Results 1 - 10 of 14
Towards highly reliable enterprise network services via inference of multi-level dependencies
- In SIGCOMM, 2007
Cited by 82 (7 self)
Localizing the sources of performance problems in large enterprise networks is extremely challenging. Dependencies are numerous, complex and inherently multi-level, spanning hardware and software components across the network and the computing infrastructure. To exploit these dependencies for fast, accurate problem localization, we introduce an Inference Graph model, which is well adapted to user-perceptible problems rooted in conditions giving rise to both partial service degradation and hard faults. Further, we introduce the Sherlock system to discover Inference Graphs in the operational enterprise, infer critical attributes, and then leverage the result to automatically detect and localize problems. To illuminate strengths and limitations of the approach, we provide results from a prototype deployment in a large enterprise network, as well as from testbed emulations and simulations. In particular, we find that taking into account multi-level structure leads to a 30% improvement in fault localization, as compared to two-level approaches.
Floodless in SEATTLE: A scalable Ethernet architecture for large enterprises
- In SIGCOMM, 2008
Cited by 52 (6 self)
IP networks today require massive effort to configure and manage. Ethernet is vastly simpler to manage, but does not scale beyond small local area networks. This paper describes an alternative network architecture called SEATTLE that achieves the best of both worlds: the scalability of IP combined with the simplicity of Ethernet. SEATTLE provides plug-and-play functionality via flat addressing, while ensuring scalability and efficiency through shortest-path routing and hash-based resolution of host information. In contrast to previous work on identity-based routing, SEATTLE ensures path predictability and stability, and simplifies network management. We performed a simulation study driven by real-world traffic traces and network topologies, and used Emulab to evaluate a prototype of our design based on the Click and XORP open-source routing platforms. Our experiments show that SEATTLE efficiently handles network failures and host mobility, while reducing control overhead and state requirements by roughly two orders of magnitude compared with Ethernet bridging.
A First Look at Modern Enterprise Traffic
- In Proc. Internet Measurement Conference, 2005
Cited by 49 (8 self)
While wide-area Internet traffic has been heavily studied for many years, the characteristics of traffic inside Internet enterprises remain almost wholly unexplored. Nearly all of the studies of enterprise traffic available in the literature are well over a decade old and focus on individual LANs rather than whole sites. In this paper we present a broad overview of internal enterprise traffic recorded at a medium-sized site. The packet traces span more than 100 hours, over which activity from a total of several thousand internal hosts appears. This wealth of data, which we are publicly releasing in anonymized form, spans a wide range of dimensions. While we cannot form general conclusions using data from a single site, and clearly this sort of data merits additional in-depth study in a number of ways, in this work we endeavor to characterize a number of the most salient aspects of the traffic. Our goal is to provide a first sense of ways in which modern enterprise traffic is similar to wide-area Internet traffic, and ways in which it is quite different.
T.: Traffic aggregation for malware detection
- 2007
Cited by 17 (1 self)
Stealthy malware, such as botnets and spyware, are hard to detect because their activities are subtle and do not disrupt the network, in contrast to DoS attacks and aggressive worms. Stealthy malware, however, does communicate to exfiltrate data to the attacker, to receive the attacker’s commands, or to carry out those commands. Moreover, since malware rarely infiltrates only a single host in a large enterprise, these communications should emerge from multiple hosts within coarse temporal proximity to one another. In this paper, we describe a system called TĀMD (pronounced “tamed”) with which an enterprise can identify candidate groups of infected computers within its network. TĀMD accomplishes this by finding new communication “aggregates” involving multiple internal hosts, i.e., communication flows that share common characteristics. We describe characteristics for defining aggregates—including flows that communicate with the same external network, that share similar payload, and/or that involve internal hosts with similar software platforms—and justify their use in finding infected hosts. We also detail efficient algorithms employed by TĀMD for identifying such aggregates, and demonstrate a particular configuration of TĀMD that identifies new infections for multiple bot and spyware examples, within traces of traffic recorded at the edge of a university network. This is achieved even when the number of infected hosts comprises only about 0.0097% of all internal hosts in the network.
Revisiting Ethernet: plug-and-play made scalable and efficient
- IEEE LANMAN, 2007
Cited by 8 (3 self)
Because Ethernet bridging does not scale, most enterprise networks consist of small Ethernet-based subnets interconnected by IP routers. Although Ethernet’s flat addressing and transparent bridging allow each subnet to run with minimal configuration, interconnecting subnets at the IP level introduces significant management overhead that increases with the size of the network. As an alternative, we propose a scalable and efficient zero-configuration enterprise (SEIZE) networking architecture. SEIZE provides plug-and-play capability via globally unique flat addressing, while ensuring scalability and efficiency through shortest-path routing and hash-based location resolution. Switches perform location resolution on demand and can cache the results to optimize routing paths and to reduce the number of location-resolution requests. We present a design overview of SEIZE and show that it attains the best of Ethernet and IP.
Email Communities of Interest
Cited by 7 (0 self)
Email has become an integral and sometimes overwhelming part of users’ personal and professional lives. In this paper, we measure the flow and frequency of user email toward the identification of communities of interest (COI): groups of users that have a common bond. If detectable, such associations will be useful in automating email management, e.g., topical classification, flagging important missives, and SPAM mitigation. An analysis of a large corpus of university email is used to drive the generation and validation of algorithms for automatically determining COIs. We examine the effect of the structure and transience of COIs with the algorithms and validate algorithms using user-labeled data. Our analysis shows that the proposed algorithms correctly identify email as being sent from the human-identified COI with high accuracy. The structure and characteristics of COIs are explored analytically and broader conclusions about email use are posited.
Discovering dependencies for network management
- In Proc. V HotNets Workshop, 2006
Cited by 7 (1 self)
This paper presents the Leslie Graph, a simple yet powerful abstraction describing the complex dependencies between network, host and application components in modern networked systems. It discusses challenges in the discovery of Leslie Graphs, their uses, and describes two alternate approaches to their discovery, supported by some initial feasibility results.
PRIMED: community-of-interest-based DDoS mitigation
- In Proceedings of the 1st Workshop on Large-Scale Attack Defence (LSAD), 2006
Cited by 6 (4 self)
Most existing distributed denial-of-service (DDoS) mitigation proposals are reactive in nature, i.e., they are deployed to limit the damage caused by attacks after they are detected. In contrast, we present PRIMED, a proactive approach to DDoS mitigation that allows users to specify to their ISP a priori their (dis)interest in receiving traffic from particular network entities. Our solution employs communities of interest (COIs) to capture the collective past behavior of remote network entities and uses them to predict future behavior. Specifically, ISPs construct a network-wide bad COI that contains network entities who exhibited unwanted behavior in the past, and per-customer good COIs containing remote network entities that have previously engaged in legitimate communication with the customer. Our system uses these derived sets together with customer-specific policies to proactively mitigate DDoS attacks using existing router mechanisms. Indeed, preliminary lab testing shows that our approach is deployable on modern edge router platforms without degrading packet forwarding performance. This implies that our approach offers DDoS protection at a truly massive scale, i.e., every customer access link. Simulation results show that our approach improves protection against 91–93% of actual DDoS attacks on real customers—providing complete protection against 38–53% of such attacks—while slightly increasing vulnerability in only 5–7% of attacks.
Parallel programming with object assemblies
- In OOPSLA, 2009
Cited by 4 (1 self)
We present Chorus, a high-level parallel programming model suitable for irregular, heap-manipulating applications like mesh refinement and epidemic simulations, and JChorus, an implementation of the model on top of Java. One goal of Chorus is to express the dynamic and instance-dependent patterns of memory access that are common in typical irregular applications. Its other focus is locality of effects: the property that in many of the same applications, typical imperative commands only affect small, local regions in the shared heap. Chorus addresses dynamism and locality through the unifying abstraction of an object assembly: a local region in a shared data structure equipped with a short-lived, speculative thread of control. The thread of control in an assembly can only access objects within the assembly. While objects can migrate from assembly to assembly, such migration is local—i.e., objects only move from one assembly to a neighboring one—and does not lead to aliasing. Programming primitives include a merge operation, by which an assembly merges with an adjacent assembly, and a split operation, which splits an assembly into smaller ones. Our abstractions are race and deadlock-free, and inherently data-centric. We demonstrate that Chorus and JChorus allow natural programming of several important applications exhibiting irregular data-parallelism. We also present an implementation of JChorus based on a many-to-one mapping of assemblies to lower-level threads, and report on preliminary performance numbers.
Programming with Sociable Resources
We present a model for shared-memory parallel programming that makes shared objects (“resources”) the drivers of heap-manipulating parallel computations. The model aims to syntactically capture patterns of spatial locality in heap updates and to express the maximum amount of logical parallelism in computations. To achieve this, we take a “resources’-eye” view of parallel operations on the heap. Resources are now viewed as active entities arranged in a network that is the heap. While they actively change their data content and links to other resources, each change is local and restricted to a spatial “neighborhood”. Global computations are phrased as massively parallel compositions of these local operations. Our programming abstractions include operations that merge neighboring resources into larger resources and split complex resources into simpler ones. These abstractions are composable and directly encode heap-allocated data structures and spatial separation among resources. The model is data-race free even though it does not explicitly use locks. We demonstrate that the model allows easy, and easily parallelizable, programming of several important applications exhibiting irregular data-parallelism. In particular, it faithfully expresses the parallelism inherent in many natural processes and thus seems ideal for scientific and multimedia applications modeling them.

