University of Massachusetts, Amherst, Department of Computer Science
Hyperion: High Volume Stream Archival for Retrospective Querying
Peter Desnoyers and Prashant Shenoy, University of Massachusetts

Packet monitoring with history
Packet monitor: capture and search packet headers
  E.g.: Snort, tcpdump, Gigascope
... with history: capture, index, and store packet headers; interactive queries on stored data
Provides new capabilities:
  Network forensics: when was a system compromised? From where? How?
  Management: after-the-fact debugging
(Figure: monitor feeding storage)

Challenges
Speed
  Storage rate, capacity: store data without loss, retain it long enough
  Queries: must search millions of packet records
  Indexing in real time: for online queries
Commodity hardware
For each link monitored: 1 Gbit/s x 80% ÷ 400 B/pkt = 250,000 pkts/s

Existing approaches

                                                 Event rates   Archive   Index, query   Commodity HW
Streaming query systems (GigaScope, Bro, Snort)  Yes           No        No             Yes
Peer-to-peer systems (MIND, PIER)                No            Yes       Yes            Yes
Conventional DBMS                                No            Yes       Yes            Yes
CoMo                                             Yes           Yes       No             Yes
Proprietary systems*                             ?             Yes       Yes            No
*Niksun NetDetector, Sandstorm NetInterceptor

Packet monitoring with history requires a new system.

Outline of talk
Introduction and Motivation
Design
Implementation
Results
Conclusions

Hyperion Design
Multiple monitor systems
High-speed storage system
Local index
Distributed index for query routing
(Figure: a Hyperion node: monitor/capture, storage, index, distributed index)

Storage Requirements
Real-time: writes must keep up or data is lost
Prioritized: reads shouldn't interfere with writes
Aging: old data replaced by new
Stream storage shows different behavior:

Behavior: Typical app. vs. Hyperion
                   Typical app      Hyperion
Likely deletes     Newest files     Oldest data
File size          Random, small    Streaming
Sequential reads   yes              no

Packet monitoring is different from typical applications

Log structured stream storage
Goal: minimize seeks despite interleaved writes on multiple streams
Log-structured file system minimizes seeks:
  Interleave writes at advancing frontier
  Free space collected by segment cleaner
(Figure: disk position with writes 1: A, 2: C, 3: A, 4: B appended at the write frontier)
But: general-purpose segment cleaner performs poorly on streams

Hyperion StreamFS
How to improve on a general-purpose file system?
  Rely on application use patterns
  Eliminate un-needed features
StreamFS: log structure with no segment cleaner.
  No deletes (just over-write)
  No fragmentation
  No segment cleaning overhead
Operation:
  Write fixed-size segment
  Advance write frontier to next segment ready for deletion, skipping those that are not

StreamFS Design
Record: single write, packed into:
Segment: fixed-size, single stream, interleaved into:
Region: contains:
  Region map: identifies segments in region; used when write frontier wraps
Directory: locate streams on disk
(Figure: on-disk layout: region map, record, segment, region, directory entry Stream_A, ...)

StreamFS optimizations
Data retention: control how much history is saved; lets the filesystem make delete decisions
Speed balancing: worst-case speed is set by the slowest tracks. Solution: interleave fast and slow sections, so the worst-case speed is now set by the average track
(Figure: new data written into a reservation; old data is deleted)

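As an added example, not code from StreamFS or the talk, a small Python model of the write-frontier policy described on the StreamFS, StreamFS Design and StreamFS optimizations slides: records are packed into fixed-size segments, a region map records which stream owns each segment, a directory maps each stream to its segments, and the frontier advances with no segment cleaner, wrapping around the disk and skipping any segment its stream still needs. The per-stream reservation rule (retain at least N segments), the class and method names, and the write schedule are assumptions made for this illustration.

```python
class StreamFS:
    def __init__(self, n_segments, seg_size):
        self.seg_size = seg_size
        self.region_map = [None] * n_segments   # slot -> (stream, records) or None
        self.frontier, self.skipped = 0, 0
        self.directory = {}   # stream -> list of its slots, oldest first
        self.reserve = {}     # stream -> segments to retain (assumed retention rule)
        self.pending = {}     # stream -> records not yet packed into a segment

    def create(self, stream, reserve_segments):
        self.directory[stream] = []
        self.reserve[stream] = reserve_segments
        self.pending[stream] = []

    def _next_slot(self):
        # Advance the frontier, skipping reserved segments: no cleaner, nothing copied.
        for _ in range(len(self.region_map)):
            slot, self.frontier = self.frontier, (self.frontier + 1) % len(self.region_map)
            owner = self.region_map[slot]
            if owner is None or len(self.directory[owner[0]]) > self.reserve[owner[0]]:
                return slot   # free, or its stream already holds more than it reserved
            self.skipped += 1
        raise RuntimeError("every segment is reserved; disk too small for the reservations")

    def write(self, stream, record):
        self.pending[stream].append(record)
        if len(self.pending[stream]) < self.seg_size:
            return                                  # segment not full yet
        slot = self._next_slot()
        old = self.region_map[slot]
        if old is not None:
            self.directory[old[0]].remove(slot)     # that stream's oldest data is gone
        self.region_map[slot] = (stream, self.pending[stream])
        self.directory[stream].append(slot)
        self.pending[stream] = []

    def history(self, stream):
        return [self.region_map[s][1] for s in self.directory[stream]]

def demo():
    fs = StreamFS(n_segments=4, seg_size=2)       # constructed: 4 segments of 2 records
    for stream, reserve in (("A", 2), ("B", 1)):
        fs.create(stream, reserve)
    for n, who in enumerate("ABAABABB"):          # constructed write order, one full segment each
        for i in range(2):
            fs.write(who, f"{who}{n}.{i}")
    return fs
```

In the demo the eighth segment finds A's segment in slot 3 still under reservation, skips it, wraps, and overwrites B's oldest segment instead, so each stream keeps exactly the history it reserved.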