Monitoring of Spatial-Aggregated IP-Flow Records

  • Cynthia Wagner
  • Gerard Wagener
  • Radu State
  • Thomas Engel
Part of the Advances in Intelligent and Soft Computing book series (AINSC, volume 85)


This paper describes a new approach for analyzing large volumes of IP flow related data. One current solution for monitoring IP traffic is based on selecting a subset of flow related information that summarizes communication endpoints, volume, status and time parameters. Commonly known as NetFlow records, the recent development of a standardized protocol and data format, as well as the support from all major vendors, did make the processing, collecting and analysis of flow records possible on all available routers. However, on high traffic backbone routers, this adds to a huge quantity of data that makes its analysis difficult, both in terms of computational resources and in terms of scientific methods. We present a new approach that leverages spatial and temporal aggregated flow information. The objective is to detect traffic anomalies and to characterize network traffic. Our method is based on the use of special tree like data structures that capture both temporal and spatial aggregation and thus is computational efficient. The conceptual framework of our approach is based on the definition of appropriate similarity and distance functions for this purpose.


Support Vector Machine Kernel Function Intrusion Detection Intrusion Detection System Network Address Translation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Burges, C.J.C.: A tutorial on support vector machines for pattern recognition. Data Mining and Knowledge Discovery 2(2), 121–167 (1998)CrossRefGoogle Scholar
  2. 2.
    Cho, K., Kaizaki, R., Kato, A.: Aguri: An aggregation-based traffic profiler. In: Smirnov, M., Crowcroft, J., Roberts, J., Boavida, F. (eds.) QofIS 2001. LNCS, vol. 2156, pp. 222–242. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  3. 3.
    Cifarelli, C., Nieddu, L., Seref, O., Pardalos, P.M.: K.-T.R.A.C.E.: A kernel k-means procedure for classification. Computers and Operations research 34(10), 3154–3161 (2007)zbMATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Culotta, A., Sorensen, J.: Dependency Tree Kernels for Relation Extraction. In: 42nd Annual Meeting on Association for Computational Linguistics, Barcelona, Spain (2004)Google Scholar
  5. 5.
    Estan, C.: Building a better NetFlow. In: Proceedings of the 2004 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 245–256 (2004)Google Scholar
  6. 6.
    Foukarakis, M.: Flexible and High-Performance Anonymization of NetFlow Records using Anontoo. In: SECURECOMM Conference (2007)Google Scholar
  7. 7.
    Gaertner, T.: A survey of kernels for structured Data. SIGKDD Explorations (2003)Google Scholar
  8. 8.
    Jinsong, W.: P2P Traffic Identification Based on NetFlow TCP Flag. In: Proceedings of the 2009 International Conference on Future Computer and Communication, pp. 700–703 (2009)Google Scholar
  9. 9.
    Kahn, L., Awad, M., Thuraisungham, B.: A new intrusion detection system using support vector machines and hierarchical clustering. The VLDB Journal 16(4), 507–521 (2007)CrossRefGoogle Scholar
  10. 10.
    Kaizaki, R., Nakamura, O., Murai, J.: Characteristics of Denial of Service Attacks on Internet using Aguri. In: Kahng, H.-K. (ed.) ICOIN 2003. LNCS, vol. 2662, pp. 849–857. Springer, Heidelberg (2003)Google Scholar
  11. 11.
    Karagiannis, T., Papagiannaki, K., Faloutsos, M.: BLINC: Multilevel Traffic Classification in the Dark. In: ACM SIGCOMM 2005, Philadelphia, Pennsylvania, USA (2005)Google Scholar
  12. 12.
    Karpilovsky, E.: Quantifying the Extent of IPv6 Deployment. In: Moon, S.B., Teixeira, R., Uhlig, S. (eds.) PAM 2009. LNCS, vol. 5448, pp. 13–22. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  13. 13.
    Krmicek, V.: NetFlow Based System for NAT Detection. In: Proceedings of the 5th International Student Workshop on Emerging Networking Experiments and Technologies (2009)Google Scholar
  14. 14.
    Lakhina, A., Crovella, M., Diot, C.: Mining Anomalies Using Traffic Feature Distributions. In: ACM SIGCOMM 2005, Philadelphia, Pennsylvania, USA (2005)Google Scholar
  15. 15.
    McGregor, A., Hall, M., Lorier, P., Brunskill, J.: Flow Clustering using Machine Learning. In: Barakat, C., Pratt, I. (eds.) PAM 2004. LNCS, vol. 3015, pp. 205–214. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  16. 16.
    Paredes-Oliva, I.: Portscan Detection with Sampled NetFlow. In: Papadopouli, M., Owezarski, P., Pras, A. (eds.) TMA 2009. LNCS, vol. 5537, pp. 26–33. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  17. 17.
    Schoelkopf, B., Smola, J.: Learning with kernels, ch. 1-3, pp. 1–78. MIT Press, Cambridge (2002)Google Scholar
  18. 18.
    Sommer, R.: NetFlow: Information loss or win? In: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurement, pp. 173–174 (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Cynthia Wagner
    • 1
  • Gerard Wagener
    • 1
  • Radu State
    • 1
  • Thomas Engel
    • 1
  1. 1.University of Luxembourg FSTC and SnT 

Personalised recommendations