Seamless Dynamic Reconfiguration of Flow Meters: Requirements and Solutions
In this paper, we investigate the need for seamless dynamic reconfiguration of flow meters. Flow monitoring has become a primary measurement approach for various network management and security applications. Sampling and filtering techniques are usually employed to cope with the increasing bandwidth in today’s backbone networks. Additionally, low-level analysis features can be used if CPU and memory resources are available. The configuration of such algorithms depends on the (estimated) network load. When traffic patterns change or the demands on the flow analyzers vary, this configuration needs to be updated. During such an update, it is essential to lose as little information, i.e., packet or flow data, as possible. We contribute to this domain by presenting an architecture for seamless reconfiguration without information loss, which we integrated into the monitoring toolkit Vermont. Additionally, we integrated support for situation awareness using module-specific resource sensors. In a number of experiments, we evaluated the performance of Vermont and similar flow monitors.