Towards generic traffic change detection in the data plane

2021 
Identifying traffic changes accurately sits at the core of many network tasks, from congestion analysis to intrusion detection. Modern telemetry systems perform traffic change detection but restrict their detection to heavy-hitters, failing to identify relevant traffic changes, including microbursts or low-volume attacks. We present k-meleon, an in-switch online change detection system that identifies heavy-changes - instead of changes amongst heavy-hitters only, a subtle but crucial difference. k-meleon is a variant of the k-ary sketch (a well-known heavy-change detector) that leverages programmable switches for detection. To overcome the batch-based design of the original k-ary, k-meleon features a new stream-based design that matches the switch's pipelined computation model and fits its tight constraints. The preliminary evaluation of the current prototype shows the potential of k-meleon in achieving the same level of accuracy for online detection as the offline k-ary.
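The difference between heavy-changes and changes amongst heavy-hitters, as an added example that is not code from the paper or from k-meleon. It is a small offline, epoch-based k-ary sketch, not the stream-based in-switch design, and it assumes the previous epoch serves as the forecast; the sizes, threshold, function names and traffic values are constructed for illustration.

```python
import hashlib
from statistics import median

H, K = 5, 1024  # sketch rows and buckets per row (sizes assumed for this example)

def bucket(row, key):
    """Row-specific hash of a flow key into one of K buckets."""
    d = hashlib.blake2b(key.encode(), digest_size=8, salt=bytes([row])).digest()
    return int.from_bytes(d, "big") % K

def build_sketch(epoch):
    """Add every flow's byte count to one bucket per row."""
    sketch = [[0] * K for _ in range(H)]
    for key, nbytes in epoch.items():
        for r in range(H):
            sketch[r][bucket(r, key)] += nbytes
    return sketch

def estimate(sketch, key):
    """k-ary estimator: median over rows of the bucket value with the row mean removed."""
    total = sum(sketch[0])  # every row holds the same total
    return median((sketch[r][bucket(r, key)] - total / K) / (1 - 1 / K) for r in range(H))

def heavy_changes(prev, curr, threshold):
    """Flag keys whose estimated change between epochs reaches the threshold."""
    sp, sc = build_sketch(prev), build_sketch(curr)
    # Sketches are linear, so observed - forecast is computed bucket by bucket.
    err = [[c - p for c, p in zip(rc, rp)] for rc, rp in zip(sc, sp)]
    return sorted(k for k in set(prev) | set(curr) if abs(estimate(err, k)) >= threshold)

def heavy_hitter_changes(prev, curr, top_n, threshold):
    """Baseline: exact change, but only tracked for the top_n flows by volume."""
    top = sorted(curr, key=curr.get, reverse=True)[:top_n]
    return sorted(k for k in top if abs(curr[k] - prev.get(k, 0)) >= threshold)

# Constructed byte counts per source address for two consecutive epochs.
PREV = {"10.0.0.1": 900_000, "10.0.0.2": 880_000, "10.0.0.7": 200, "10.0.0.9": 1_500}
CURR = {"10.0.0.1": 905_000, "10.0.0.2": 879_000, "10.0.0.7": 60_000, "10.0.0.9": 1_400}

if __name__ == "__main__":
    print("sketch heavy changes:", heavy_changes(PREV, CURR, 20_000))
    print("heavy-hitter-only   :", heavy_hitter_changes(PREV, CURR, 2, 20_000))
```

The flow 10.0.0.7 grows from 200 to 60,000 bytes yet never ranks among the two largest flows, so the heavy-hitter baseline does not report it while the sketch does.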