Maintaining per-flow information and state is a crucial topic in network monitoring, and tracking per-flow state is a relatively new area. Two main approaches have been proposed for tracking state: Binned Duration Flow Tracking (BDFT) and Fingerprint-Compressed Filter Approximate Concurrent State Machine (FCF ACSM). BDFT, which uses Bloom filters, is time efficient, whereas FCF ACSM, which uses d-left hash tables, has near-perfect memory efficiency but a higher computational cost. This paper presents a hybrid method (BDFT-H) that employs the best features of BDFT and FCF ACSM to achieve both time and space efficiency. Performance analysis and comparisons are conducted for BDFT, FCF ACSM, and BDFT-H. These methods are all intended for implementation on high-speed routers, where resources such as memory and CPU time are limited. For the computational performance of the three schemes, our analysis finds that d-left hashing may require substantially more computational resources than Bloom filters. We also conduct simulations to compare the accuracy of the three schemes, and the results show that all three methods can achieve over 99% accuracy on traces of real traffic. The proposed BDFT-H provides the best overall tradeoff between time and space efficiency. Both BDFT and FCF ACSM may produce false positives. This paper also presents two additional BDFT extensions, BDFT-FPR (false positive removal) and BDFT-FPC (false positive correction), to deal with the false positive issue. Performance comparisons of BDFT and these two extensions are also conducted using real traffic traces.