Tao Qin,Xiaohong Guan,Wei Li.,Pinghui Wang

DOI: https://doi.org/10.1109/ICCW.2008.45

2008-01-01

Abstract:Detecting and measuring the changes of temporal traffic patterns in large scale networks are crucial for effective network management. This paper presents the concept of region flow to aggregate traffic packets. Regions are defined by the IP prefix, and a region flow is a group of packets with the same source and destination region during a time interval. In this way, the number of flows can be reduced significantly and a better extraction of pivotal traffic metrics is generated. Three traffic features: source connection degree, destination connection degree and packet distribution ratio are proposed to capture the dynamic change of the flow patterns between regions and the Renyi cross entropy are applied to measure and detect the changes. The experimental results show that the method proposed in this paper can capture the dynamic traffic features effectively for 10Gbps backbone networks, and can be used for detecting abnormal network behaviors. ©2008 IEEE.

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Min Zhu

DOI: https://doi.org/10.1016/j.jnca.2013.10.008

IF: 7.574

2014-01-01

Journal of Network and Computer Applications

Abstract:Traffic pattern characteristics monitoring is useful for abnormal behavior detection and network management. In this paper, we develop a framework for connection degree calculation and measurement in high-speed networks. The bi-directional traffic flow model is employed to aggregate traffic packets, which can reduce the number of flow records and capture user's alternation behavior characteristics. The first order connection degree and joint correlation degree are selected as the features to capture the characteristics of traffic profiles. To perform careful traffic inspection and attack detection, not only the abnormal changes of a single traffic feature but also the correlations between the features are analyzed in the new framework. First, the symmetry of in and out connection degrees is analyzed. And we found that incomplete flows are an important information source for abnormal behavior detection. Second, joint correlation degree can characterize the user's communication profiles and their behavior dynamics, which are employed to perform abnormal detection using measurements based on Renyi cross entropy. Finally, the reversible degree sketch is employed for querying abnormal traffic pattern sources for real-time traffic management. The experimental results based on actual traffic traces collected from Northwest Regional Center of CERNET (China Education and Research Network) show the efficiency of the proposed method. The method based on Renyi entropy can detect abnormal changing points correctly. FNR of the reversible sketch for locating abnormal sources is below 4% and time complexity is constant and less than 4s, which is critical for real-time traffic monitoring.

Yan Tong,Jian Zhang,Wei Chen,Mingdi Xu,Tao Qin

DOI: https://doi.org/10.1007/978-3-319-78139-6_30

2017-01-01

Abstract:Focus on the difficulty of large-scale network traffic monitoring and analysis, this paper proposed the concepts of Group Behavior Flow model to aggregate traffic packets and perform abnormal behavior detection. Based on the flow model the pivotal traffic metrics can be extracted while the number of flow records are reduced significantly. Secondly, we employ the graph model to capture the traffic feature distribution between different group users. And optical flow analysis methods are proposed to extract the dynamic behavior changing features between different groups and achieve the goal of abnormal behavior detection. The experimental results based on actual traffic traces show that the methods proposed in this paper can capture the traffic features effectually in the current 10 Gbps network environment, and achieve the goal of abnormal behavior detection and abnormal source location, which is very important for traffic management.

Xi Chen,Kaoru Irie,David Banks,Robert Haslinger,Jewell Thomas,Mike West

DOI: https://doi.org/10.1080/01621459.2017.1345742

2016-07-10

Abstract:Traffic flow count data in networks arise in many applications, such as automobile or aviation transportation, certain directed social network contexts, and Internet studies. Using an example of Internet browser traffic flow through site-segments of an international news website, we present Bayesian analyses of two linked classes of models which, in tandem, allow fast, scalable and interpretable Bayesian inference. We first develop flexible state-space models for streaming count data, able to adaptively characterize and quantify network dynamics efficiently in real-time. We then use these models as emulators of more structured, time-varying gravity models that allow formal dissection of network dynamics. This yields interpretable inferences on traffic flow characteristics, and on dynamics in interactions among network nodes. Bayesian monitoring theory defines a strategy for sequential model assessment and adaptation in cases when network flow data deviates from model-based predictions. Exploratory and sequential monitoring analyses of evolving traffic on a network of web site-segments in e-commerce demonstrate the utility of this coupled Bayesian emulation approach to analysis of streaming network count data.

Methodology

Tao Qin,Xiaohong Guan,Qiuzhen Huang,Wei Li

DOI: https://doi.org/10.1109/WCICA.2010.5553902

2010-01-01

Intelligent Control and Automation

Abstract:Monitoring and measuring the dynamic changes of the traffic patterns are important for network management. In this paper, we propose the bidirectional flow model to aggregate the traffic packets, which is more efficacious to reflect the alternation character of the users. Then we select the one order and second order connection degree to capture the characteristic of the traffic patterns. The K-L divergence is proposed to measure the changes between the distributions of the degrees at the adjacent time point and decide whether there are abnormal changes. Finally, the China Reminder Theory is employed to design the sketch method for connection degree calculation and the abnormal connection holders query for real time monitoring. The experimental results in an actual networks show that the methods proposed in this paper are efficacious for dynamic change measurement and monitoring in the nowadays network. The remainder sketch methods can calculate the degree quickly and the abnormal connection degree holders can be located exactly, which are important for network management and active defense.

Fei Wu,Xiangdong Jiang,Weizha Ma,Ling Wang,Yundou Jiang,Song Guan,Xuebin Li,Manrui Song,Ming Liu,Meng Yin

DOI: https://doi.org/10.1109/ICCSEC.2017.8446799

2017-01-01

Abstract:Network traffic embodies network behaviors and users' activity patterns, which holds many inherent features and dynamic properties. Feature extraction for network traffic in the network plays an significantly important role in time-frequency synchronization applications. How to accurately extract the hidden properties and features of network traffic has an important impact on network activities, such as network failure positioning, anomaly detection, and performance analysis. To this end, this paper propose a new feature extraction method to characterize network traffic. Firstly, the time-frequency analysis theory is used to transform network traffic in time-frequency synchronization applications to the time-frequency domain. Then the cluster analysis theory is used to dig and extract network traffic feature components. And the k-means analysis method is exploited to refine the hidden features of network traffic in the time domain. Finally, to validate our feature analysis method, we conduct an anomaly detection test. Simulation results show that our approach is promising.

Chao Liu,Mo Zhao,Anuj Sharma,Soumik Sarkar

DOI: https://doi.org/10.1007/s42421-019-00003-x

2019-01-01

Journal of Big Data Analytics in Transportation

Abstract:To discover the spatial and temporal traffic patterns, this paper proposes a spatiotemporal graphical modeling approach, spatiotemporal pattern network (STPN), to explore traffic dynamics in large traffic networks. A measurement based on Granger causality is used to identify the characteristics of spatial and temporal traffic patterns. An anomaly score is estimated to detect and locate traffic incidents in diverse types and severities, and also to quantify the influence of incidents on traffic flow fluctuations. Built upon symbolic dynamics filtering, the proposed approach implements spatial and temporal feature extraction via discovering causal dependencies among road segments using STPN, system-wide pattern learning through an energy-based model, restricted Boltzmann machine, and inference using a newly developed root-cause analysis algorithm. Case studies are carried out using the probe vehicle data collected on Interstate Highway 80 in Iowa and the results show that the proposed approach is capable of (1) discovering and representing causal interactions among sub-systems (e.g., road segment) of a traffic network that provide valuable information for developing and applying customized traffic management strategies, (2) adaptively handling multiple nominal patterns mixed with anomalous data for effectively differentiating abnormal traffic system status and locating traffic incidents, and (3) quantifying the fluctuation of traffic flow and the severity of the detected incident via anomaly scores estimated from traffic speed behaviors. The findings from the case studies reiterate the importance of incorporating both temporal and spatial features for pattern analysis and incident detection. The proposed approach is built for real-time application and can be utilized for on-line incident detection.

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Qiuzhen Huang

DOI: https://doi.org/10.1016/j.jnca.2011.06.006

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:The randomness in network behaviors poses serious challenges for discovering abnormal patterns in network traffic flows. This paper presents a systematic approach for monitoring abnormal network traffic. The DFlow model is proposed to reduce the flow records and extract four features to capture the traffic patterns. The blind source separation method is applied to obtain the routine and abnormal behaviors from those features. A scale space filter is applied to filter the randomness in the traffic flows without affecting the behavior patterns. A threshold is selected based on a systematic criterion to evaluate the degree of abnormality. The contributions of different traffic features to the abnormal behavior detection are analyzed. It is found that the number of connection degree is the most important feature for traffic monitoring. A salient feature of this method is that it is effective for detecting the abnormal behaviors not associated with significant changes in traffic volumes. Another advantage of the new method is that no supervised learning process is needed. This is very important since high quality labeled samples are very difficult to acquire in actual networks especially the data traces associated with attacks. The experimental results based on the actual network data show that the method presented in the paper is effective for monitoring abnormal traffic flows in the gigabytes traffic environment and the accuracy is above 95%.

Jia Liu,Peng Gao,Jian Yuan,Xuetao Du

DOI: https://doi.org/10.1155/2010/375942

2010-01-01

Journal of Probability and Statistics

Abstract:Mechanisms to extract the characteristics of network traffic play a significant role in traffic monitoring, offering helpful information for network management and control. In this paper, a method based on Random Matrix Theory (RMT) and Principal Components Analysis (PCA) is proposed for monitoring and analyzing large-scale traffic patterns in the Internet. Besides the analysis of the largest eigenvalue in RMT, useful information is also extracted from small eigenvalues by a method based on PCA. And then an appropriate approach is put forward to select some observation points on the base of the eigen analysis. Finally, some experiments about peer-to-peer traffic pattern recognition and backbone aggregate flow estimation are constructed. The simulation results show that using about 10% of nodes as observation points, our method can monitor and extract key information about Internet traffic patterns.

Pengpeng Jiao,Huapu Lu,ShanShan Yang

2004-01-01

Abstract:Dynamic origin-destination (OD) flows are important input data for many real-time traffic management systems and are difficult to obtain. This paper reviewed the evolution process of dynamic OD-flow estimation, extracted knowledge from the on-line or off-line data gathered by an advanced traffic management system (ATMS), put forward ordinary and generalized least-squares estimation methods using time series of traffic counts and other pertinent information, and proposed a bi-level optimization model of dynamic OD-flow estimation for the network. The paper also designed an algorithm to solve the problem. Experimental results show that the model and algorithm are efficient and accurate, and can be applied in online systems.

Chuanhai Liu,S Vander Wiel,Jiahai Yang

DOI: https://doi.org/10.1109/JSAC.2003.814665

IF: 16.4

2003-01-01

IEEE Journal on Selected Areas in Communications

Abstract:The self-similarity of network traffic has been convincingly established based on detailed packet traces. This fundamental result promises the possibility of solving on-line and off-line traffic engineering problems using easily collectible coarse time-scale data, such as simple network management protocol measurements. This paper proposes a statistical model that supports predicting fine time-scale behavior of network traffic from coarse time-scale aggregate measurements. The model generalizes the commonly used fractional Gaussian noise process in two important ways: (1) it accommodates the recurring daily load patterns commonly observed on backbone links and (2) features of long range dependence and self-similarity are modeled only at fine time scales and are progressively damped as the time period increases. Using the data we collected on the Chinese Education and Research Network, we demonstrate that the proposed model fits 5-min data and generates 10-s aggregates that are similar to actual 10-s data.

Yibo XUE,Dawei WANG,Luoshi ZHANG

DOI: https://doi.org/10.3778/j.issn.1673-9418.1306030

2014-01-01

Abstract:Along with the rapid development of Internet, the Internet service providers (ISPs) and network manage-ment departments are urgent to analyze the operating state of Internet, in order to guarantee the usability, stability and security of Internet. However, due to the rapidly growing user number, the ever increasing Internet bandwidth, the continuous change of traffic characteristics and the more and more complexity of the new emerging applications, it is facing with more and more challenges for network analysis. Therefore, in order to solve these issues, this paper proposes a novel analysis theory and method, named as network flow field. Network flow field not only concerns the“solid”metrics such as network packets and flows, but also pays more attention to the distribution and trend of network traffic, so it can reveal the traffic distribution and the relationship among network hosts, thus can reflect the social attributes of Internet. Based on the qualitative and quantitative analysis, network flow field theory and method can analyze the network deeply by using a new kind of view, it can not only obtain the basic statistical information of network traffic, bus also dig out its secret and implication information, such as timing relationship, state transition relationship, private network topology, key paths and key nodes, etc. The experimental results show that network flow field theory and method can achieve a good performance. Therefore, network flow field theory can provide the efficient framework and model for network traffic analysis, so as to guide the further research of network manage-ment, analysis and measurement field.

Ja Liu,Depeng Jin,Jian Yuan,Wenzhu Zhang,Li Su,Lieguang Zeng

DOI: https://doi.org/10.1109/ams.2009.9

2009-01-01

Abstract:Mechanisms to extract the characteristics of network traffic play a significant role in the traffic monitoring, offering helpful information for network management and control. In this paper, a method based on random matrix theory (RMT) and principal components analysis (PCA) is proposed for monitoring and analyzing large scale traffic pattern of Internet. Besides the analysis of the largest eigenvalue in RMT, useful information is also extracted from the small eigenvalue by the method based on PCA. And then an appropriate approach is put forward to select some observation points on the base of the eigen analysis. Finally, some experiments about peer-to-peer traffic pattern recognition and backbone aggregate flow estimation are constructed. The simulation results shows that using about 10% nodes as observation points, our method can monitor and extract key information about Internet traffic pattern.

Chi Yuan, ,Zhengbin Li,Yongqi He,Anshi Xu

DOI: https://doi.org/10.1117/12.743767

2007-01-01

Abstract:Understanding network traffic behavior is essential for all aspects of network design and operation, e.g. component design, protocol design, provisioning, operations, administration and maintenance (OAM). A careful study of traffic behavior can lead to improvements in underlying protocols to attain greater efficiencies and higher performance. Many researches have shown that traffic in Ethernet and other networks, either in local or wide area networks, exhibit properties of self-similarity. Several empirical studies on network traffic indicate that this traffic is self-similar in nature. However, the network modeling methods used in current networks have been primarily designed and analyzed under the assumption of the traditional Poisson arrival process. These "Poisson-like" models suggest that the network traffic is smooth, which is inherently unable to capture the self-similar characteristic of traffic. In this paper, after introduce the high performance broadband information network (3Tnet) of China, an aggregation model at access convergence router (ACR) is proposed and analyzed in 3Tnet. We studied the impact of large-scale aggregation applied at the edge of 3Tnet in terms of the self-similarity level observed at the output traffic in presence of self-similar input traffic. Two formulas were presented to describe the changes of Hurst parameter. Using OPNET software simulator, changes of traffic characteristics after large-scale aggregation in 3Tnet was extensive studied. The theoretic analysis results were consistent with the simulation results.

Guodong Fang,Zhihong Deng,Hao Ma

DOI: https://doi.org/10.1109/FSKD.2009.444

2009-01-01

Abstract:To keep the network secure, it is necessary to monitor network traffic timely and effectively. The traditional methods for detecting network anomalies were mainly based on such ways as sampling, counting and aggregating, but they can not solve the problem of getting accurate and effective results well. In this paper we propose a new method that is based on the basic properties of frequent pattern mining problem and makes use of the vertical mining methods to mine frequent patterns from network traffic. Based on this algorithm, we build a prototype system to evaluate our algorithm on huge netflow data of campus network. The experimental result shows that this algorithm can detect network anomalies timely and effectively and can help network administrators achieve more effective monitoring on network.

Minha Lee,Chenfeng Xiong,Zheng Zhu,Weiyi Zhou,Lei Zhang

DOI: https://doi.org/10.1177/0361198119845650

2019-01-01

Transportation Research Record Journal of the Transportation Research Board

Abstract:A vast number of real-time corridor management strategies have been introduced because the dynamics of traffic patterns and increased congestion result in challenging problems on road systems. Although these strategies can offer positive impacts on regional traffic, their evaluation tools are often limited to the scope of one specific corridor. To fill this gap, this study integrates a mesoscopic dynamic traffic assignment simulation model with an existing traffic-responsive ramp metering strategy. This integrated model is suitable for network-wide analysis and large-scale simulation of integrated corridor management strategies. The integrated modeling platform is demonstrated as a practice-ready tool. We present a case study that explores the benefits of metering control under various traffic conditions in a real-world network in Maryland. Both local and network-wide impacts are illustrated in the case study. This is one of the first attempts to simultaneously analyze network-wide traffic impacts and capture minute-by-minute demand–supply interactions under managed corridor strategies. The results indicate that ramp metering is beneficial even under non-recurrent traffic conditions at multiple spatial resolutions.

Xiaofei Bu,Yu-E Sun,Yang Du,Xiaocan Wu,Boyu Zhang,He Huang

DOI: https://doi.org/10.1007/s12083-020-01036-8

2021-01-11

Abstract:Detecting the flows with abnormally large spreads over big network data can help us identify network attacks, such as DDoS attacks and scanners. Most per-flow measurement studies use compact data structures to reduce their memory requirements, fitting in the limited on-chip memory and catching up with the line rate. In this paper, we study a novel problem called spread estimation among multi-periods to measure the total number of distinct elements or the number of distinct <i>k</i>-persistent elements in a flow among multiple traffic measurement periods. In our design, we use an on-chip/off-chip model to record the per-flow traffic information, which uses small on-chip memory and matches the line rate, <i>i.e.</i>, we use on-chip memory to filter out the duplicates, sample the elements, and store the sampled traffic data in off-chip memory. By performing the set operations on the sampled traffic data, we can derive the total number of distinct elements and the number of distinct <i>k</i>-persistent elements among multiple periods based on probability analysis. The experimental results on real Internet traffic traces show that, when performing spread estimation among multiple periods, our estimator is efficient in memory usage and estimation accuracy and can efficiently detect the stealthy DDoS attack and scanners.

computer science, information systems,telecommunications

Hao Zheng,Yanan Jiang,Chen Tian,Qun Huang,Weichao Li,Yi Wang,Qianyi Huang,Jiaqi Zheng,Rui Xia,Yi Wang,Wanchun Dou,Guihai Chen,Cheng Long

DOI: https://doi.org/10.1109/tsc.2021.3103968

IF: 11.019

2021-01-01

IEEE Transactions on Services Computing

Abstract:Network measurement provides operators an efficient tool for many network management tasks such as performance diagnosis, traffic engineering and intrusion prevention. However, with the rapid and continuous growth of traffic speed, it needs more computing and memory resources to monitor traffic in per-flow or per-packet granularity. Sample-based measurement systems (e.g., NetFlow, sFlow) have been developed to perform coarse-grained measurement, but they may miss part of records, especially for mice flows, which are important for some network management tasks (e.g., anomaly detection, performance diagnosis). To address these issues, data streaming algorithms such as hash tables and sketches have been introduced to balance the trade-off among accuracy, speed, and memory usage. In this article, we present a systematic survey of various data structures, algorithms and systems which have been proposed in recent years to perform fine-grained measurement for high-speed networks. We organize these methods and systems from a software-defined perspective. In particular, we abstract fine-grained network measurement into three-layer architecture. We introduce the responsibility of each layer and categorize existing state-of-the-art works into this architecture. Finally, we conclude the article and discuss the future directions of fine-grained network measurement.

computer science, information systems, software engineering

Xiaodong Zang,Jian Gong,Maoli Wang,Peng Gao,Guowei Zhang

DOI: https://doi.org/10.1016/j.jnca.2023.103603

IF: 7.574

2023-04-01

Journal of Network and Computer Applications

Abstract:Discovering and describing IP traffic behavior is becoming more and more significant for efficient network management and security monitoring. Recently, many modeling techniques have been proposed, most of which focused on properties of a single dimension, such as volume-based or spatial-based. Characterizing IP traffic behavior with individual dimension features is often insufficient as they are spatiotemporally correlated. In this paper, we demonstrate that IP traffic behavior can be profiled from the perspective of end users’ access relationship. We find that groups of IPs have similar behavior traits, and with insights from the identified behavior profiles, we can discover malicious traffic behavior in the overwhelming measurement data. To this end, firstly, we extract a collection of features to profile traffic behavior from the dimension of temporal, spatial, category, and intensity. Then, we characterize and model the rhythmic behavior, the cyclical behavior, the access stable behavior, the service diversity behavior, and the hotspot behavior. Finally, we use the open-source dataset, synthetic data, and the real Internet Netflow data collected from the China Education Research Network backbone (CERNET) to empirically validate our proposal. Extensive results demonstrate that the applications of derived traffic patterns can achieve fine-grained traffic monitoring.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Jian Yuan,Kevin Mills

DOI: https://doi.org/10.1016/j.peva.2004.11.003

IF: 2.205

2005-01-01

Performance Evaluation

Abstract:Analyzing spatial-temporal characteristics of traffic in large-scale networks requires both a suitable analysis method and a means to reduce the amount of data that must be collected. Of particular interest would be techniques that reduce the amount of data needed, while simultaneously retaining the ability to monitor spatial-temporal behavior network-wide. In this paper, we propose such a method, motivated by insights about network dynamics at the macroscopic level. We define a weight vector to build up information about the influence of local behavior over the whole network. By taking advantage of increased correlations arising in large networks, this method might require only a few observation points to capture shifting network-wide patterns over time. This paper explains the principles underlying our proposed method, and describes the associated analytical process.