StreaMon: A software-defined monitoring platform

The fast evolving nature of modern cyber threats and network monitoring as well as the increasing interest in virtualization approaches for more complex network middlebox functionalities call for new, “software-defined”, solutions to virtualize and simplify the programming and deployment of online (stream-based) traffic analysis functions. StreaMon is based on a data-plane abstraction devised to scalably decouple the “programming logic” of a traffic analysis application (tracked states, features, anomaly conditions, etc.) from elementary primitives (counting and metering, matching, events generation, etc), efficiently pre-implemented in the probes, and used as common instruction set for supporting the desired logic. The proposed SDN approach entails platform-independent, portable, multi-tenant online traffic analysis tasks written in a high level language and enables system users to completely virtualize network monitoring functionalities, isolate aggregated traffic flows and run multiple independent applications on a single software instance of the StreaMon platform. We validate our design by developing a prototype and a set of simple (but functionally demanding) use-case applications and by testing them over real traffic traces.