SDN 交 換 機 核 心 技 術 - 流 量 分 類 以 及 應 用 辨 識 技 術. 黃 能 富 教 授 國 立 清 華 大 學 特 聘 教 授, 資 工 系 教 授 nfhuang@cs.nthu.edu.tw

Transcription

1 SDN 交 換 機 核 心 技 術 - 流 量 分 類 以 及 應 用 辨 識 技 術 黃 能 富 教 授 國 立 清 華 大 學 特 聘 教 授, 資 工 系 教 授 nfhuang@cs.nthu.edu.tw

2 Contents Introduction to SDN Networks Key Issues of SDN Switches Machine Learning Based Applications Classification Cloud + MLAC + SDN networks Demo (Video) Conclusions 2 / 41

3 Today s routers Routing, management, mobility management, access control, VPNs, Feature Feature OS Custom Hardware Million of lines of source code Billions of gates 6,000 RFCs Bloated Power Hungry Vertically integrated, complex, closed, proprietary Networking industry with mainframe mindset 3 / 41

4 What SDN really is App App App App App App App App App App App Specialized Features Specialized Control Plane Specialized Hardware Control Open Interface Control Plane Plane or or Open Interface Merchant Switching Chips Control Plane Vertically integrated Closed, proprietary Slow innovation Horizontal Open interfaces Rapid innovation 4 / 41

5 OpenFlow Switching OpenFlow Switch specification OpenFlow Switch Controller PC sw Secure Channel hw Flow Table The Stanford Clean Slate Program 5 / 41

6 Flow Table Entry Type 0 OpenFlow Switch Rule Action Stats Packet + byte counters 1. Forward packet to port(s) 2. Encapsulate and forward to controller 3. Drop packet 4. Send to normal processing pipeline Switch Port + mask MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot TCP sport TCP dport The Stanford Clean Slate Program 6 / 41

7 Applications for SDN Networks QoS management Security management Network management BYOD management 7 / 41

8 Contents Introduction to SDN Networks Key Issues of SDN Switches Machine Learning Based Applications Classification Cloud + MLAC + SDN networks Demo (Video) Conclusions 8 / 41

9 Key issues in SDN switches Fast and Accurate Flow Classification Fast SDN Switching Fabric with TCAM based flow table (TACM lookup) Accurate Flow table with accurate flow signatures But only Layer-4 fields are designed in the standard flow table of OpenFlow SDN switches Good for port-based applications FTP (TCP/20-21), DNS (UDP/53), Telnet (TCP/23), Http (TCP/80) Not good enough for port-changing applications P2p sharing, On-line Games, Skype, BT, 9 / 41

10 Key issues in SDN switches We can either classify the traffic with Deep Packet Inspection (DPI) technology High Accuracy But need to maintain the signatures dynamically Unable to classify the encrypted flow Not practical for cloud based platform Or we can use Machine Learning based approach Use statistical attributes of flows to achieve high accuracy identification Without inspecting the packet payload Practical for cloud based platform as only statistical attributes are forwarded to the cloud. 10 / 41

11 Examples of Statistical Attributes MSN login HTTP GET 11 / 41

12 Contents Introduction to SDN Networks Key Issues of SDN Switches Machine Learning Based Applications Classification Cloud + MLAC + SDN networks Demo (Video) Conclusions 12 / 41

13 A Cloud based Applications Classification Service Platform with Machine Learning Algorithms for SDN Networks 基 於 機 器 學 習 演 算 法 之 雲 端 應 用 辨 識 服 務 平 台 與 SDN 網 路 應 用 13 / 41

14 14 / 41

15 Architecture of Traffic Classification Service on Cloud Machine learning virtual machine (LVM) Running training service Classifier virtual machine (CVM) Running classification service LVM management server LVM assignment and monitoring CVM management server CVM assignment and monitoring Client (PCs running the traffic classification client) Computing the statistical attributes of each flow Retrieving the training/classification service. 15 / 41

16 The used machine learning tools-weka Weka -Waikato Environment for Knowledge Analysis (running on single PC/NB) A JAVA-based open source software suite that collects machine learning algorithms for data mining tasks Four kinds of interface Explore: To see data distribution and apply ML algorithm directly. Experimenter: Batch modes for running training-testing evaluation Knowledge Flow: To combine the different ML algorithms component as graph-based processing flow CLI: Command Line Interface 16 / 41

17 The Training Procedure Service instance (server) Rule DB 6 5 Training Machine Learner VM Learner VM Management Server User s PC running training program 17 / 41

18 The Training Service Requesting the training service 1. Client LVM management server LVM assignment 2. Checking the loading and status of each service instance on the LVM 3. IP address & port number of LVM (LVM Management Server Client ) 18 / 41

19 Training The Training Service 4. Training Data (attributes of each flow to train): Client LVM 5.Training phase Training Results 6. Storing the rules (LVM Rule DB) 7. Training result (e.g. number of rules.) Attributes: Two way communications, packet size, packet number, packet time interval, download rate, upload rate,, etc 19 / 41

20 Traffic Classification Procedure Rule Service DB instance (server) 3 3 Machine Learner VM Learner VM Management Server Network Manager s PC with mirrored network traffic 20 / 41

21 Traffic Classification Procedure (cont.) Service instance (server) Rule DB Machine Learner VM Learner VM Management Server Network Manager s PC 21 / 41

22 The Traffic Classification Procedure Requesting the classification service 1. Client CVM management server CVM assignment 2. Checking the loading and status of each service instance on the CVM 3. Loading the classification rules from DB. (Rule DB CVM) 4. CVMs IP address & port number (CVM Management Server Client ) 22 / 41

23 The Traffic Classification Procedure Classification 5. Sending the attributes of flows to classify Client CVMs 6. Receiving the classification result (application id) CVMs Client 23 / 41

24 Client Program for Training 3. Flow attribute computation Flow Processing 2. Header fields & payload Signatur e/port Matching Process- Port Mapping 4. payload inspection or port number mapping 1. Network traffic Packet Decoding Training Data Management Cloud Communication 5. Training data collection 6. Training request 7. VM IP 8. Training data 9. Training result Training SaaS Learner VM Management Server Learner VM 24 / 41

25 Implementation: Client Program Modules Packet decoding module decoding the packet header fields Flow processing module computing flow attributes managing the flow table for storing the flow attributes Signature/port matching and process-port mapping modules (only for training) To identify the original background truth ( Training label). User can choose the signature/port matching or processport mapping as the module to find the original application class for each flow. 25 / 41

26 Implementation: Client Program Modules Training data management module (only for training) collecting the attributes of flows to form the training data set. The cloud communication module Client LVM/CVM Management server Client LVM/CVM 26 / 41

27 The client program (Training) 27 / 41

28 Client Program for Classification 3.. Flow attribute computation Flow Processing 2. Header fields & payload 1. Network traffic Packet Decoding Cloud Communication 4. Flow attributes 5. Classification request 6. VM IP 7. Flow attributes Classifier SaaS Classifier VM Management Server 8. Classification result Classifier VM 28 / 41

29 LVM and CVM management server (Cloud) Machine learning/classifier VM management server graphic user interface (GUI) VM monitoring/closing/opening module The cloud communication module in the LVM and CVM management server 29 / 41

30 Program modules of LVM and CVM (Cloud) The training/classification modules The cloud communication module in the LVM or CVM Grid-based machine learning tools/framework The implementation of the machine learning algorithms on grid environment. 30 / 41

31 Learning VM Management Server Machine Learning VM Management GUI Client Program for Training Learner VM Training request VM IP VM control response Cloud Commu - nication Training request VM IP VM control response VM status VM Monitoring/Closing/ Opening Learning VM Management Server 31 / 41

32 Learning VM Rule DB Store Rules Training data Rules Training Training data Client Program for Training Training result Cloud Commu nication Training result Rules Training parameters & data Grid-based Machine Learning Tools/Framework 32 / 41

33 Classifier VM Management Server Classifier VM Management GUI Classification request Client Program for Classification VM IP Classifier VM VM control response Cloud Commu - nication Classification request VM IP VM control response VM status VM Monitoring/Clo sing/opening 33 / 41

34 Classifier VM Rule DB Load Rules Flow attributes Client Program for Classification Flow application ID Cloud Commu - nication Flow attributes Rules Flow application ID Classification Flow attributes Grid-based Machine Learning Tools/Framework Flow application ID 34 / 41

35 Contents Introduction to SDN Networks Key Issues of SDN Switches Machine Learning Based Applications Classification Cloud + MLAC + SDN networks Demo (Video) Conclusions 35 / 41

36 Cloud + MLAC + SDN (Training) Rule server Cloud (Hicloud) VM Management Server Flow Classifier SDN Controller SDN Switch (Pica8) 36 / 41

37 Cloud + MLAC + SDN (Classification/Management) Rule server Cloud (Hicloud) VM Management Server Flow Classifier Flows SDN Controller Flows SDN Switch (Pica8) 37 / 41

38 Contents Introduction to SDN Networks Key Issues of SDN Switches Machine Learning Based Applications Classification Cloud + MLAC + SDN networks Demo (Video) Conclusions 38 / 41

39 Demo of Applications Training (Video) Demo of Applications Classification and Management with SDN Switch (Video) 39 / 41

40 Conclusions and future works The key issues of SDN networks include fast and accurate flow classification schemes The current SDN switches only support layer-4 flow table. A new service framework of applications classification for SDN networks Cloud based for scalability, reliability Machine Learning based for light communications Global collected application attributes (statistical signatures) database. Early stage application management Currently, this platform is still only a prototype, more training clients need to be installed (the client training software will be released later) to learn the worldwide applications as complete as possible. The accurate of the training and classification of this platform (currently around 80-98% of accuracy) needs also to be enhanced by tuning the machine learning model. 40 / 41

41 未 來 展 望 建 立 全 球 最 完 整 之 網 路 應 用 軟 體 統 計 特 徵 資 料 庫 開 放 式, 眾 志 成 城 (more PCs to run applications) 與 雲 端 平 台 業 者 組 織 合 作 佈 建 此 資 料 庫 (for millions of applications) 可 動 態 擴 增 之 雲 端 應 用 軟 體 訓 練 虛 擬 機 器 (scalable) 可 動 態 擴 增 之 雲 端 應 用 軟 體 辨 識 虛 擬 機 器 (scalable) 提 供 全 球 網 路 應 用 軟 體 即 時 辨 識 服 務 (SaaS) 搭 配 SDN 網 路 提 供 加 值 服 務 QoS, Security, Network Management,, etc 臺 灣 學 術 網 路 或 校 園 網 路 示 範 建 置 41 / 41

42