a software design and algorithms for multicore capture in data center forensics

.

On the Way IN: DC Forensics

M.Zhanikeev -- [email protected] -- Design and Algorithms for Multicore Capture in Data Center Forensics-- http://bit.do/marat140603 -- 2/28...

2/28

.

Forensics Basics

.(traditional) Forensics Stages.....

.... are collection, examination, analysis, and reporting

• many challenges in data centers

• collection: realtime is really really really difficult

• examiation: you can't examine what you can't collect, also flexibility is important

• analysis: deeper form of examination, same problems

• reporting: that part is actually easy, but DCs have no standards◦ one standard is offered later in this presentation


3/28

.

Forensics : All is Traffic

.Statement..

.All information in data centers can be reduced to the traffic form• logs are information carried on packets

• logging, storage, etc. are distributed -- have to be communicate usingtraffic

• a corrolary: if something is not traffic, it might be useful to convert it intotraffic


4/28

.

Practical DC Forensics

• we wantDeep Packet Inspection (DPI) back on the table

• we want to not use sampling, but capture everything• we want to differentiate attention spent to different classes oftraffic◦ called context-based sampling◦ probability of capture/inspection depends on current context

• note: all these are gradually removed from practice for infeasibility


5/28

.

Conventional Multicore


6/28

.

Generic Multicore Design


7/28

.

Generic Multicore Capture

• 2 roles: manager andcore

• traditional parallelprocessing: messagepassing or sharedmemory 05 06

05 M.Aldinucci+2 "FastFlow: Efficient Parallel Streaming Applications on Multi-core" U.Pisa Techreport (2009)

06 R.Brightwell "Workshop on Managed Many-Core Systems" 1st Managed Many-Core Systems (2008)


8/28

.

Conventional Shortcomings.Reality is.....

.

... that traditional parallel processing designs are extremely inefficienton multicore

• overhead from parallelization is too high

• unit of processing is too small

• streamline designs are rare but are recently discussed in BigData 08

.The solution is.....

.... to use a lockfree (message-less) parallelization design

08 R.Chen+2 "Tiled-MapReduce: Optimizing Resource Usages ... on Multicore with Tiling" 19th PACT (2010)


9/28

.

Conventional → Proposed

• spawn, but don't wait to merge

• collect results form corescontinuously to avoid lumps

• get used to not being able tocommunicate to cores (nomessages)◦ relatively short tasks diminish this

effect 02

02

myself+0 "Experiments with Practical On-Demand Multi-Core

Packet Capture" APNOMS (2013)


10/28

.

Proposal : the New Multicore


11/28

.

Proposal : Mission Statement

.Proposal Components..

.

• lockfree design

• tasks-into-cores packing problem and optimization

• implementation that support lockfree design

• remember: the easiest way to aggregate traffic is to use IP address prefixes• again, generic, so we do not care about the contents


12/28

.

Proposal : Shared Memory

• communication happens over

shared memory04

• C/C++ implementationis common, but will work inother languages as well

• shared memory is persistent,but cores come and go

04 K.Michael "The Linux Programming Interface" No Starch Press (2010)


13/28

.

Proposal : DLL is Key.DLL stands for.....

.... Double Linked List• common in C/C++designs

• extremely flexible --you can swapelements byreassigning pointers

• sidewaysDLL is a methodto avoid collisions inhashing


14/28

.

Optimization


15/28

.

Optimization Targets

• few cores, many data units• need to pack latter into former

• moreover: scheduling problem, which is packing but along the timeline

• moreover(2) : when packing, do you randomize input or not -- hashing


16/28

.

Prefix Packing Problem

minimize w1count(P) + w2max(M) + w3var(C)

subject of k1 < pi < k2 ∀ pi ∈ P.

Hashkey - 32 bits 0 -

k1 (shortest) k2

(longest)

Effective range

Core0 Core1 Core2 …

p (prefix)

p1 p3

p2 p4 p5 p6 p8

p7 m (max)

n

Prefix Packing Problem

• prefix length between k1 and k2s◦ hashkey or raw◦ fixed in each run in this paper

• pi is a pack (group) of items

• n total items, mapped to set M ofprefixes in each of m cores

• C a set of item counts c acrossprefixes,


17/28

.

Prefix Packing GA Heuristic

• Generic Algorithm (GA) 12

• chromosome is a tuple of prefixes packed into one core

gi = ⟨pi,1, pi,2, ..., pi,m⟩. (1)

• one gene (whole solution) is a tuple containing all chromosomes

Gj = ⟨g1, g2, ..., gn⟩. (2)

12 D.Knysh+1 "Parallel Genetic Algorithms: a Survey and Problem State of the Art" IJCSS (2010)


18/28

.

Analysis


19/28

.

Analysis Setup

• actual packet traces -- trace-based simulation 16

• input: 2 cases -- hashing verus raw

• items are individual packets◦ packets arepacked into prefixes◦ prefixes arepacked into cores

• the above GA optimization heuristic

16 myself "MAWI Working Group Traffic Archive" http://mawi.wide.ad.jp/mawi (2014)


20/28

.

Analysis (1) Cores

0 1 2 3 4 5 6 7 8 9Time sequence

4.64.74.84.9

55.15.25.35.45.5

log(

max

item

cou

nt /

cor

e) 1 core

2 cores

3 cores4 cores

5 cores6 cores

7 cores


21/28

.

Analysis (2) Hashing

0 0.2 0.4 0.6 0.8 1Increasing cutoff parameter

0

40

80

120

160

200

240

Num

ber o

f uni

que

pref

ixes

hashedraw


22/28

.

Forensics 2.0


23/28

.

Forensics 2.0• reporting part: let's use sketches from data streaming 11

Core 1

Core 1

Core X

TABID Manager

Now(replay)

….

BIG DATA TIMELINE Cursor

Time Direction

One Sketch One Sketch One Sketch Start End End End

Read/prepare

Shared Memory

Start

11 M.Sung+3 "Scalable and Efficient Data Streaming Algorithms for Detecting Common Content..." ICDE (2006)M.Zhanikeev -- [email protected] -- Design and Algorithms for Multicore Capture in Data Center Forensics-- http://bit.do/marat140603 -- 24/28

...

24/28

.

Wrapup

• a natively multicore technology is proposed

• performance is opitimized using a packing heuristic• raw input is found to be preferable to randomization

• future topics:1. variable-length prefixes2. optimization along the timeline3. jitter minimization (fewer reasignments)4. further lookup optimiation -- fast hashing


25/28

.

That’s all, thank you ...


26/28

.

[01] myself+0 (2013)...community-based architecture for measuring E2E QoS at DCcIJCSE

[02] myself+0 (2013)Experiments with Practical On-Demand Multi-Core Packet CaptureAPNOMS

[03] myself+1 (2013)A Graphical Method for Detection of Flash Crowds in TrafficTelecom. Systems (TM)

[04] K.Michael (2010)The Linux Programming InterfaceNo Starch Press

[05] M.Aldinucci+2 (2009)FastFlow: Efficient Parallel Streaming Applications on Multi-coreU.Pisa Techreport


26/28

.

[06] R.Brightwell (2008)Workshop on Managed Many-Core Systems1st Managed Many-Core Systems

[07] X.Sui+3 (2010)Parallel Graph Partitioning on Multicore Architectures23rd LCPC

[08] R.Chen+2 (2010)Tiled-MapReduce: Optimizing Resource Usages ... on Multicore with Tiling19th PACT

[09] I.Machdi+2 (2009)Executing parallel TwigStack algorithm on a multi-core system11th IIWAS

[10] S.Stoichev+1 (2009)Parallel Algorithm for Integer Sorting with Multi-Core ProcessorsIT and Control

[11] M.Sung+3 (2006)M.Zhanikeev -- [email protected] -- Design and Algorithms for Multicore Capture in Data Center Forensics-- http://bit.do/marat140603 -- 26/28

...

26/28

.

Scalable and Efficient Data Streaming Algorithms for Detecting Common Content...ICDE

[12] D.Knysh+1 (2010)Parallel Genetic Algorithms: a Survey and Problem State of the ArtIJCSS

[13] Luca Deri (2009)Modern Packet Capture and Analysis: Multi-Core, Multi-Gigabit, and BeyondIM

[14] myself (2014)MCoreMemory project pagehttps://github.com/maratishe/mcorememory

[15] myself (2013)Rings-on-Cores project pagehttps://github.com/maratishe/ringsNcores

[16] myself (2014)MAWI Working Group Traffic Archive


26/28

.

http://mawi.wide.ad.jp/mawi


27/28

.

Extras (1) Per-Unit Cost

Hashing

Increasing Per-Unit Cost

Manager

Prefix Matching

Cores that do not match

Process

Stage 1 Stage 2 Stage 3


27/28

.

Extras (2) Share Memory Trick


28/28

a software design and algorithms for multicore capture in data center forensics

Technology

data center forensics

generic multicore design

generic multicore capture

multicore overhead

new multicore

parallelization design

forensics basics

lockfree design tasks