Ahsan Habib, University of California, Berkeley
On-line monitoring of network activity is required to maintain confidence in the security and QoS of networks. However, continuous monitoring of a network domain poses several challenges. First, routers of a network domain need to be polled periodically to collect statistics about delay, loss, and bandwidth. Second, this huge amount of data has to be mined to obtain useful monitoring information. This increases the overhead for high-speed core routers, and prevents the monitoring process from scaling to a large number of flows. To achieve scalability, polling and measurements that involve core routers should be avoided.
This talk presents a network tomography-based distributed network monitoring scheme that uses only edge-to-edge measurements and scales to large network domains. In this scheme, the edge routers form an overlay network with their neighboring edge routers. The overlay network is probed intelligently to identify the congested links in the domain. A major advantage of this monitoring scheme is that when the network is not heavily congested, the monitoring scheme can detect attacks in both directions of all links with O(N) probes, where N is the number of edge routers. Through analytic study and a series of experiments, we show that the proposed scheme can effectively identify the congested links. The congested links are used to capture the misbehaving flows that are violating their service level agreements, or attacking the domain by injecting excessive traffic.
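
The following sketch is an added example, not the algorithm presented in the talk: it applies a generic Boolean-tomography elimination step to 2N edge-to-edge probes on a ring overlay. The topology, the symmetric routes, and all names are assumptions constructed for illustration; it shows why localization is exact under light congestion and becomes ambiguous as more links congest.

```python
# Added illustration; topology, routes and names are constructed for this example.
HOPS = {  # assumed fixed route of each probe between neighbouring edge routers
    ("E1", "E2"): ["E1", "C1", "E2"],
    ("E2", "E3"): ["E2", "C1", "C2", "E3"],
    ("E3", "E4"): ["E3", "C2", "E4"],
    ("E4", "E1"): ["E4", "C2", "C1", "E1"],
}

def build_routes(hops):
    """Map each probe, in both directions, to the directed links it crosses."""
    routes = {}
    for (src, dst), nodes in hops.items():
        rev = nodes[::-1]  # assumption: the reverse probe follows the same path
        routes[(src, dst)] = list(zip(nodes, nodes[1:]))
        routes[(dst, src)] = list(zip(rev, rev[1:]))
    return routes

def observe(routes, bad_links):
    """Simulated measurement: a probe reports congestion if any link on it is bad."""
    return {p for p, links in routes.items() if bad_links & set(links)}

def locate(routes, congested):
    """Return (confirmed, ambiguous) directed links given the congested probes."""
    good = set()
    for probe, links in routes.items():
        if probe not in congested:
            good.update(links)  # every link on a clean probe is cleared
    confirmed, ambiguous = set(), set()
    for probe in congested:
        suspects = [l for l in routes[probe] if l not in good]
        if len(suspects) == 1:
            confirmed.add(suspects[0])  # sole uncleared link must be the cause
        else:
            ambiguous.update(suspects)
    return confirmed, ambiguous - confirmed

ROUTES = build_routes(HOPS)  # N = 4 edge routers, 2N = 8 probes

if __name__ == "__main__":
    light = {("C1", "C2")}
    heavy = {("C1", "E2"), ("C1", "C2")}
    for bad in (light, heavy):
        confirmed, ambiguous = locate(ROUTES, observe(ROUTES, bad))
        print("actual:", sorted(bad))
        print("  confirmed:", sorted(confirmed), "ambiguous:", sorted(ambiguous))
```

In the second case the link E1→C1 is not congested, but both probes that cross it are, so edge-to-edge measurements alone cannot clear it.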