Decentralized and Scalable Analysis of High-speed IP Traffic (DaSAHIT)

High-speed network links are a challenge for traditional centralized IP traffic analysis because of its high demand for hardware resources, which are limited and costly. Thus, the DaSAHIT project (Decentralized and Scalable Analysis of High-speed IP Traffic) will develop a scalable and distributed architecture for collecting, analyzing, and storing IP traffic data in real time with the highest necessary level of accuracy. The key idea is to utilize the resources of a large number of nodes, which collaboratively process and store traffic data in a highly decentralized, flexible, and robust manner. The mechanisms to be developed will provide a high level of self-configuration, so that nodes may easily be added to or removed from the analysis network. This approach will leverage the resources of cheap, unreliable, and otherwise unused nodes and can reduce the high cost of high-speed traffic analysis.

General Information

Reference: SNF Project 200021-118128 / 1
Source of funding: Swiss National Science Foundation
Project Duration: January 1, 2008 - December 31, 2009
Official Project Home Page: http://www.csg.uzh.ch/research/dasahit

Project Overview

Although existing work alleviates some of the high-speed packet processing problems caused by the high demand for hardware resources, sampling mechanisms are not very effective or accurate in scenarios where complete information is required or no compromise can be made on accuracy, such as intrusion detection or usage-based charging. Proposed dedicated network monitoring tasks, such as flow processing or detection of flow paths within networks, have a major drawback: they lack the flexibility to adapt to processing workloads as the current load of the analyzed network link and the current processing capacity of the analysis network change. They also lack scalability with respect to higher link speeds, mainly due to a limited degree of work distribution.

Therefore, DaSAHIT will develop appropriate self-configuration mechanisms to automate nodes joining and leaving the analysis network. The resulting monitoring and analysis platform will form the basis for real-time traffic analysis scenarios such as flow accounting, flow path monitoring, or intrusion detection. To show the applicability of the proposed approach, the developed mechanisms will be demonstrated in the IP flow accounting scenario.

This work is highly relevant to future accounting systems, since it develops alternative mechanisms to packet analysis for high-speed network links. The approach will improve the efficiency of core network processes such as routing and switching by removing the burden of packet inspection. At the same time, the resulting platform will lead to better analysis results by leveraging the processing capabilities of multiple, otherwise unused nodes in order to minimize the sampling rate.

Publications

  • Cristian Morariu, Burkhard Stiller: A Distributed Architecture for IP Traffic Analysis. 1st International Conference on Autonomous Infrastructure, Management, and Security (AIMS 2007), June 21-22, 2007, Oslo, Norway. Eds.: A. K. Bandara, M. Burgess, Lecture Notes in Computer Science (LNCS), Vol. 4543, ISBN 3-540-72985-2, Springer, Berlin, pp. 216-220.
  • Cristian Morariu, Manuel Feier, Burkhard Stiller: LINUBIA: A Linux-supported User-based IP Accounting. 18th IFIP/IEEE International Workshop on Distributed Systems: Operation and Management (DSOM 2007), October 29-31, 2007, San José, California, U.S.A. Eds.: Alexander Clemm, Lisandro Granville, Rolf Stadler, Lecture Notes in Computer Science (LNCS), Vol. 4785, ISBN 3-540-75693-0, Springer, Berlin, pp. 229-241.

UZH Personnel

Contact

Inquiries may be directed to the local Swiss project management:

Prof. Dr. Burkhard Stiller
University of Zürich, IFI
Binzmühlestrasse 14
CH-8050 Zürich
Switzerland
Phone: +41 44 635 67 10
Fax: +41 44 635 68 09