Showing papers by "Jia Wang" published in 2008


Proceedings ArticleDOI
09 Dec 2008
TL;DR: NICE (Network-wide Information Correlation and Exploration) is presented, a novel infrastructure that enables the troubleshooting of chronic network conditions by detecting and analyzing statistical correlations across multiple data sources and allows flexible analysis at various spatial granularity.
Abstract: Chronic network conditions are caused by performance impairing events that occur intermittently over an extended period of time. Such conditions can cause repeated performance degradation to customers, and sometimes can even turn into serious hard failures. It is therefore critical to troubleshoot and repair chronic network conditions in a timely fashion in order to ensure high reliability and performance in large IP networks. Today, troubleshooting chronic conditions is often performed manually, making it a tedious, time-consuming and error-prone process. In this paper, we present NICE (Network-wide Information Correlation and Exploration), a novel infrastructure that enables the troubleshooting of chronic network conditions by detecting and analyzing statistical correlations across multiple data sources. NICE uses a novel circular permutation test to determine the statistical significance of correlation. It also allows flexible analysis at various spatial granularity (e.g., link, router, network level, etc.). We validate NICE using real measurement data collected at a tier-1 ISP network. The results are quite positive. We then apply NICE to troubleshoot real network issues in the tier-1 ISP network. In all three case studies conducted so far, NICE successfully uncovers previously unknown chronic network conditions, resulting in improved network operations.

69 citations


Journal ArticleDOI
17 Aug 2008
TL;DR: A complete model and associated tools for characterizing interconnections between routing instances based on analysis of router configuration data are developed and confirmed that Route Redistribution is indeed widely used and operators use RR to achieve important design objectives not realizable with existing routing protocols alone.
Abstract: Recent studies reveal that the routing structures of operational networks are much more complex than a simple BGP/IGP hierarchy, highlighted by the presence of many distinct instances of routing protocols. However, the glue (how routing protocol instances interact and exchange routes among themselves) is still little understood or studied. For example, although Route Redistribution (RR), the implementation of the glue in router software, has been used in the Internet for more than a decade, it was only recently shown that RR is extremely vulnerable to anomalies similar to the permanent route oscillations in BGP. This paper takes an important step toward understanding how RR is used and how fundamental the role RR plays in practice. We developed a complete model and associated tools for characterizing interconnections between routing instances based on analysis of router configuration data. We analyzed and characterized the RR usage in more than 1600 operational networks. The findings are: (i) RR is indeed widely used; (ii) operators use RR to achieve important design objectives not realizable with existing routing protocols alone; (iii) RR configurations can be very diverse and complex. These empirical discoveries not only confirm that the RR glue constitutes a critical component of the current Internet routing architecture, but also emphasize the urgent need for more research to improve its safety and flexibility to support important design objectives.

59 citations


Proceedings Article
01 Oct 2008
TL;DR: ViAggre is effectively a scalability technique that allows an ISP to modify its internal routing such that individual routers in the ISP’s network only maintain a part of the global routing table.
Abstract: This paper presents ViAggre (Virtual Aggregation), a “configuration-only” approach to shrinking the routing table on routers. ViAggre applies to legacy routers and can be adopted independently and autonomously by any ISP. ViAggre is effectively a scalability technique that allows an ISP to modify its internal routing such that individual routers in the ISP’s network only maintain a part of the global routing table. We find that ViAggre can shrink the routing table on routers by more than an order of magnitude while imposing negligible traffic stretch.

26 citations


Patent
Aman Shaikh, Cheng Tien Ee, Ajay Mahimkar, Jia Wang, Jennifer Yates, Yin Zhang, Zihui Ge
31 Dec 2008
TL;DR: In this article, a method and apparatus for providing event correlation in a network are disclosed, which extracts a plurality of events of interest from a database, and creates one or more event time series from the plurality of events of interest.
Abstract: A method and apparatus for providing event correlation in a network are disclosed. For example, the method extracts a plurality of events of interest from a database, and creates one or more event time series from the plurality of events of interest, wherein each of the one or more event time series comprises a set of events of a same type and of a same location that occur within a given time period. The method forms one or more composite events from the one or more event time series, and performs one or more pair-wise correlations for at least one of: the event time-series, or the one or more composite events. The method then identifies one or more pair-wise correlations that are statistically significant.

16 citations


Patent
Lusheng Ji, Dan Pei, Tongqing Qui, Jia Wang
25 Nov 2008
TL;DR: In this paper, a method to select prefix hijack monitors that increase the likelihood of detecting prefix hijacking events of a destination prefix is disclosed. The method includes assigning each of the candidate prefix hijack monitors to a respective cluster of a plurality of clusters and iteratively merging a pair of clusters with the highest similarity score amongst cluster pairs of the plurality of clusters into a single cluster until a processed number of clusters is less than or equal to a predetermined number of clusters.
Abstract: Method, system and computer-readable medium to select monitors that increase the likelihood of detecting prefix hijacking events of a destination prefix are disclosed. The method includes assigning each of the candidate prefix hijack monitors to a respective cluster of a plurality of clusters. Each of the candidate prefix hijack monitors is associated with an autonomous system (AS) that indicates an AS path of autonomous systems (ASes) from the AS to a destination prefix associated with a destination AS. The method further includes iteratively merging a pair of clusters with a highest similarity score amongst cluster pairs of the plurality of clusters into a single cluster until a processed number of clusters is less than or equal to a predetermined number of clusters. The method also includes ranking each candidate prefix hijack monitor of each of the processed number of clusters according to a route type from an AS associated with the candidate prefix hijack monitor and an AS distance from the AS associated with the candidate prefix hijack monitor to the destination AS. Yet further, the method includes determining a highest ranked candidate prefix hijack monitor of each of the processed number of clusters.

15 citations


Patent
Jia Wang, Lusheng Ji, Dan Pei
11 Dec 2008
TL;DR: In this article, a method and apparatus for detecting address hijacking in a network is disclosed, where the method sends one or more traceroute packets to a target prefix, wherein the target prefix comprises one or more destination Internet Protocol (IP) addresses, and records traceroute data received for the one or more traceroute packets sent to the target.
Abstract: A method and apparatus for detecting an address hijacking in a network are disclosed. For example, the method sends one or more traceroute packets to a target prefix, wherein the target prefix comprises one or more destination Internet Protocol (IP) addresses, and records traceroute data received for the one or more traceroute packets sent to the target prefix. The method then determines one or more hop count distance measurements for the target prefix, and determines if there are one or more changes in the one or more hop count distance measurements for the target prefix.

13 citations


Patent
Jia Wang, Zihui Ge, Hongbo Jiang, Shudong Jin
05 Aug 2008
TL;DR: In this paper, a system and method for profiling subnet-level aggregate network data traffic is disclosed, which allows a user to define a collection of features that combined characterize the subnet-level aggregate traffic behavior, such as daily traffic volume, time-of-day behavior, spatial traffic distribution, traffic balance in flow direction and traffic distribution in type of application.
Abstract: A system and method for profiling subnet-level aggregate network data traffic is disclosed. The system allows a user to define a collection of features that combined characterize the subnet-level aggregate traffic behavior. Preferably, the features include daily traffic volume, time-of-day behavior, spatial traffic distribution, traffic balance in flow direction, and traffic distribution in type of application. The system then applies machine learning techniques to classify the subnets into a number of clusters on each of the features, by assigning a membership probability vector to each network thus allowing panoramic traffic profiles to be created for each network on all features combined. These membership probability vectors may optionally be used to detect network anomalies, or to predict future network traffic.

12 citations


Patent
Jia Wang, Zihui Ge, Hongbo Jiang, Shudong Jin, Andrew W. Moore
21 Jul 2008
TL;DR: In this paper, the authors classify network traffic flows using flow-level statistical information and machine learning estimation, based on a measurement of at least one of relevance and goodness of network features, which can result in the identification of a plurality of clusters based on the measurement of the relevance of the network features.
Abstract: Managing network traffic to improve availability of network services by classifying network traffic flows using flow-level statistical information and machine learning estimation, based on a measurement of at least one of relevance and goodness of network features. Also, determining a network traffic profile representing applications associated with the classified network traffic flows, and managing network traffic using the network traffic profile. The flow-level statistical information includes packet-trace information and is available from at least one of Cisco NetFlow, NetStream or cflowd records. The classification of network flows includes tagging packet-trace flow record data based on defined packet content information. The classifying of network flows can result in the identification of a plurality of clusters based on the measurement of the relevance of the network features. Also, the classification of network traffic can use a correlation-based measure to determine the goodness of the network features.

12 citations


Patent
Alexandre Gerber, Jia Wang, Oliver Spatscheck, Jennifer Yates, Michael Merritt
14 Nov 2008
TL;DR: In this paper, the identity of a peer providing content is identified based on a compilation of network distance information provided by a plurality of service providers, which is then used to identify the first peer and the second peer providing the content.
Abstract: A method includes receiving network distance information, receiving a request from a client for an identity of a peer providing content, and identifying a first peer and a second peer providing the content. The network distance information includes a compilation of network distance information provided by a plurality of service providers. The method further includes determining that a network distance between the first peer and the client is less than a network distance between the second peer and the client based on the network distance information, and providing the identity of the first peer to the client.

10 citations


Patent
Jia Wang, Mitsunori Ogihara, Oliver Spatscheck, Ashwin Lall, Jun Xu, Haiquan Zhao
16 May 2008
TL;DR: In this article, first and second sketches are created corresponding to ingress (i.e. origin) and egress (i.e. destination) flows, respectively, to estimate the entropy of origin-destination (OD) data flows in a network.
Abstract: The preferred embodiments of the present invention are directed to estimating entropy of origin-destination (OD) data flows in a network. To achieve this, first and second sketches are created corresponding to ingress (i.e. origin) and egress (i.e. destination) flows. The sketches allow estimating entropy associated with data streams as well as entropy associated with an intersection of two or more of the data streams, which provides a mechanism for estimating the entropy OD flows in a network.

10 citations


Patent
25 Apr 2008
TL;DR: In this article, a method and apparatus that enables approximate packet classification by using both an exact packet classification method and an inexact packet classification method is described, where the method filters a plurality of packets using an exact classification method when a processing load is below or equal to a threshold, and filters the plurality of packets by dynamically switching between the exact classification method and an inexact classification method when the processing load is above the threshold.
Abstract: A method and apparatus that enables approximate packet classification by using both an exact packet classification method and an inexact packet classification method are disclosed. For example, the method filters a plurality of packets using an exact packet classification method when a processing load is below or equal to a threshold, and filters the plurality of packets by dynamically switching between the exact packet classification method and an inexact packet classification method when the processing load is above the threshold.

Proceedings ArticleDOI
17 Nov 2008
TL;DR: The feasibility of a real-time tool for detecting degraded forwarding performance due to routing problems in the Internet is demonstrated and the experimental results indicate that the tool effectively detects a significant number of routing outages and forwarding loops.
Abstract: As the Internet steadily increases in importance, it is still based on a quite fragile routing design. From the network operators' perspective it is therefore crucial to detect end-to-end path performance due to routing outages early to either mitigate them directly or contact other entities to mitigate them. In this work we demonstrate the feasibility of a real-time tool for detecting degraded forwarding performance due to routing problems. Our tool passively monitors the traffic within the network and actively probes paths for which the TCP traffic characteristics indicate a possible routing problem. More importantly, our tool focuses on detecting routing events that actually affect network traffic, which from the network operators' perspective is most relevant. The experimental results based on large-scale measurement in the Internet indicate that our tool effectively detects a significant number of routing outages and forwarding loops.

10 Jul 2008
TL;DR: The key insight here is to use divide-and-conquer so that default-free zone routers don’t need to maintain the entire routing table and an ISP can modify its internal routing such that individual routers in its network only maintain a part of the routing table.
Abstract: This paper presents Virtual Aggregation, an architecture that attempts to tackle the Internet routing scalability problem. Our approach does not require any changes to router software and routing protocols and can be deployed by any ISP without the cooperation of other ISPs. Hence, Virtual Aggregation is a configuration-only solution. The key insight here is to use divide-and-conquer so that default-free zone routers don’t need to maintain the entire routing table. Instead, an ISP can modify its internal routing such that individual routers in its network only maintain a part of the routing table. We evaluate the application of Virtual Aggregation to a few tier-1 and tier-2 ISPs and show that it can reduce routing table size on individual routers by an order of magnitude while imposing almost no traffic stretch and very little increase in router load. We also deploy Virtual Aggregation across two different testbeds comprising of Cisco and Linux routers. Finally, we detail some shortcomings of the proposed design and discuss alternative designs that alleviate some of these. However, in spite of the limitations, we believe that the simplicity of the proposal and its possible short-term impact on routing scalability suggest that it is an alternative worth considering.

01 Jan 2008
TL;DR: A robust scheme named LOCK, LOcating Countermeasure-capable hijacKers, for locating the prefix hijacking ASes based on distributed data-plane Internet measurements, which is robust against various countermeasures that the hijackers may employ.
Abstract: Prefix hijacking is known as one of the security threats on today’s Internet. A number of measurement based solutions have been proposed to detect prefix hijacking events. In this paper we take these solutions one step further by addressing the problem of locating the attacker in each of the detected hijacking events. Being able to locate an attacker is critical for deciding at the earliest time the proper mitigation mechanisms to invoke to limit the impact of the attack and successfully stopping the attack. In this paper, we propose a robust scheme named LOCK, LOcating Countermeasure-capable hijacKers, for locating the prefix hijacker ASes based on distributed data-plane Internet measurements. LOCK locates each attacker AS by actively monitoring paths to the victim prefix from a small number of carefully selected monitors distributed on the Internet. More importantly, LOCK is robust against various countermeasures that the hijackers may employ. This is achieved by taking advantage of two observations: that the hijacker cannot manipulate the data-plane path before a packet reaches the hijacker, and that the data-plane paths to victim prefix “converge” around the hijacker AS. We have deployed LOCK on a number of PlanetLab nodes and conducted several large scale measurements and experiments to evaluate the performance of LOCK against three sets of hijacking attacks: synthetic attacks, reconstructed previously known attacks, and controlled attacks on the Internet. Our evaluation results show that LOCK is able to pinpoint the prefix hijacker AS with an accuracy of over 90%.