This paper describes BigBen, a network telemetry processing system designed to enable accurate and timely reporting of Internet events (e.g., outages, attacks and configuration changes). BigBen is distinct from other Internet-wide event detection systems in its use of passive measurements of Network Time Protocol (NTP) traffic. We describe the architecture of BigBen, which includes (i) a distributed NTP traffic collection component, (ii) an Extract Transform Load (ETL) component, (iii) an event identification component, and (iv) a visualization and reporting component. We also describe a cloud-based implementation of BigBen developed to process large NTP data sets and provide daily event reporting. We demonstrate BigBen on a 15.5TB corpus of NTP data. We show that our implementation is efficient and could support hourly event reporting. We show that BigBen identifies a wide range of Internet events characterized by their location, scope and duration. We compare the events detected by BigBen vs. events detected by a large active probe-based detection system. We find only modest overlap and show how BigBen provides details on events that are not available from active measurements. Finally, we report on the perspective that BigBen provides on Internet events that were reported by third parties. In each case, BigBen confirms the event and provides details that were not available in prior reports, highlighting the utility of the passive, NTP-based approach.

中文翻译：

---

BigBen：用于整个Internet的事件监视的遥测处理

本文介绍了BigBen，这是一种网络遥测处理系统，旨在准确，及时地报告Internet事件（例如，中断，攻击和配置更改）。BigBen在使用被动测量网络时间协议（NTP）流量方面与其他Internet范围事件检测系统截然不同。我们描述了BigBen的体系结构，其中包括（i）分布式NTP流量收集组件，（ii）提取转换负载（ETL）组件，（iii）事件标识组件以及（iv）可视化和报告组件。我们还描述了BigBen的基于云的实现，该实现被开发为处理大型NTP数据集并提供每日事件报告。我们在15.5TB的NTP数据集上演示了BigBen。我们证明了我们的实施是有效的，并且可以支持每小时的事件报告。我们证明，BigBen可以识别范围广泛，以其位置，范围和持续时间为特征的Internet事件。我们将BigBen检测到的事件与大型基于主动探针的检测系统检测到的事件进行比较。我们发现只有很小的重叠，并展示了BigBen如何提供活动测量无法提供的事件的详细信息。最后，我们以BigBen提供的关于第三方报告的Internet事件的观点进行报告。在每种情况下，BigBen都会确认事件并提供以前的报告中未提供的详细信息，从而突出显示了基于NTP的被动方法的实用性。我们发现只有很小的重叠，并展示了BigBen如何提供活动测量无法提供的事件的详细信息。最后，我们以BigBen提供的关于第三方报告的Internet事件的观点进行报告。在每种情况下，BigBen都会确认事件并提供以前的报告中未提供的详细信息，从而突出显示了基于NTP的被动方法的实用性。我们发现只有很小的重叠，并展示了BigBen如何提供活动测量无法提供的事件的详细信息。最后，我们以BigBen提供的关于第三方报告的Internet事件的观点进行报告。在每种情况下，BigBen都会确认事件并提供以前的报告中未提供的详细信息，从而突出显示了基于NTP的被动方法的实用性。