Entropy Based Flow Aggregation
Flow measurement evolved into the primary method for measuring the composition of Internet traffic. Cisco’s NetFlow is a widely deployed flow measurement solution that uses a configurable static sampling rate to control processor and memory usage on the router and the amount of reporting flow records generated. But during flooding attacks the memory and network bandwidth consumed by flow records can increase beyond what is available. In this paper, we propose an entropy based flow aggregation algorithm, which not only alleviates the problem in memory and export bandwidth, but also maximizes the accuracy of legitimate flows. Relying on information-theoretic techniques, the algorithm efficiently identifies the clusters of attack flows in real time and aggregates those large number of short attack flows to a few metaflows. Finally, we evaluate our system using real trace files from the Internet.
KeywordsMemory Usage Aggregation Algorithm Security Attack Random Dimension Real Trace
- 2.Estan, C., Keys, K., Moore, D., Varghese, G.: Building a better netflow. In: Proc. SIGCOMM 2004 (2004)Google Scholar
- 3.Hu, Y., Chiu, D.M., Lui, J.: Adaptive flow aggregation - a new solution for robust flow monitoring under security attacks. In: Proc. NOMS 2006 (2006)Google Scholar
- 4.Hu, Y., Chiu, D.M., Lui, J.: Entropy based flow aggregation: Tech. report (2006), http://personal.ie.cuhk.edu.hk/~yhu4/paper/entropy_tech.pdf
- 5.Estan, C., Varghese, G., Fisk, M.: Bitmap algorithms for counting active flows on high speed links. In: Proc. IMC 2003 (2003)Google Scholar