Adaptive Load-Aware Sampling for Network Monitoring on Multicore Commodity Hardware

TL;DR

This paper introduces an adaptive sampling algorithm for network traffic monitoring that dynamically adjusts to traffic volume and processing capacity, optimizing DPI system performance on multicore hardware.

Contribution

It presents a novel adaptive sampling method that improves network traffic analysis efficiency by aligning sampling rates with current traffic and processing capabilities.

Findings

Effective on a 10G link with real traffic

Enhances DPI system throughput and accuracy

Compatible with multicore hardware setups

Abstract

Many current traffic monitoring systems employ deep packet inspection (DPI) in order to analyze network traffic. These systems include intrusion detection systems, software for network traffic accounting, traffic classification, or systems for monitoring service-level agreements. Traffic volumes and link speeds of current enterprise and ISP networks transform the process of inspecting traffic payload into a challenging task. In this paper we propose a novel adaptive sampling algorithm that selects the maximum number of packets from the network that the DPI system is able to consume. Our algorithm adapts its sampling rate according to the network traffic currently observed, and the number of packets that a monitoring application is able to process. It can be used in conjunction with current multicore-aware network traffic analysis setups, which allow for exploiting current multi-core hardware. We show the applicability of our algorithm with live-tests on a heavily used 10G link with real network monitoring tools.