Communication-Efficient Distributed Monitoring of Thresholded Counts Ram Keralapura, UC-Davis

Graham Cormode, Bell Labs
Jai Ramamirtham, Bell Labs

Introduction

Monitoring is critical to managing distributed networked systems
Main challenges:
  Continuous
  Distributed
  Resource-constrained environments
June 28, 2006
Ram Keralapura, UCDavis
Thresholded Counts

New fundamental class of problems
“Tracking counts for an event beyond a given threshold value with user-specified accuracy”
Motivating scenarios:
  Total # of connections to a server when it exceeds the normal operational condition (e.g., DDoS attacks)
  Total traffic to a particular destination prefix when it exceeds the pre-defined limit
  Tracking the total number of cars on a highway
Thresholded Counts (cont’d)

Two key properties


Threshold value
User specified tracking accuracy
0  Nˆ  T when N  T
(1   ) N  Nˆ  N when N  T
System Architecture

m remote sites (or monitors) and a coordinator site (or central node)
Non-continuous updates
Counts can be positive, negative, or fractional
Ignore network delays and losses
Local thresholds at remote sites
[Figure: Remote Site 1, Remote Site 2, Remote Site i, Remote Site m and the Coordinator Site (Central Node); labels cv,1, cv,2, cv,i, cv,m]
Approach


Every remote monitor i maintains a set of local thresholds: $t_{i,j},\ j = 0, 1, 2, \ldots$
Local count at monitor i should always lie between two neighboring thresholds:
$t_{i,f(i)} \le N_i < t_{i,f(i)+1}$

Global estimate at the central node: $\hat{N} = \sum_{i=1}^{m} t_{i,f(i)}$
Approach (cont’d)

Maximum error in the global estimate should
satisfy:
m
0
 (t
i,f (i ) 1
 ti,f (i ) )  N when N  T
i 1

Two methods to set local thresholds


Static thresholding
Adaptive thresholding
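
The approach above as a small simulation (an added example, not code from the talk or the authors): each monitor reports only when its local count moves to a different pair of neighboring thresholds, and the central node sums the last reported lower thresholds. The evenly spaced ladder with spacing `step`, the class and function names, and the random workload are assumptions made for illustration; network delays are ignored, as on the System Architecture slide.

```python
import bisect
import random

class Monitor:
    """Remote site i with local thresholds t[0] < t[1] < ... (t[0] = 0)."""
    def __init__(self, thresholds):
        self.t, self.count, self.level = thresholds, 0.0, 0

    def update(self, delta):
        """Apply an update; return the new index f(i) only if it changed."""
        self.count += delta
        level = bisect.bisect_right(self.t, self.count) - 1
        if level == self.level:
            return None              # still between the same two thresholds
        self.level = level
        return level

class Coordinator:
    """Central node: knows only the last reported threshold index per site."""
    def __init__(self, ladders):
        self.ladders, self.levels, self.messages = ladders, [0] * len(ladders), 0

    def report(self, i, level):
        self.levels[i] = level
        self.messages += 1

    def estimate(self):
        return sum(t[f] for t, f in zip(self.ladders, self.levels))

def simulate(m=4, step=25.0, updates=5000, seed=1):
    # Assumption: evenly spaced ladder with spacing `step`, chosen for illustration.
    ladder = [j * step for j in range(int(updates / step) + 2)]
    sites = [Monitor(ladder) for _ in range(m)]
    central = Coordinator([ladder] * m)
    rng = random.Random(seed)
    applied, max_err, violations = 0, 0.0, 0
    for _ in range(updates):         # constructed workload, not a real trace
        i, delta = rng.randrange(m), rng.choice([1, 1, 1, -1, 0.5])
        if sites[i].count + delta < 0:
            continue                 # keep local counts at or above t[0] = 0
        applied += 1
        level = sites[i].update(delta)
        if level is not None:
            central.report(i, level)
        err = sum(s.count for s in sites) - central.estimate()
        max_err = max(max_err, err)
        violations += not (0 <= err < m * step)
    return {"updates": applied, "messages": central.messages,
            "max_error": max_err, "bound": m * step, "violations": violations}

if __name__ == "__main__":
    print(simulate())
```

The returned `messages` against `updates` shows the communication saved, and `max_error` stays below `bound`, the sum over monitors of the gap between neighboring thresholds.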
Static Thresholding

Problem: For given values T and  , we have
to determine t i , j , j  [0, ) such that,
j  0 : ti, j 1  ti, j and ti,0  0
m
 (t
i,f (i ) 1
i 1
 ti,f (i ) )  
m
t
m
i,f (i )
i 1
when
t
i,f (i ) 1
T
i 1
[Figure: Blended threshold assignment. Panels: Uniform and Proportional. Labels in each panel: Monitor-1, Monitor-2, Monitor-3, Central Node; N1, N2, N3, N, N̂, T; Max error.]
Static Thresholding (cont’d)
Blended threshold assignment
T
ti , j  (1   )ti , j 1  (1   )
where 0    1
m
ti ,0  0 and when   1, ti ,1  1
   0  uniform threshold assignment
   1  proportional threshold assignment
 Complexity:
 m


N


O
log1     1  
T


 

Adaptive Thresholding


Every monitor maintains only two threshold values: $t_{iL}$ and $t_{iH}$
Problem: For given values T and  , and a
threshold violation from monitor k , determine t iH
for all the monitors such that,
i : tiH  tiL
m
t
i 1
iH
 tiL  
m
t
m
iL
when
i 1
t
iH
T
i 1
[Figure: Basic Adaptive Algorithm. Labels: Monitor-1, Monitor-2, Monitor-3, Central Node; t1L, t1H, t2L, t2H, t3L, t3H; N̂, T; Slack.]
Experimental Setup

Built a simulator with m monitoring nodes and a central node
Implemented all the static and adaptive algorithms
Data set: Public traces from NLANR
Count Accuracy
Validating the Theoretical Model
Comparing Costs – Static and Adaptive Cases
Related Work



Top-k monitoring [Babcock et al]
Heavy-hitter definition
Adaptive filters for continuous queries [Olston et al]


Distributed triggers [Jain et al]



Distributed continuous queries but does not address the thresholded counts problem
Simplified version of the thresholded counts problem
Randomized algorithms with statistical guarantees
Geometric approach for threshold functions [Sharfman et al]

Focus is mainly on non-linear functions
Summary




We defined a fundamental class of problems called “Thresholded Counts”
We proposed algorithms to address the problem – static and adaptive
Analyzed the complexities of these algorithms and provided proofs
Using experiments, we showed the effectiveness of our algorithms
Future Work

Building the monitoring system for real networks to explore the practical aspects of our framework



Address scalability issues


Sensor networks
IP network monitoring
For example, hierarchical monitoring architecture
Extend for different query types with thresholded nature

For example, arithmetic combinations
Thank you!!
Questions??
Contact: rkeralapura@ucdavis.edu