Reading SBAR SDN flow-Based monitoring and Application Recognition

概要

• 在sdn下，控制平面基于网络测量的的数据控制网络，而细粒度的管理得益于细粒度的测量数据。针对sdn环境下的细粒度测量（识别具体应用程序），可以实现对细粒度的流量管控。
• 设计了识别系统SBAR，对数据流进行测量，识别出具体应用程序并得到它们的网络数据。针对流分类，SBAR以应用程序协议为参照，使用了机器学习的算法。 针对web和加密流量，使用深度包检测检测包的负载以识别应用程序。同时SBAR利用了OpenFlow提供的测量数据识别应用，交换机利用南向接口向控制器传输数据。最后使用GUI对得到的数据进行整合处理得到全网测量数据。经过验证，SBAR检测的准确率可以达到90%以上（由于使用DPI和ML可能有较大的资源开销和时延）。

Background

• In the Software-Defined Networking (SDN) paradigm, it is essential to perform comprehensive traffic monitoring in order to provide the control plane with an accurate view of the network state.
• This enables to perform such an effective fine-grained network management
  with different purposes (e.g., traffic engineering, security).

Related Work

• NetFlow/IPFIX:There are a plenty of tools based on Netflow that harness the flow-level measurement.
• Flows are often labeled (e.g., by protocol)
  using port-based classification techniques which is gradually obsoleted beacause it is quite common to find very diverse applications operating over
  the same application protocols（无法从端口号分辨出具体的应用程序）
• QoE:the QoE perceived by end-users significantly depends on the type of application and the QoS level provided by the network (e.g., bandwidth, delay).（QoE感知取决于应用程序类型以及QoS级别）
• Deep Packet Inspection (DPI)
  typically achieves very accurate traffic classification by inspecting the packet payloads. However, applying DPI over all the packets traversing a network is often too resource consuming （根据负载分类，资源开销过大）
• Machine Learning (ML) classifiers were proposed with the aim of alleviating the
  processing burden.Use **features* up to the transport layer to classify the traffic, useless when applied to distinguish among different applications generating traffic over the same protocol（根据特征分类，无法从相同协议分辨出不同程序）

Solution

• We present SBAR, a monitoring system compliant with OpenFlow that provides flow-level measurement
• Classify the traffic at two different levels:In the Software-Defined Networking (SDN) paradigm, it is essential to perform comprehensive traffic monitoring in order to provide the control plane with an accurate view of the network state. This
  enables to perform such an effective fine-grained network management with different purposes (e.g., traffic engineering, security).
• (i) every monitored flow is classified by application protocol,

• (ii) for web and encrypted traffic, we apply specific DPI techniques to identify the applications （端口号相同要通过负载分辨出具体的应用程序）
  generating each flow
  

• Reduce the processing overhead in the controller(s) and the memory consumption in switches to maintain the measurements

Implement

Openflow

• Leverage the particularities of OpenFlow networks to efficiently implement a combination of techniques based on ML and DPI to accurately classify the traffic in the controller.
• Leverage the support of OpenFlow to maintain the flow measurements (# of
  packets and bytes, and duration) in the flow tables of the switches
• OpenFlow provides an interface that permits to report the measurements to the controller(s) when some predefined timeouts (idle and hard) expire
• Make use of ultiple tables of OpenFlow
  to decouple the operation of this module from other modules executing
  different network tasks (e.g., forwarding) in the controller.

Others

• Flow sampling using only native features of OpenFlow, which enables to address
  common scalability issues in OpenFlow-based networks.

1. Per-flow classification by application protocols (e.g., SMTP, SSH) using a ML model
2. For web and encrypted flows, it applies specific DPI techniques [1, 2] to identify the applications (e.g., Netflix, Facebook) generating traffic.

• 通过给控制器指定规则，只提取前几个HTTP等协议的包头信息，然后根据某种算法推断出对应的应用程序，节省了开销
• GUI用于处理SBAR得到的flow-level reports infer high-level traffic
  statistics
• 

Advantages

the classification accuracy acheives 90% or higher.

Disadvantages

Because of the DPI and ML, the resource overhead and latency probably are high(I guess)