Flow measurement has evolved into the primary method for measuring the composition of Internet traffic. Cisco’s NetFlow is a widely deployed flow measurement solution that uses a configurable static sampling rate to control processor and memory usage on the router and the number of flow records generated for reporting. During flooding attacks, however, the memory and network bandwidth consumed by flow records can increase beyond what is available. In this paper, we propose an entropy-based flow aggregation algorithm, which not only alleviates the pressure on memory and export bandwidth, but also maximizes the accuracy of legitimate flows. Relying on information-theoretic techniques, the algorithm efficiently identifies the clusters of attack flows in real time and aggregates the large number of short attack flows into a few metaflows. Finally, we evaluate our system using real trace files from the Internet.


Keywords: Memory Usage, Aggregation Algorithm, Security Attack, Random Dimension, Real Trace
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Yan Hu (1)
  • Dah-Ming Chiu (1)
  • John C. S. Lui (1)

  1. The Chinese University of Hong Kong, Hong Kong
