Generic change detection (almost entirely) in the dataplane

Abstract

Identifying traffic changes accurately sits at the core of many network tasks, from congestion analysis to intrusion detection. Modern systems leverage sketch-based structures that achieve favourable memory-accuracy tradeoffs by maintaining compact summaries of traffic data. Mainly used to detect heavy-hitters (usually the major source of network congestion), some can be adapted to detect traffic changes, but they fail on generality. As their core data structures track elephant flows, they miss to identify mice traffic that may be the main cause of change (e.g., microbursts or low-volume attacks). We present k-meleon, an in-network online change detection system that identifies heavy-changes - instead of changes amongst heavy-hitters only, a subtle but crucial difference. Our main contribution is a variant of the k-ary sketch (a well-known heavy-change detector) that runs on the data plane of a switch. The challenge was the batch-based design of the original. To address it, k-meleon features a new stream-based design that matches the pipeline computation model and fits its tough constraints. A preliminary evaluation shows that k-meleon achieves the same level of accuracy for online detection as the offline k-ary, detecting changes for any type of flow: be it an elephant, or a mouse.