Entropy based adaptive flow aggregation

Authors:
Yan Hu;Dah-Ming Chiu;John C. S. Lui
Affiliations:
Department of Information Engineering, Chinese University of Hong Kong, Shatin, N.T., Hong Kong;Department of Information Engineering, Chinese University of Hong Kong, Shatin, N.T., Hong Kong;Department of Computer Science and Engineering, Chinese University of Hong Kong, Shatin, N.T., Hong Kong
Venue:
IEEE/ACM Transactions on Networking (TON)
Year:
2009

Citing 19
Cited 5

Elements of information theory

Elements of information theory
Charging from sampled network usage

IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
Adaptive random sampling for load change detection

SIGMETRICS '02 Proceedings of the 2002 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
New directions in traffic measurement and accounting

Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Automatically inferring patterns of resource consumption in network traffic

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
An information-theoretic approach to traffic matrix estimation

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Estimating flow distributions from sampled flow statistics

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Information-Theoretic Measures for Anomaly Detection

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Bitmap algorithms for counting active flows on high speed links

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Inverting sampled traffic

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Building a better NetFlow

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
FlowScan: A Network Traffic Flow Reporting and Visualization Tool

LISA '00 Proceedings of the 14th USENIX conference on System administration
The CoralReef Software Suite as a Tool for System and Network Administrators

LISA '01 Proceedings of the 15th USENIX conference on System administration
A robust system for accurate real-time summaries of internet traffic

SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Profiling internet backbone traffic: behavior models and applications

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
An information-theoretic approach to network monitoring and measurement

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Detecting anomalies in network traffic using maximum entropy estimation

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Bro: a system for detecting network intruders in real-time

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7

Access path based source address validation in mobile IPv6

NPC'11 Proceedings of the 8th IFIP international conference on Network and parallel computing
Efficient multidimensional aggregation for large scale monitoring

lisa'12 Proceedings of the 26th international conference on Large Installation System Administration: strategies, tools, and techniques
Review: A survey of network flow applications

Journal of Network and Computer Applications
Scalable identification and measurement of heavy-hitters

Computer Communications
Data summarization for network traffic monitoring

Journal of Network and Computer Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Internet traffic flow measurement is vitally important for network management, accounting and performance studies. Cisco's NetFlow is a widely deployed flow measurement solution that uses a configurable static sampling rate to control processor and memory usage on the router and the amount of reporting flow records generated. But during flooding attacks the memory and network bandwidth consumed by flow records can increase beyond what is available. Currently available countermeasures have their own problems: 1) reject new flows when the cache is full--some legitimate new flows will not be counted; 2) export not-terminated flows to make room for new ones--this will exhaust the export bandwidth; and 3) adapt the sampling rate to traffic rate--this will reduce the overall accuracy of accounting, including legitimate flows. In this paper, we propose an entropy based adaptive flow aggregation algorithm. Relying on information-theoretic techniques, the algorithm efficiently identifies the clusters of attack flows in real time and aggregates those large number of short attack flows into a few metaflows. Compared to currently available solutions, our solution not only alleviates the problem in memory and export bandwidth, but also significantly improves the accuracy of legitimate flows. Finally, we evaluate our system using both synthetic trace file and real trace files from the Internet.