BeauCoup Outline - njkrichardson/BeauCoup GitHub Wiki

Background

We start by outlining the problem addressed by BeauCoup and the desiderata of a system that addresses this problem.

Additional wikis consider:

  • The algorithmic aspect of BeauCoup, discussing how BeauCoup simultaneously executes a set of queries and outputs alerts subject to constraints on memory size and memory accesses per packet.
  • The BeauCoup compiler, which automatically determines the parametric configuration of a query's coupon collection scheme given a query, a threshold, and an average number of coupons activated per packet.
  • Engineering-related considerations for development constraints.

Problem and Solution Desiderata

Idealized network administration would empower analysts to simultaneously track many queries (roughly, question/category classes) on the packet data in transit across a network switch. A straightforward formulation of these queries involves specifying two mappings: one from packets to keys, and a derived mapping which, given a query type and a key, maps to an attribute. Concretely, a working example of a query is the detection of "super spreaders", where the key mapping would map an ingress packet to a source IP, and the attribute mapping would map the packet to a destination IP. By counting the number of unique attributes observed for a given key, one can configure alarm systems to flag keys (source IPs) that appear responsible for super spreading.
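The query formulation above, written out as an exact (memory-unconstrained) reference. This is an added example, not code from the BeauCoup repository or paper: the `Packet` fields, the `port_scan` query, the thresholds, the "at least threshold" alert rule and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict, namedtuple

# Constructed packet record; the field names are assumptions for this example.
Packet = namedtuple("Packet", "src dst dport")
# A query is a key mapping, an attribute mapping and a distinct-count threshold.
Query = namedtuple("Query", "name key attr threshold")

QUERIES = [
    # The page's example: key = source IP, attribute = destination IP.
    Query("super_spreader", lambda p: p.src, lambda p: p.dst, 4),
    # Assumed second query with a different key/attribute definition.
    Query("port_scan", lambda p: (p.src, p.dst), lambda p: p.dport, 3),
]


def run_queries(packets, queries=QUERIES):
    """Run all queries exactly and return (alerts, stored_entries).

    alerts lists (query name, key) in the order thresholds were reached.
    stored_entries counts every (query, key, attribute) kept in memory,
    which is the cost a switch with bounded memory cannot afford.
    """
    seen = {q.name: defaultdict(set) for q in queries}
    alerted, alerts = set(), []
    for pkt in packets:
        for q in queries:  # one state update per query per packet
            key = q.key(pkt)
            attrs = seen[q.name][key]
            attrs.add(q.attr(pkt))
            # Assumed rule: alert once when distinct attributes >= threshold.
            if len(attrs) >= q.threshold and (q.name, key) not in alerted:
                alerted.add((q.name, key))
                alerts.append((q.name, key))
    stored = sum(len(a) for per_key in seen.values() for a in per_key.values())
    return alerts, stored


# Constructed traffic using documentation address ranges.
SAMPLE = (
    # 192.0.2.10 contacts five distinct destinations.
    [Packet("192.0.2.10", f"198.51.100.{i}", 443) for i in range(1, 6)]
    # 192.0.2.20 probes three ports on a single destination.
    + [Packet("192.0.2.20", "198.51.100.1", port) for port in (22, 80, 443)]
    # 192.0.2.30 repeats one flow; duplicates add no new attribute.
    + [Packet("192.0.2.30", "198.51.100.9", 53)] * 10
)

if __name__ == "__main__":
    print(run_queries(SAMPLE))
```

The second return value grows with every distinct (key, attribute) pair and the inner loop touches state once per query per packet, which are the two costs the memory-size and accesses-per-packet constraints bound.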

The status quo for analysis tools includes capabilities to monitor a single query or multiple queries with homogeneous key/attribute definitions. BeauCoup is a system designed to monitor many heterogeneous queries, whilst respecting the memory constraints imposed by the switch architectures. Empirically, BeauCoup matches the performance of existing systems with only a quarter of the memory pressure.

Formally, the desiderata laid out by the BeauCoup paper specify that we want a system which simultaneously executes a set of queries and outputs alerts, subject to a given maximum memory size and a maximum number of accesses per packet.