Sketch Acceleration on FPGA and its Applications in Network Anomaly Detection

Sketch, a highly accurate data stream summarization technique, has gained much interest in the research community in recent years. Because of its sub-linear memory complexity, Sketch-based techniques consume significantly less memory than the traditional per-item-state techniques for processing high throughput data streams. One of the major applications of Sketch is in network anomaly detection, which is critical for network management and security in both Internet and data centers. In these applications, throughput is a key performance metric. Due to the low memory complexity, Sketch-based techniques can be supported by the fast on-chip storage of the state-of-the-art computing platforms to achieve high throughput. In this work, we first propose a generic architecture on FPGA to accelerate Sketch and adopt it to 2 widely used Sketches: Count-min Sketch and K-ary Sketch. We propose online Sketch-based algorithms for 2 key network anomaly detection tasks: heavy hitter detection and heavy change detection. We adopt the proposed generic architecture for Sketch to accelerate these online algorithms. The post place-and-route results on a state-of-the-art FPGA show that our generic architecture can accelerate both Count-min Sketch and K-ary Sketch to over 150 Gbps, demonstrating significant throughput performance improvements compared with other Sketch acceleration techniques. Our architectures for online anomaly detection tasks sustain 100-150 Gbps throughput for various system configurations.

[1]  S. Muthukrishnan,et al.  How to Summarize the Universe: Dynamic Maintenance of Quantiles , 2002, VLDB.

[2]  Gordon J. Brebner,et al.  400 Gb/s Programmable Packet Parsing on a Single FPGA , 2011, 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems.

[3]  Carsten Lund,et al.  Online identification of hierarchical heavy hitters: algorithms, evaluation, and applications , 2004, IMC '04.

[4]  Gaogang Xie,et al.  SF-sketch: slim-fat-sketch with GPU assistance , 2017, ArXiv.

[5]  Rajeev Rastogi,et al.  Processing complex aggregate queries over data streams , 2002, SIGMOD '02.

[6]  Alok N. Choudhary,et al.  Real-time feature extraction for high speed networks , 2005, International Conference on Field Programmable Logic and Applications, 2005..

[7]  Divesh Srivastava,et al.  Finding Hierarchical Heavy Hitters in Data Streams , 2003, VLDB.

[8]  Min Zhu,et al.  B4: experience with a globally-deployed software defined wan , 2013, SIGCOMM.

[9]  Theophilus Wellem,et al.  Accelerating Sketch-Based Computations with GPU: A Case Study for Network Traffic Change Detection , 2011, 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems.

[10]  Balachander Krishnamurthy,et al.  Sketch-based change detection: methods, evaluation, and applications , 2003, IMC '03.

[11]  J. Gregory Steffan,et al.  Composing Multi-Ported Memories on FPGAs , 2014, TRETS.

[12]  Minlan Yu,et al.  Software Defined Traffic Measurement with OpenSketch , 2013, NSDI.

[13]  Gregory T. Byrd,et al.  High-throughput sketch update on a low-power stream processor , 2006, 2006 Symposium on Architecture For Networking And Communications Systems.

[14]  Christopher R. Clark,et al.  Scalable pattern matching for high speed networks , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[15]  M. V. Ramakrishna,et al.  Efficient Hardware Hashing Functions for High Performance Computers , 1997, IEEE Trans. Computers.

[16]  Natalie D. Enright Jerger,et al.  Efficient and programmable ethernet switching with a NoC-enhanced FPGA , 2014, 2014 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS).

[17]  George Varghese,et al.  New directions in traffic measurement and accounting , 2002, CCRV.

[18]  Danny Wen-Yaw Chung,et al.  A hardware-accelerated infrastructure for flexible sketch-based network traffic monitoring , 2016, 2016 IEEE 17th International Conference on High Performance Switching and Routing (HPSR).

[19]  S. Muthukrishnan,et al.  One-Pass Wavelet Decompositions of Data Streams , 2003, IEEE Trans. Knowl. Data Eng..

[20]  Hargyo Tri Nugroho,et al.  Implementing On-line Sketch-Based Change Detection on a NetFPGA Platform , 2010 .

[21]  Gustavo Alonso,et al.  A flexible hash table design for 10GBPS key-value stores on FPGAS , 2013, 2013 23rd International Conference on Field programmable Logic and Applications.

[22]  Sudipto Guha,et al.  Fast, small-space algorithms for approximate histogram maintenance , 2002, STOC '02.

[23]  Graham Cormode,et al.  An improved data stream summary: the count-min sketch and its applications , 2004, J. Algorithms.

[24]  Viktor K. Prasanna,et al.  Enabling High Throughput and Virtualization for Traffic Classification on FPGA , 2015, 2015 IEEE 23rd Annual International Symposium on Field-Programmable Custom Computing Machines.

[25]  Baohua Yang,et al.  Practical Multituple Packet Classification Using Dynamic Discrete Bit Selection , 2014, IEEE Transactions on Computers.

[26]  Viktor K. Prasanna,et al.  High throughput and programmable online trafficclassifier on FPGA , 2013, FPGA '13.