Monitoring of Spatial-Aggregated IP-Flow Records
This paper describes a new approach for analyzing large volumes of IP-flow-related data. One current solution for monitoring IP traffic is based on selecting a subset of flow-related information that summarizes communication endpoints, volume, status and time parameters. Such records are commonly known as NetFlow records; the recent development of a standardized protocol and data format, together with support from all major vendors, has made the collection, processing and analysis of flow records possible on all available routers. However, on high-traffic backbone routers this produces a huge quantity of data whose analysis is difficult, both in terms of computational resources and in terms of scientific methods. We present a new approach that leverages spatially and temporally aggregated flow information. The objective is to detect traffic anomalies and to characterize network traffic. Our method is based on special tree-like data structures that capture both temporal and spatial aggregation and is therefore computationally efficient. The conceptual framework of our approach is based on the definition of appropriate similarity and distance functions for this purpose.
Keywords: Support Vector Machine, Kernel Function, Intrusion Detection, Intrusion Detection System, Network Address Translation
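To make the spatial aggregation and the distance function that the abstract refers to concrete, the following illustration builds one prefix tree per time window from flow records and compares the trees of two windows. This is an added example and not code from the paper: the page does not specify the authors' tree structure or similarity functions, so two choices are assumed here, namely an Aguri-style aggregation rule (a subtree whose volume is below a fraction of the window total is folded into its parent prefix) and an L1 distance over per-prefix volume shares. The flow records are constructed sample data, and the comparison of consecutive windows stands in for the temporal side of the method.

```python
"""Spatial aggregation of flow records into a prefix tree, plus a distance
between two aggregated trees.  Added illustration, not the paper's code.

Assumptions made here (not taken from the paper): the aggregation rule is
Aguri-style (fold a subtree into its parent prefix when its volume is below a
fraction of the window total), and the distance is the L1 difference of the
per-prefix volume shares.  Flow records are constructed sample data."""

import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample records for two consecutive time windows: (dst_ip, bytes).
WINDOW_T0: List[Tuple[str, int]] = [
    ("192.0.2.10", 5000), ("192.0.2.11", 4000), ("192.0.2.12", 500),
    ("198.51.100.7", 9000),
    ("203.0.113.1", 100), ("203.0.113.2", 100),
    ("203.0.113.3", 100), ("203.0.113.4", 100),
]
# T1: the same heavy destinations, plus twenty low-volume hits spread over
# 203.0.113.0/24 (a constructed scan-like pattern).
WINDOW_T1: List[Tuple[str, int]] = [
    ("192.0.2.10", 5000), ("192.0.2.11", 4000), ("198.51.100.7", 9000),
] + [(f"203.0.113.{i}", 100) for i in range(1, 21)]


class PrefixNode:
    """One node of a binary IPv4 prefix trie.  'volume' is the traffic
    attributed to exactly this prefix: leaf traffic or traffic folded up
    from below during aggregation."""
    __slots__ = ("prefix", "plen", "volume", "children")

    def __init__(self, prefix: int, plen: int) -> None:
        self.prefix = prefix
        self.plen = plen
        self.volume = 0
        self.children: List[Optional["PrefixNode"]] = [None, None]

    def name(self) -> str:
        return str(ipaddress.ip_network((self.prefix, self.plen)))


def insert(root: PrefixNode, ip: str, volume: int) -> None:
    """Walk (creating as needed) the /32 path for ip and credit its leaf."""
    ip_int = int(ipaddress.IPv4Address(ip))
    node = root
    for depth in range(32):
        bit = (ip_int >> (31 - depth)) & 1
        if node.children[bit] is None:
            mask = (0xFFFFFFFF << (31 - depth)) & 0xFFFFFFFF
            node.children[bit] = PrefixNode(ip_int & mask, depth + 1)
        node = node.children[bit]
    node.volume += volume


def subtree_total(node: PrefixNode) -> int:
    return node.volume + sum(subtree_total(c) for c in node.children if c)


def aggregate(node: PrefixNode, threshold: int) -> None:
    """Post-order fold: a child subtree whose total volume is below the
    threshold is removed and its volume credited to the parent prefix."""
    for i, child in enumerate(node.children):
        if child is None:
            continue
        aggregate(child, threshold)
        total = subtree_total(child)
        if total < threshold:
            node.volume += total
            node.children[i] = None


def collect(node: PrefixNode, out: Dict[str, int]) -> Dict[str, int]:
    """Flatten the aggregated tree into {prefix: volume}, skipping prefixes
    that only exist as interior path nodes (zero attributed volume)."""
    if node.volume:
        out[node.name()] = node.volume
    for child in node.children:
        if child:
            collect(child, out)
    return out


def build_profile(flows: List[Tuple[str, int]],
                  threshold_fraction: float) -> Dict[str, int]:
    """Spatially aggregate one window of flow records into a prefix profile."""
    root = PrefixNode(0, 0)
    for ip, volume in flows:
        insert(root, ip, volume)
    aggregate(root, int(threshold_fraction * subtree_total(root)))
    return collect(root, {})


def profile_distance(a: Dict[str, int], b: Dict[str, int]) -> float:
    """L1 distance between the normalized volume shares of two profiles.
    A prefix present in only one profile contributes its full share."""
    ta, tb = sum(a.values()), sum(b.values())
    return sum(abs(a.get(k, 0) / ta - b.get(k, 0) / tb)
               for k in set(a) | set(b))


if __name__ == "__main__":
    p0 = build_profile(WINDOW_T0, 0.05)
    p1 = build_profile(WINDOW_T1, 0.05)
    for label, prof in (("T0", p0), ("T1", p1)):
        print(label, dict(sorted(prof.items())))
    print("distance(T0, T1) =", round(profile_distance(p0, p1), 4))
```

With a 5% threshold, the four small destinations in T0 fold all the way up to 192.0.0.0/4, while in T1 the twenty scan-like hits survive as the 203.0.113.0/28 and 203.0.113.0/27 prefixes: the aggregated shape of the tree, not individual addresses, is what changes between the windows, and the distance between the two profiles is what an anomaly detector would threshold on.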