Fast payload-based flow estimation for traffic monitoring and network security

Authors:
Fang Hao;Murali Kodialam;T. V. Lakshman;Hui Zhang
Affiliations:
Bell Labs, Holmdel, NJ;Bell Labs, Holmdel, NJ;Bell Labs, Holmdel, NJ;NEC Laboratories America, Princeton, NJ
Venue:
Proceedings of the 2005 ACM symposium on Architecture for networking and communications systems
Year:
2005

Citing 7
Cited 1

New directions in traffic measurement and accounting

Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Automatically inferring patterns of resource consumption in network traffic

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Bitmap algorithms for counting active flows on high speed links

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Honeycomb: creating intrusion detection signatures using honeypots

ACM SIGCOMM Computer Communication Review
Real-Time Detection of Hidden Traffic Patterns

ICNP '04 Proceedings of the 12th IEEE International Conference on Network Protocols
Implementing and testing a virus throttle

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Autograph: toward automated, distributed worm signature detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13

Resilient workload manager: taming bursty workload of scaling internet applications

ICAC-INDST '09 Proceedings of the 6th international conference industry session on Autonomic computing and communications industry session

Quantified Score

Hi-index	0.00

Visualization

Abstract

Real-time IP flow estimation has many potential applications in network management, monitoring, security, and traffic engineering. Existing techniques typically rely on flow definitions being constrained as subsets of the fields in packet headers. This makes flow-membership tests relatively inexpensive. In this paper, we consider a more general flow estimation problem that needs complex packet-payload based tests for flow-membership. An example is to estimate traffic with common strings in the payload and detect potential virus signatures for early alarm generation. We develop a fast, memory efficient algorithm for solving this problem as a variant of the longest common subsequence problem. This is done via an application of Rabin fingerprinting in combination with Bloom Filters. Both analysis and simulation show the effectiveness of the developed method.