Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
Charging from sampled network usage
IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
NATE: Network Analysis of Anomalous Traffic Events, a low-cost approach
Proceedings of the 2001 workshop on New security paradigms
A signal analysis of network traffic anomalies
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Traffic classification for application specific peering
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
New directions in traffic measurement and accounting: Focusing on the elephants, ignoring the mice
ACM Transactions on Computer Systems (TOCS)
Automatically inferring patterns of resource consumption in network traffic
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Estimating flow distributions from sampled flow statistics
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Flow sampling under hard resource constraints
Proceedings of the joint international conference on Measurement and modeling of computer systems
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Characterization of network-wide anomalies in traffic flows
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Internet traffic classification using bayesian analysis techniques
SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
A robust system for accurate real-time summaries of internet traffic
SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
BLINC: multilevel traffic classification in the dark
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Automated Traffic Classification and Application Identification using Machine Learning
LCN '05 Proceedings of the The IEEE Conference on Local Computer Networks 30th Anniversary
ACM SIGCOMM Computer Communication Review
Impact of packet sampling on anomaly detection metrics
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Is sampled data sufficient for anomaly detection?
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Optimal combination of sampled network measurements
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
The power of slicing in internet flow measurement
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
LADS: large-scale automated DDOS detection system
ATEC '06 Proceedings of the annual conference on USENIX '06 Annual Technical Conference
ProgME: towards programmable network measurement
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Monitoring streams: a new class of data management applications
VLDB '02 Proceedings of the 28th international conference on Very Large Data Bases
Fast classification and estimation of internet traffic flows
PAM'07 Proceedings of the 8th international conference on Passive and active network measurement
Learn more, sample less: control of volume and variance in network measurement
IEEE Transactions on Information Theory
Fast monitoring of traffic subpopulations
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Computer Networks: The International Journal of Computer and Telecommunications Networking
Measurouting: a framework for routing assisted traffic monitoring
INFOCOM'10 Proceedings of the 29th conference on Information communications
Revisiting the case for a minimalist approach for network flow monitoring
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Network DVR: a programmable framework for application-aware trace collection
PAM'10 Proceedings of the 11th international conference on Passive and active measurement
MeasuRouting: a framework for routing assisted traffic monitoring
IEEE/ACM Transactions on Networking (TON)
| Hi-index | 0.01 |
Flow records gathered by routers provide valuable coarse-granularity traffic information for several measurement-related network applications. However, due to high volumes of traffic, flow records need to be sampled before they are gathered. Current techniques for producing sampled flow records are either focused on selecting flows from which statistical estimates of traffic volume can be inferred, or have simplistic models for applications. Such sampled flow records are not suitable for many applications with more specific needs, such as ones that make decisions across flows As a first step towards tailoring the sampling algorithm to an application's needs, we design a generic language in which any particular application can express the classes of traffic of its interest. Our evaluation investigates the expressive power of our language, and whether flow records have sufficient information to enable sampling of records of relevance to applications. We use templates written in our custom language to instrument sampling tailored to three different applications--BLINC, Snort, and Bro. Our study, based on month-long datasets gathered at two different network locations, shows that by learning local traffic characteristics we can sample relevant flow records near-optimally with low false negatives in diverse applications