
Lemma 9.8. For any two flows f1≠f2,
E(RANF(f1)RANF(f2))≦ρ(f1)ρ(f2). (Eq. 28)
By definition
From linearity of expectation, a sufficient condition for Eq. (28) is that for any v1εf1 and v2εf2,
E(RANF(v1)RANF(v2))≦1/w(F)2. (Eq. 29)
Consider a partition of the sample space according to the induced permutation on the packets w(F)\{v1, v2}. It is shown that Eq. (29) holds within each subspace. Consider such a permutation and define l as follows. If the first k flows in w(F)\{v1, v2} include both f1 and f2, then l is the position of the first packet of the (k+1)st flow. Otherwise, if the first k−1 flows include exactly one of {f1, f2} (observe that the other cannot be the kth flow), then l is the position of the first packet of the kth flow. Otherwise, (the first k−1 flows do not include either of {f1, f2}), l is the position of the first packet of the (k−1)th flow.
The packets v1 and v2 are both counted (and both are assigned non-zero adjusted selectivities) if and only if they both appear before the lth packet of the induced permutation on w(F)\{v1, v2}, which is equivalent to saying that their positions in the permutation over w(F) is at most l+1. This happens with probability
In this case there are l+1 counted packets and each packet is assigned adjusted selectivity 1/(l+1). Therefore, in this subspace
(The last inequality follows using l<w(F)−1.)
Done this way, the adjusted selectivities assignment depends on the counts and sampling rate. Better estimators (lower variances) are obtained using an assignment that is based on a coarser partition of the sample space. The assignment depends on w(F) and the counts but not on the sampling rate.
Consider an
Lemma 9.9. The following is a correct adjusted selectivities assignment
RA
The distribution of
The number of permutations over F with exactly lε{0, . . . , n(F)−k} ANF-counted packets from S (that is, total of l+k
(Eq. 31)
The probability in Ω(n:F) that exactly e packets from S are counted is the ratio of Eq. (31) and Eq. (30):
Consider the subspace of Ω(n:F) that includes all permutation such that there are l counted packets from S. The probability that a packet cεS is
The probability that a packet cεR is
Hence, for a flow f,
The equality R′ASH(f)≡RASH(f) follows by standard manipulations.
The expectation A′A
The relation A′A
The intuition for this expression is to view the process as the packets in O∪R being subjected to uniform sampling of k packets, and therefore, each packet obtains an adjusted selectivity of 1/k (in R∪O) and adjusted weight of |O∪R|/k and selecting all packets in S and therefore each packet obtains an adjusted selectivity of 1/|S| (in S) and adjusted weight of 1. Therefore, n(f)−1+|O∪R|/k are adjusted weights for f.
It follows from Lemma 9.9 and Lemma 9.4 that
Adjusted count and FSD
The
Accurate summarization of IP traffic is essential for many network operations. The present invention provides summarization algorithms that generate a sketch of the packet streams that allows processing of approximate subpopulation size queries and other aggregates. The algorithms build on existing designs, but are yet able to obtain significantly better estimates through better utilization of available resources and careful derivation of unbiased statistical estimators that have minimum variance with respect to the information they use.
A system and computer-readable medium in accordance with the present invention, which incorporate at least some of the preferred features, is intended to be within the scope of the present invention. The system may be implemented using at least one of a microprocessor, a microcontroller, programmable logic, and/or an application specific integrated circuit (ASIC) with or without software and/or firmware. The computer-readable medium may include a compact disc (CD), digital video disc (DVD), and/or tape, which include instructions that when executed by at least one computing device performs the methods in accordance with the present invention.
Although preferred embodiments of the present invention have been described herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments and that various other changes and modifications may be affected herein by one skilled in the art without departing from the scope or spirit of the invention, and that it is intended to claim all such changes and modifications that fall within the scope of the invention.
The following references are referred to above and incorporated herein by reference: