Arpit Gupta

I am an assistant professor in the computer science department at UC Santa Barbara. I received my Ph.D. in computer science from Princeton University.

As a systems researcher, I design and build flexible, scalable, and deployable systems that solve the real-world problems at the intersection of networking, security, and machine learning.

Note: I am looking for self-motivated students to work with me at UCSB. If you are interested in building next-generation intelligent network monitoring and control systems, feel free to drop me an email with your CV.

Selected Publications

2018 Aug	Flexible and Scalable Systems for Network Management Arpit Gupta Ph.D. Thesis abstract Paper Talk Our daily lives are heavily reliant upon Internet-connected devices, services, and applications. This reliance makes it more critical than ever that the underlying networks they depend on be reliable, performant, and secure. At the same time, the increasing complexity and diversity of today's devices, services, and applications have made network management tasks more complicated than ever. Modern network management mandates that operators can systematically monitor what is going on in their networks (network monitoring) and use this information to take real-time preventive or corrective actions (network control). Achieving these goals while also adhering to the limited compute and storage resources available on modern network devices poses significant challenges. The contribution of this dissertation is the design and implementation of two systems that enable flexible and scalable network monitoring and control. The network-monitoring system, Sonata, collects and analyzes network traffic to infer various network events in real time. The network-control system, SDX, enables fine-grained reactive control actions for interdomain traffic without disrupting the existing routing protocols. For each of these two systems, the dissertation focuses on (i) the abstractions that allow network operators to express flexible programs for both network monitoring and control; (ii) the algorithms that make the best use of limited compute and storage resources; and (iii) the systems that combine the high-level abstractions and the low-level algorithms and can be deployed in production settings. The lessons learned from this dissertation can help us develop next-generation network-management systems. More concretely, unlike existing systems that rely solely on a single device-type, this dissertation shows that designing systems that can pool resources from a heterogeneous set of devices (targets) is critical for building flexible and scalable network-management systems. It also demonstrates that as the networking technologies and protocols evolve rapidly with time, it is imperative to design modular systems that can swiftly catch up with these changes. Finally, this research also illustrates that it is crucial to select strategic locations (e.g., Internet exchange points) for deployment to drive innovations in Internet-wide traffic monitoring and control.
2018 Aug	Sonata: Query-Driven Streaming Network Telemetry Arpit Gupta, Rob Harrison, Marco Canini, Nick Feamster, Jennifer Rexford, Walter Willinger ACM SIGCOMM, Budapest, Hungary abstract Paper Talk Code Managing and securing networks requires collecting and analyzing measurement data. Current technologies do not make it easy to do so, typically because they separate data collection (e.g., packet capture or flow monitoring) from the analysis, producing either too much data to answer a general question or too little data to answer a detailed question. This paper presents Sonata, a network telemetry system that exposes a query interface that directs the joint collection and analysis of network traffic. Sonata allows operators to directly express queries in a high-level language, partitions each query into a portion that runs on the switch and another that runs on the streaming analytics platform and refines the query to capture only the traffic that satisfies a query. Sonata allows operators to express real network monitoring tasks using dataflow operators, a compact, familiar programming idiom. Evaluation using traffic traces from a large ISP backbone show that Sonata's ability to compile portions of these queries to the data plane can reduce traffic rates at the stream processor by up to seven orders of magnitude.
2016 Mar	iSDX: An Industrial-Scale Software Defined Internet Exchange Point Arpit Gupta, Robert MacDavid, Rüdiger Birkner, Marco Canini, Nick Feamster, Jennifer Rexford, Laurent Vanbever USENIX NSDI, Santa Clara, CA Winner of Community Award Selected in the Best of the Rest* session at USENIX ATC, 2016* Media Articles: CircleID, ONF Blog, NewIP abstract Paper Talk Code Software-Defined Internet Exchange Points (SDXes) promise to significantly increase the flexibility and function of interdomain traffic delivery on the Internet. Unfortunately, current SDX designs cannot yet achieve the scale required for large Internet exchange points (IXPs), which can host hundreds of participants exchanging traffic for hundreds of thousands of prefixes. Existing platforms are indeed too slow and inefficient to operate at this scale, typically requiring minutes to compile policies and millions of forwarding rules in the data plane. We motivate, design, and implement iSDX, the first SDX architecture that can operate at the scale of the largest IXPs. We show that iSDX reduces both policy compilation time and forwarding table size by two orders of magnitude compared to current state-of-the-art SDX controllers. Our evaluation against a trace from one of the largest IXPs in the world found that iSDX can compile a realistic set of policies for 500 IXP participants in less than three seconds. Our public release of iSDX, complete with tutorials and documentation, is already spurring early adoption in operational networks.
2014 Aug	SDX: A Software Defined Internet Exchange Arpit Gupta, L. Vanbever, M. Shahbaz, S. Donovan, B. Schlinker, N. Feamster, J. Rexford, S. Shenker, R. Clark, E. Katz-Bassett ACM SIGCOMM, Chicago, IL 210+ citations, one of the highest for SIGCOMM 2014 abstract Paper Talk Code BGP severely constrains how networks can deliver traffic over the Internet. Today's networks can only forward traffic based on the destination IP prefix, by selecting among routes offered by their immediate neighbors. We believe Software Defined Networking (SDN) could revolutionize wide-area traffic delivery, by offering direct control over packet-processing rules that match on multiple header fields and perform a variety of actions. Internet exchange points (IXPs) are a compelling place to start, given their central role in interconnecting many networks and their growing importance in bringing popular content closer to end users. To realize a Software Defined IXP (an SDX), we must create compelling applications, such as application-specific peering, where two networks peer only for (say) streaming video traffic. We also need new programming abstractions that allow participating networks to create and run these applications and a runtime that both behaves correctly when interacting with BGP and ensures that applications do not interfere with each other. Finally, we must ensure that the system scales, both in rule-table size and computational overhead. In this paper, we tackle these challenges and demonstrate the flexibility and scalability of our solutions through controlled and in-the-wild experiments. Our experiments demonstrate that our SDX implementation can implement representative policies for hundreds of participants who advertise full routing tables while achieving sub-second convergence in response to configuration changes and routing updates.

Contact

arpitgupta@cs.ucsb.edu

Google Scholar

801 CEPSR, Columbia University

New York, NY

agupta13@github

News

Tweets by glexqsd

2018 Aug	Sonata: Query-Driven Streaming Network Telemetry Arpit Gupta, Rob Harrison, Marco Canini, Nick Feamster, Jennifer Rexford, Walter Willinger ACM SIGCOMM 2018, Budapest, Hungary abstract Paper Talk Code Web Managing and securing networks requires collecting and analyzing measurement data. Current technologies do not make it easy to do so, typically because they separate data collection (e.g., packet capture or flow monitoring) from the analysis, producing either too much data to answer a general question or too little data to answer a detailed question. This paper presents Sonata, a network telemetry system that exposes a query interface that directs the joint collection and analysis of network traffic. Sonata allows operators to directly express queries in a high-level language, partitions each query into a portion that runs on the switch and another that runs on the streaming analytics platform and refines the query to capture only the traffic that satisfies a query. Sonata allows operators to express real network monitoring tasks using dataflow operators, a compact, familiar programming idiom. Evaluation using traffic traces from a large ISP backbone show that Sonata's ability to compile portions of these queries to the data plane can reduce traffic rates at the stream processor by up to seven orders of magnitude.
2017 Apr	Concise Encoding of Flow Attributes in SDN Switches Robert MacDavid, Rüdiger Birkner, Ori Rottenstreich, Arpit Gupta, Nick Feamster, Jennifer Rexford ACM SOSR, Santa Clara, CA Winner of Best Paper Award abstract Paper Talk Code Web BibTeX @inproceedings{macdavid2017concise, title={Concise encoding of flow attributes in SDN switches}, author={MacDavid, Robert and Birkner, Rudiger and Rottenstreich, Ori and Gupta, Arpit and Feamster, Nick and Rexford, Jennifer}, booktitle={Proceedings of the Symposium on SDN Research}, pages={48--60}, year={2017}, organization={ACM} } Network devices such as routers and switches forward traffic based on entries in their local forwarding tables. Although these forwarding tables conventionally make decisions based on a packet header field such as a destination address, tagging flows with sets or sequences of attributes and making forwarding decisions based on these attributes can enable richer network policies. For example, devices at the edge of a network could add a tag to each packet that encodes a set of egress locations, a set of host permissions, or a sequence of middleboxes to traverse; simpler devices in the core of the network could then forward packets based on this tag. Unfortunately, naive construction of these tags can create forwarding tables that grow quadratically with the number of elements in the set or sequence prohibitive for commodity network devices. In this paper, we present PathSets, a compression algorithm that makes such encodings practical. The algorithm encodes sets or sequences (e.g., middlebox service chains, lists of next-hop network devices) in a compact tag that fits in a small packet-header field. Our evaluation shows that PathSets can encode attribute sets and sequences for large networks using tag widths competitive with existing approaches and that the number of forwarding rules grows linearly with the number of attributes encoded.
2016 Mar	iSDX: An Industrial-Scale Software Defined Internet Exchange Point Arpit Gupta, Robert MacDavid, Rüdiger Birkner, Marco Canini, Nick Feamster, Jennifer Rexford, Laurent Vanbever USENIX NSDI, Santa Clara, CA Winner of Community Award Selected in the Best of the Rest* session at USENIX ATC, 2016* Media Articles: CircleID, ONF Blog, NewIP abstract Paper Talk Code Web BibTeX @inproceedings{gupta2016isdx, title={An Industrial-Scale Software Defined Internet Exchange Point.}, author={Gupta, Arpit and MacDavid, Robert and Birkner, R{\"u}diger and Canini, Marco and Feamster, Nick and Rexford, Jennifer and Vanbever, Laurent}, booktitle={NSDI}, pages={1--14}, year={2016} } Software-Defined Internet Exchange Points (SDXes) promise to significantly increase the flexibility and function of interdomain traffic delivery on the Internet. Unfortunately, current SDX designs cannot yet achieve the scale required for large Internet exchange points (IXPs), which can host hundreds of participants exchanging traffic for hundreds of thousands of prefixes. Existing platforms are indeed too slow and inefficient to operate at this scale, typically requiring minutes to compile policies and millions of forwarding rules in the data plane. We motivate, design, and implement iSDX, the first SDX architecture that can operate at the scale of the largest IXPs. We show that iSDX reduces both policy compilation time and forwarding table size by two orders of magnitude compared to current state-of-the-art SDX controllers. Our evaluation against a trace from one of the largest IXPs in the world found that iSDX can compile a realistic set of policies for 500 IXP participants in less than three seconds. Our public release of iSDX, complete with tutorials and documentation, is already spurring early adoption in operational networks.
2015 May	Kinetic: Verifiable Dynamic Network Control Hyojoon Kim, Joshua Reich, Arpit Gupta, Muhammad Shahbaz, Nick Feamster, Russ Clark USENIX NSDI, Oakland, CA 60+ citations abstract Paper Talk Code Web BibTeX @inproceedings{kim2015kinetic, title={Kinetic: Verifiable Dynamic Network Control.}, author={Kim, Hyojoon and Reich, Joshua and Gupta, Arpit and Shahbaz, Muhammad and Feamster, Nick and Clark, Russell J}, booktitle={NSDI}, pages={59--72}, year={2015} } Network conditions are dynamic; unfortunately, current approaches to configuring networks. Network operators need tools to express how a network's data-plane behavior should respond to a wide range of events and changing conditions, ranging from unexpected failures to shifting traffic patterns to planned maintenance. Yet, to update the network configuration today, operators typically rely on a combination of manual intervention and ad hoc scripts. In this paper, we present Kinetic, a domain specific language and network control system that enables operators to control their networks dynamically in a concise, intuitive way. Kinetic also automatically verifies the correctness of these control programs with respect to user-specified temporal properties. Our user study of Kinetic with several hundred network operators demonstrates that Kinetic is intuitive and usable, and our performance evaluation shows that realistic Kinetic programs scale well with the number of policies and the size of the network.
2014 Aug	SDX: A Software Defined Internet Exchange Arpit Gupta, L. Vanbever, M. Shahbaz, S. Donovan, B. Schlinker, N. Feamster, J. Rexford, S. Shenker, R. Clark, E. Katz-Bassett ACM SIGCOMM, Chicago, IL 210+ citations, one of the highest for SIGCOMM 2014 abstract Paper Talk Code Web BibTeX @inproceedings{gupta2014sdx, title={SDX: A Software Defined Internet Exchange}, author={Gupta, Arpit and Vanbever, Laurent and Shahbaz, Muhammad and Donovan, Sean P. and Schlinker, Brandon and Feamster, Nick and Rexford, Jennifer and Shenker, Scott and Clark, Russ and Katz-Bassett, Ethan}, booktitle={SIGCOMM}, year={2014}, organization={ACM} } BGP severely constrains how networks can deliver traffic over the Internet. Today's networks can only forward traffic based on the destination IP prefix, by selecting among routes offered by their immediate neighbors. We believe Software Defined Networking (SDN) could revolutionize wide-area traffic delivery, by offering direct control over packet-processing rules that match on multiple header fields and perform a variety of actions. Internet exchange points (IXPs) are a compelling place to start, given their central role in interconnecting many networks and their growing importance in bringing popular content closer to end users. To realize a Software Defined IXP (an SDX), we must create compelling applications, such as application-specific peering, where two networks peer only for (say) streaming video traffic. We also need new programming abstractions that allow participating networks to create and run these applications and a runtime that both behaves correctly when interacting with BGP and ensures that applications do not interfere with each other. Finally, we must ensure that the system scales, both in rule-table size and computational overhead. In this paper, we tackle these challenges and demonstrate the flexibility and scalability of our solutions through controlled and in-the-wild experiments. Our experiments demonstrate that our SDX implementation can implement representative policies for hundreds of participants who advertise full routing tables while achieving sub-second convergence in response to configuration changes and routing updates.
2012 Dec	WiFox: Scaling WiFi Performance for Large Audience Environments Arpit Gupta, Jeongki Min, Injong Rhee ACM CoNEXT, Nice, France 50+ citations Media Articles: Engadget, Slashdot, Techcrunch, NBC News, Telegraph abstract Paper Talk Code Web BibTeX @inproceedings{gupta2012wifox, title={WiFox: Scaling WiFi Performance for Large Audience Environments}, author={Gupta, Arpit and Min, Jeongki and Rhee, Injong}, booktitle={Proceedings of the Eigth COnference on emerging Networking EXperiments and Technologies, CoNEXT}, volume={12}, year={2012} }

2018	Network-Wide Heavy Hitter Detection with Commodity Switches Rob Harrison, Qizhe Cai, Arpit Gupta, Jennifer Rexford ACM SOSR, Los Angeles, CA abstract Paper Web Many network monitoring tasks identify subsets of traffic that stand out, eg., top-kk flows for a particular statistic. A Protocol Independent Switch Architecture (PISA) switch can identify these "heavy hitter" flows directly in the data plane, by aggregating traffic statistics across packets and comparing against a threshold. However, network operators often want to identify interesting traffic on a network-wide basis. To bridge the gap between line-rate monitoring and network-wide visibility, we present a distributed heavy-hitter detection scheme for networks modeled as one-big switch. We use adaptive thresholds and approximate data structures to perform threshold monitoring and distinct counting directly in the data plane. We implement our system using the P4 language and Barefoot's Tofino hardware switch, and evaluate it using real-world packet traces. We demonstrate that our solution can accurately detect network-wide statistics with up to 75% savings in communication overhead.
2018	Preserving Privacy at IXPs Xiaohe Hu, Arpit Gupta, Nick Feamster, Aurojit Panda, Scott Shenker Under Submission abstract Web Autonomous systems (ASes) on the Internet increasingly rely on Internet Exchange Points (IXPs) for peering. IXPs provide the physical infrastructure including a fabric required to interconnect ASes. A single IXP may interconnect several 100s or 1000s of participants (ASes) all of which might peer with each other. This requires each participant to maintain a BGP session with every other participant in an IXP and poses a scaling challenge. IXPs have addressed this challenge through the use of route servers. When route servers are used IXP participants outsource parts of their policy to the route server and maintain a single BGP session with it. The route server is responsible for implementing parts of each participant policies -- often export and import policies. While route servers allow IXPs to scale, they require participants to trust the IXP and reveal their policies, a drastic change from the accepted norm where all policies are kept private. In this paper we look at techniques to build route servers which provide the same functionality as existing route servers (thus providing scalability) without requiring participants to reveal their policies thus preserving the status quo and enabling wider adoption of IXPs. Prior work has looked at secure multi-party computation (SMPC) as a means of implementing such route servers however this affects performance and reduces policy flexibility. In this paper we take a different tack and build on trusted execution environments (TEEs) such as Intel SGX to keep policies private. We present results from an initial route server implementation that runs under Intel SGX and show that our approach has 20× better performance than SMPC based approaches. Furthermore, we demonstrate that the additional privacy provided by our approach comes at minimal cost and our implementation is at worse 2.1× slower than a current route server implementation (and in some situations up to 2× faster).
2017 Apr	SDX-Based Flexibility or Internet Correctness? Pick Two! Rüdiger Birkner, Arpit Gupta, Nick Feamster, Laurent Vanbever ACM SOSR, Santa Clara, CA abstract Paper Talk Code Web BibTex @inproceedings{birkner2017sdx, title={SDX-Based Flexibility or Internet Correctness?: Pick Two!}, author={Birkner, R{\"u}diger and Gupta, Arpit and Feamster, Nick and Vanbever, Laurent}, booktitle={Proceedings of the Symposium on SDN Research}, pages={1--7}, year={2017}, organization={ACM} } Software-Defined Internet eXchange Points (SDXes) are recently gaining momentum, with several SDXes now running in production. The deployment of multiple SDXes on the Internet raises the question of whether the interactions between these SDXes will cause correctness problems, since SDX policies can deflect traffic away from the default BGP route for a prefix, effectively breaking the congruence between the control plane and data plane. Although one deflection on a path will never cause loops to occur, combining multiple deflections at different SDXes can lead to persistent forwarding loops that the control plane never sees. In this paper, we introduce SIDR, a coordination framework that enables SDXes to verify the end-to-end correctness (i.e., loop freedom) of an SDX policy. The challenge behind SIDR is to strike a balance between privacy, scalability, and flexibility. SIDR addresses these challenges by: (i) not requiring SDXes to disclose the flow space their SDX policies act on, only the next-hop they deflect to; and (ii) minimizing the number of SDXes that must exchange state to detect correctness problems. SIDR manages to preserve the flexibility of SDX policies by activating the vast majority of the safe policies, the policies that do not create a loop. We implemented SIDR on the SDX platform and showed its practical effectiveness: SIDR can activate 91% of all safe policies while preserving privacy and scalability and can perform correctness checks in about one second.
2016 Nov	Network Monitoring as a Streaming Analytics Problem Arpit Gupta, Rüdiger Birkner, Marco Canini, Nick Feamster, Chris Mac-Stoker, Walter Willinger ACM HotNets, Atlanta, GA abstract Paper Talk Code Web BibTex @inproceedings{gupta2016network, title={Network Monitoring as a Streaming Analytics Problem}, author={Gupta, Arpit and Birkner, R{\"u}diger and Canini, Marco and Feamster, Nick and Mac-Stoker, Chris and Willinger, Walter}, booktitle={Proceedings of the 15th ACM Workshop on Hot Topics in Networks}, pages={106--112}, year={2016}, organization={ACM} } Programmable switches make it easier to perform flexible network monitoring queries at line rate, and scalable stream processors make it possible to fuse data streams to answer more sophisticated queries about the network in real-time. Unfortunately, processing such network monitoring queries at high traffic rates requires both the switches and the stream processors to filter the traffic iteratively and adaptively so as to extract only that traffic that is of interest to the query at hand. Others have network monitoring in the context of streaming; yet, previous work has not closed the loop in a way that allows network operators to perform streaming analytics for network monitoring applications at scale. To achieve this objective, Sonata allows operators to express a network monitoring query by considering each packet as a tuple and efficiently partitioning each query between the switches and the stream processor through iterative refinement. Sonata extracts only the traffic that pertains to each query, ensuring that the stream processor can scale traffic rates of several terabits per second. We show with a simple example query involving DNS reflection attacks and traffic traces from one of the world's largest IXPs that Sonata can capture 95% of all traffic pertaining to the query, while reducing the overall data rate by a factor of about 400 and the number of required counters by four orders of magnitude.
2016 Mar	Authorizing Network Control at Software Defined Internet Exchange Points Arpit Gupta, Nick Feamster, Laurent Vanbever ACM SOSR, Santa Clara, CA abstract Paper Talk Code Web BibTex @inproceedings{gupta2016authorizing, title={Authorizing network control at software defined internet exchange points}, author={Gupta, Arpit and Feamster, Nick and Vanbever, Laurent}, booktitle={Proceedings of the Symposium on SDN Research}, pages={16}, year={2016}, organization={ACM} } Software Defined Internet Exchange Points (SDXes) increase the flexibility of interdomain traffic delivery on the Internet. Yet, an SDX inherently requires multiple participants to have access to a single, shared physical switch, which creates the need for an authorization mechanism to mediate this access. In this paper, we introduce a logic and mechanism called FLANC (A Formal Logic for Authorizing Network Control), which authorizes each participant to control forwarding actions on a shared switch and also allows participants to delegate forwarding actions to other participants at the switch (e.g., a trusted third party). FLANC extends â€œsaysâ€ and â€œspeaks forâ€ logic that have been previously designed for operating system objects to handle expressions involving network traffic flows. We describe FLANC, explain how participants can use it to express authorization policies for realistic interdomain routing settings, and demonstrate that it is efficient enough to operate in operational settings.
2014 Mar	Peering at the Internet's Frontier: A First Look at ISP Interconnectivity in Africa Arpit Gupta, M. Calder, N. Feamster, M. Chetty, E. Calandro, E. Katz-Bassett PAM, Los Angeles, CA 50+ citations abstract Paper Talk Code BibTex @inproceedings{gupta2014peering, title={Peering at the Internet's Frontier: A First Look at ISP Interconnectivity in Africa.}, author={Gupta, Arpit and Calder, Matt and Feamster, Nick and Chetty, Marshini and Calandro, Enrico and Katz-Bassett, Ethan}, booktitle={PAM}, pages={204--213}, year={2014} } In developing regions, the performance to commonly visited destinations is dominated by the network latency, which in turn depends on the connectivity from ISPs in these regions to the locations that host popular sites and content. We take a first look at ISP interconnectivity between various regions in Africa and discover many circuitous Internet paths that should remain local often detour through Europe. We investigate the causes of circuitous Internet paths and evaluate the benefits of increased peering and better cache proxy placement for reducing latency to popular Internet sites.

Conferences

Workshops & Short Papers

Selected Publications

Contact

Blog

Making the 'Net' Work!

Network Monitoring with Sonata

Programmatic Control with SDX