Lei Gao,Jiahai Yang,Hui Zhang,Bin Zhang

DOI: https://doi.org/10.1109/APNOMS.2011.6077019

2011-01-01

Abstract:The fine-grained flow level measurement is getting increasing demand in recent years. Though it fails to be a generic solution for its biased sampling, NetFlow is promising for its compatibility with major routers and its convenience to perform direct flow level measurement of both IPv4 and IPv6 traffic. Traditional flow level measurement systems based on NetFlow are mostly centralized and each of them independently performs traffic analysis of its local flow records without any coordination in a large-scale network, suffering from unbalancing workload and bad scalability. In this paper we present the design, implementation and evaluation of FlowInfra which is a fault-resilient scalable infrastructure for network-wide flow measurement of pure IPv6 flow records from NetFlow v9 exports. Through the assessment of its performance and flexible features, we show that FlowInfra achieved enhanced ability and robustness to perform network-wide flow level measurement and satisfied the goal for IPv6 network operation and management with better scalability.

Shen Wenchao,Chen Yanjiao,Zhang Qianli,Chen Yang,Deng Beixing,Li Xing,Lv Guohan

DOI: https://doi.org/10.1109/CCCM.2009.5270414

2009-01-01

Abstract:Our understanding of IPv6 usage is quite limited. In this paper, we carry out a detailed analysis of Netflow records collected from a China Tier-1 ISP. Many aspects related to traffic attributes and deployment issues are investigated: application types, transitional technologies, interface identifier assignment schemes, etc. Dominating of video streaming and P2P traffic as well as the widely use of random identifiers for privacy are most peculiar characteristics in China's IPv6 networks. To have a better understanding of how IPv6 network is used, we studied users' behavior from several perspectives, such as the traffic volume produced by each user, number of applications he uses and the frequency he uses IPv6 networks. Results show that IPv6 is only effectively used by a small fraction of the users. On the whole, our study suggests that from our vantage point, China's IPv6 network is in the transitional phase from the initial experimental period to practical application. ©2009 IEEE.

Xi Sun,Xiang Chen,Di Wang,Zhengyan Zhou,Xinyue Jiang,Wenhai Wang,Chunming Wu,Haifeng Zhou

DOI: https://doi.org/10.1109/secon58729.2023.10287419

2023-01-01

Abstract:How to satisfy the latency and reliability requirements of flow data transfer is an essential problem. To address this problem, we propose RFT, a framework that aims to satisfy the user-specified latency and reliability requirements of flow data transfer, especially in the situation where the network resources are insufficient. Firstly, we formulate the problem of satisfying the user-specified latency and reliability requirements of data transfer via mixed integer linear programming (MILP), and a heuristic algorithm is then designed to solve it in a polynomialtime. Secondly, to satisfy these requirements under insufficient network resources, we proposed a greedy-based algorithm used to select the minimum number of links added to the network, which can be deployed with low cost, especially in production networks such as data centers. Finally, we have implemented RFT on a 64$\times$100 Gbps Intel Barefoot Tofino switch. Our experimental results indicate that RFT satisfies the user-specified latency and reliability requirements in all test cases at acceptable costs, even when the network resources are insufficient.

Qiang Li,Tao Qin,Xiaohong Guan,Qinghua Zheng

DOI: https://doi.org/10.3837/tiis.2014.04.009

2014-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the exhaustion of global IPv4 addresses, IPv6 technologies have attracted increasing attentions, and have been deployed widely. Meanwhile, new applications running over IPv6 networks will change the traditional traffic characteristics obtained from IPv4 networks. Traditional models obtained from IPv4 cannot be used for IPv6 network monitoring directly and there is a need to investigate those changes. In this paper, we explore the flow features of IPv6 traffic and compare its difference with that of IPv4 traffic from flow level. Firstly, we analyze the differences of the general flow statistical characteristics and users' behavior between IPv4 and IPv6 networks. We find that there are more elephant flows in IPv6, which is critical for traffic engineering. Secondly, we find that there exist many one-way flows both in the IPv4 and IPv6 traffic, which are important information sources for abnormal behavior detection. Finally, in light of the challenges of analyzing massive data of large-scale network monitoring, we propose a group flow model which can greatly reduce the number of flows while capturing the primary traffic features, and perform a comparative measurement analysis of group users' behavior dynamic characteristics. We find there are less sharp changes caused by abnormity compared with IPv4, which shows there are less large-scale malicious activities in IPv6 currently. All the evaluation experiments are carried out based on the traffic traces collected from the Northwest Regional Center of CERNET (China Education and Research Network), and the results reveal the detailed flow characteristics of IPv6, which are useful for traffic management and anomaly detection in IPv6.

Hongyan Liu,Xi Sun,Xiang Chen,Qun Huang,Dong Zhang,Haifeng Zhou,Chunming Wu,Xuan Liu,Muhammad Khurram Khan

DOI: https://doi.org/10.1016/j.jnca.2024.103904

IF: 7.574

2024-01-01

Journal of Network and Computer Applications

Abstract:Modern network measurement employs several measurement points in the substrate network. These points perform measurement tasks to measure traffic and report real-time events to monitoring servers in the control plane. These servers convert events to flow statistics and report them to network management applications, which require both low latency (i.e., collecting events within a limited time deadline) and high reliability (i.e., bounding the probability of event loss). However, existing solutions fail to satisfy the two requirements because they ignore the transmission latency and reliability when collecting events from measurement points to monitoring servers. In this paper, we propose Terra, a framework that aims to offer low-latency and reliable event collection. Terra provides a near-optimal heuristic that guides each measurement point to select monitoring servers to receive its events and corresponding network paths for transferring events with timeliness and reliability guarantee. We have implemented Terra on a 64 × 100Gbps Tofino-based switch. We conduct testbed experiments to demonstrate the effectiveness of Terra in practice. The results indicate that Terra offers low-latency and reliable event collection while preserving high application-level accuracy.

Yibo XUE,Dawei WANG,Luoshi ZHANG

DOI: https://doi.org/10.3778/j.issn.1673-9418.1306030

2014-01-01

Abstract:Along with the rapid development of Internet, the Internet service providers (ISPs) and network manage-ment departments are urgent to analyze the operating state of Internet, in order to guarantee the usability, stability and security of Internet. However, due to the rapidly growing user number, the ever increasing Internet bandwidth, the continuous change of traffic characteristics and the more and more complexity of the new emerging applications, it is facing with more and more challenges for network analysis. Therefore, in order to solve these issues, this paper proposes a novel analysis theory and method, named as network flow field. Network flow field not only concerns the“solid”metrics such as network packets and flows, but also pays more attention to the distribution and trend of network traffic, so it can reveal the traffic distribution and the relationship among network hosts, thus can reflect the social attributes of Internet. Based on the qualitative and quantitative analysis, network flow field theory and method can analyze the network deeply by using a new kind of view, it can not only obtain the basic statistical information of network traffic, bus also dig out its secret and implication information, such as timing relationship, state transition relationship, private network topology, key paths and key nodes, etc. The experimental results show that network flow field theory and method can achieve a good performance. Therefore, network flow field theory can provide the efficient framework and model for network traffic analysis, so as to guide the further research of network manage-ment, analysis and measurement field.

Zhen Chen,Lingyun Ruan,Junwei Cao,Yifan Yu,Xin Jiang

DOI: https://doi.org/10.1109/tst.2013.6574679

2013-01-01

Tsinghua Science & Technology

Abstract:The archiving of Internet traffic is an essential function for retrospective network event analysis and forensic computer communication. The state-of-the-art approach for network monitoring and analysis involves storage and analysis of network flow statistic. However, this approach loses much valuable information within the Internet traffic. With the advancement of commodity hardware, in particular the volume of storage devices and the speed of interconnect technologies used in network adapter cards and multi-core processors, it is now possible to capture 10 Gbps and beyond real-time network traffic using a commodity computer, such as n2disk. Also with the advancement of distributed file system （such as Hadoop, ZFS, etc.） and open cloud computing platform （such as OpenStack, CloudStack, and Eucalyptus, etc.）, it is practical to store such large volume of traffic data and fully in-depth analyse the inside communication within an acceptable latency. In this paper, based on well- known TimeMachine, we present TIFAflow, the design and implementation of a novel system for archiving and querying network flows. Firstly, we enhance the traffic archiving system named TImemachine+FAstbit （TIFA） with flow granularity, i.e., supply the system with flow table and flow module. Secondly, based on real network traces, we conduct performance comparison experiments of TIFAflow with other implementations such as common database solution, TimeMachine and TIFA system. Finally, based on comparison results, we demonstrate that TIFAflow has a higher performance improvement in storing and querying performance than TimeMachine and TIFA, both in time and space metrics.

Fuliang Li,Changqing An,Jiahai Yang,Jianping Wu,Hui Zhang

DOI: https://doi.org/10.1016/j.comcom.2013.09.014

IF: 5.047

2014-01-01

Computer Communications

Abstract:Our understanding of IPv6 traffic cannot keep up with the growth of IPv6 traffic. Unraveling the characteristics of traffic is essential for network scale expansion, network technology selection, network management and security enhancement. In this paper, we conduct a comprehensive study of IPv6 traffic based on the packet-level traces of a nation-wide pure IPv6 network - CERNET2, and track user behaviors in 6TUNET, one of the largest campus network in CERNET2, by binding IP address with user name. We first analyze the usage and development of IPv6 network, especially user behaviors and new technologies, e.g. the efficiency of fine-grained source address validation technology which is widely deployed in CERNET2. Then we investigate the distribution of the aggregate traffic and the results reveal that traffic distribution is highly skewed among protocols, ports, applications and hosts. We pay particular attention to dominating protocols, ports, applications and hosts, as well as special protocols of IPv6 network, e.g. the usage of extension headers, which supplement the simplified basic header of IPv6. At last, we model the skewness in traffic distribution and present the dynamics of the traffic from the aspects of traffic prediction and inference. Based on the analysis, we obtain a comprehensive knowledge of IPv6 traffic which, we believe, can provide an experimental basis for IPv6 network operators and researchers.

Lei Gao,Jiahai Yang,Hui Zhang,Donghong Qin,Bin Zhang

DOI: https://doi.org/10.1109/noms.2012.6211949

2012-01-01

Abstract:With IPv4 addresses quickly dwindling, the Internet is forcing an evolution of itself. During the long term transition from IPv4 to IPv6, what's going on in IPv6 world becomes unknown for network operators and researchers. In this paper, we propose a heuristic algorithm to identify p2p traffic accurately and implement traffic classification based on Netflow v9 exports to illustrate what applications Chinese IPv6 users are really running. Additionally, we present a detailed study of p2p traffic over IPv6 and advice ISPs to localize p2p traffic at the AS level for future IPv6 traffic management and network resources planning, leaving modeling traffic behavior and deeper classification of IPv6 traffic as our future work.

Liu Bin,Lin Chuang,Qiao Jian,He Jianping,Peter Ungsunan

DOI: https://doi.org/10.1016/j.comnet.2007.12.004

IF: 5.493

2008-01-01

Computer Networks

Abstract:In this paper, a flow analysis and monitoring system based on NetFlow is introduced. The system is built on a Browser–Server framework, aimed at enterprise networks. Data collection and display are separated into two modules, which makes the system clearly demarcated and easy to deploy. The data collection module receives and analyzes NetFlow-exported packets and inserts per flow record information into the Oracle database. The display module acts as a J2EE web server, fetches real-time or history traffic information from the database and shows it to web users. In addition to the above-mentioned functions, the most important part of the system is an IDS. A real-time anomalous traffic monitoring module with a stable matching pattern algorithm and two traffic statistic based intrusion detection algorithms – one algorithm is based on variance similarity while the other is based on Euclidean distance – are embedded in the system to detect worm and other malicious attacks. With the aim of identifying anomalous network traffic simply and effectively, a proved “join” strategy is also designed along with the two traffic statistic based intrusion detection algorithms. The whole IDS module is able to run with low computational complexity and high detection accuracy. Finally, we conduct experiments to verify the performance of our system.

Hao Zheng,Yanan Jiang,Chen Tian,Qun Huang,Weichao Li,Yi Wang,Qianyi Huang,Jiaqi Zheng,Rui Xia,Yi Wang,Wanchun Dou,Guihai Chen,Cheng Long

DOI: https://doi.org/10.1109/tsc.2021.3103968

IF: 11.019

2021-01-01

IEEE Transactions on Services Computing

Abstract:Network measurement provides operators an efficient tool for many network management tasks such as performance diagnosis, traffic engineering and intrusion prevention. However, with the rapid and continuous growth of traffic speed, it needs more computing and memory resources to monitor traffic in per-flow or per-packet granularity. Sample-based measurement systems (e.g., NetFlow, sFlow) have been developed to perform coarse-grained measurement, but they may miss part of records, especially for mice flows, which are important for some network management tasks (e.g., anomaly detection, performance diagnosis). To address these issues, data streaming algorithms such as hash tables and sketches have been introduced to balance the trade-off among accuracy, speed, and memory usage. In this article, we present a systematic survey of various data structures, algorithms and systems which have been proposed in recent years to perform fine-grained measurement for high-speed networks. We organize these methods and systems from a software-defined perspective. In particular, we abstract fine-grained network measurement into three-layer architecture. We introduce the responsibility of each layer and categorize existing state-of-the-art works into this architecture. Finally, we conclude the article and discuss the future directions of fine-grained network measurement.

computer science, information systems, software engineering

Zongyi Zhao,Xingang Shi,Arpit Gupta,Qing Li,Zhiliang Wang,Bin Xiong,Xia Yin

DOI: https://doi.org/10.1109/iwqos52092.2021.9521284

2021-01-01

Abstract:Flow-based network measurement enables operators to perform a wide range of network management tasks in a scalable manner. Recently, various algorithms have been proposed for flow record collection at very high speed. However, they all focus on processing traffic in a short time window, but overlook the fact that flow measurements are typically needed continuously for unlimited time. To this end, we propose a new algorithm named SuperFlow to support continuous and accurate flow record collection at very high speed by monitoring the flow activeness and exporting the inactive records from the data plane automatically. Our data structures and the corresponding algorithms are carefully designed and analyzed, so the above goal is achieved with limited memory and bandwidth consumption. We implement SuperFlow on both x86 CPU and state-of-the-art PISA target. Comprehensive experiments show that SuperFlow consistently outperforms its competitors significantly. Especially, compared with the best competitor, it records around 136.7% more flows, reduces the error in flow size estimation by 51.5%, and reduces the memory or bandwidth consumption by up to 71.0%, while bringing only negligible throughput degradation.

Zongyi Zhao,Xingang Shi,Xia Yin,Zhiliang Wang

DOI: https://doi.org/10.48550/arXiv.1812.01846

2018-12-05

Abstract:Collecting flow records is a common practice of network operators and researchers for monitoring, diagnosing and understanding a network. Traditional tools like NetFlow face great challenges when both the speed and the complexity of the network traffic increase. To keep pace up, we propose HashFlow, a tool for more efficient and accurate collection and analysis of flow records. The central idea of HashFlow is to maintain accurate records for elephant flows, but summarized records for mice flows, by applying a novel collision resolution and record promotion strategy to hash tables. The performance bound can be analyzed with a probabilistic model, and with this strategy, HashFlow achieves a better utilization of space, and also more accurate flow records, without bringing extra complexity. We have implemented HashFlow, as well as several latest flow measurement algorithms such as FlowRadar, HashPipe and ElasticSketch, in a P4 software switch. Then we use traces from different operational networks to evaluate them. In these experiments, for various types of traffic analysis applications, HashFlow consistently demonstrates a clearly better performance against its state-of-the-art competitors. For example, using a small memory of 1 MB, HashFlow can accurately record around 55K flows, which is often 12.5% higher than the others. For estimating the sizes of 50K flows, HashFlow achieves a relative error of around 11.6%, while the estimation error of the best competitor is 42.9% higher. It detects 96.1% of the heavy hitters out of 250K flows with a size estimation error of 5.6%, which is 11.3% and 73.7% better than the best competitor respectively. At last, we show these merits of HashFlow come with almost no degradation of throughput.

Networking and Internet Architecture

Zongyi Zhao,Xingang Shi,Zhiliang Wang,Qing Li,Han Zhang,Xia Yin

DOI: https://doi.org/10.1109/tpds.2021.3099442

IF: 5.3

2022-05-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Traditional tools like NetFlow face great challenges as both the speed and the complexity of the network traffic increase. To keep the pace up, we propose HashFlow for more efficient and accurate collection of flow records. HashFlow keeps large flows in its main flow table and uses an ancillary table to summarize the other flows when the main table is full. With our flow collision resolution and flow record promotion schemes, a flow in the ancillary table is promoted back to the main flow table with a guaranteed probability when it becomes large enough. These operations can be performed highly efficiently, so HashFlow can keep up with ultra-high traffic speed. We implement HashFlow in a Tofino switch, and using traces from different operational networks, we compare its performance against some state-of-the-art flow measurement algorithms. Our experiments show that, for various types of traffic analysis applications, HashFlow consistently demonstrates clearly better performance than its competitors. For example, the performance of HashFlow in flow size estimation, flow size distribution estimation and heavy hitter detection is up to 21, 60 and 35 percent better than those of the best competitors respectively, and these merits of HashFlow come with almost no degradation of throughput.

computer science, theory & methods,engineering, electrical & electronic

ZHANG Jin,LIU Qingrang,SI Liang,WU Jiangxing

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.10.004

2007-01-01

Abstract:Explicit measurement of per-flow traffic is difficult in backbone networks because it needs large high-speed memories.The main contribution of this paper is a new flow traffic measurement algorithm based on two-layer memory hierarchy.Such memory hierarchy is constructed by small high-speed memory on the first layer and large low-speed memory on the second layer.Illumined by Quasi-Zipf’s law of network flow size,the measurement algorithm inclines to save the state information of flows with heavy traffic in layer-one memory and that of flows with light traffic in layer-two memory.The two-layer memory hierarchy makes a better tradeoff between space and speed compared with large high-speed memories.It shows experimentally that the algorithm proposed in this paper has a smaller and fairer estimation error.

Hao Wu,Peilong Liu,Kai Liu,Jian Yan,Linling Kuang

DOI: https://doi.org/10.1109/iccc56324.2022.10065692

2022-01-01

Abstract:Based on software-defined networking (SDN), many online service providers deploy novel online traffic engineering (TE) schemes in their data center networks. The online TE epoch usually ranges from several hundred milliseconds to a few minutes, which is shorter than the duration of some flows. These flows may suffer inconsistent quality-of-service (QoS) between TE epochs, which leads to degradation in flow utility functions and the total network utility. Although effective in packet-level QoS improvement, conventional TCP variants and queueing designs cannot address the QoS inconsistency since flow-level information, including flow service history and flow utility function, is not considered. This paper proposes a flow-level traffic scheduling (FLTS) method to improve flow QoS consistency and network utility. We propose a flow measurement mechanism that factors the service history and residual demand into the flow priorities. For background flows, we establish a G/G/1 queueing model in traffic sources and propose a traffic rate control mechanism to minimize the queueing time. Simulation results demonstrate that FLTS outperforms two typical conventional approaches with an 18% to 29% improvement in network utility under heavy traffic loads.

Zhen Chen,Xi Shi,Ling-Yun Ruan,Feng Xie,Jun Li

DOI: https://doi.org/10.1109/ICCCN.2012.6289215

2012-01-01

Abstract:Archiving Internet traffic is an essential function for retrospective network event analysis. The state-of-art approach for network monitoring and analysis is storing and analyzing the statistics of network flows. However this approach loses much valuable information inside Internet traffic. With the advancement of commodity hardware, especially the volume of storage device and the speed of interconnect technologies used in network adapter card, now it is practical to capture 10Gbps real-time network traffic with a commodity computer. In this context, this paper presents the design and implementation of a novel system for archiving and querying network flows. A flow granularity indexing and storage mechanism is proposed, and the bitmap index database is utilized to store index information. Based on real network traces, we demonstrate that the system has a higher performance in storing and querying with respect to both time and space metrics compared with traditional methods.

Tao Qin,Xiaohong Guan,Wei Li.,Pinghui Wang

DOI: https://doi.org/10.1109/ICCW.2008.45

2008-01-01

Abstract:Detecting and measuring the changes of temporal traffic patterns in large scale networks are crucial for effective network management. This paper presents the concept of region flow to aggregate traffic packets. Regions are defined by the IP prefix, and a region flow is a group of packets with the same source and destination region during a time interval. In this way, the number of flows can be reduced significantly and a better extraction of pivotal traffic metrics is generated. Three traffic features: source connection degree, destination connection degree and packet distribution ratio are proposed to capture the dynamic change of the flow patterns between regions and the Renyi cross entropy are applied to measure and detect the changes. The experimental results show that the method proposed in this paper can capture the dynamic traffic features effectively for 10Gbps backbone networks, and can be used for detecting abnormal network behaviors. ©2008 IEEE.

Weisheng Si,Balume Mburano,Wei Xing Zheng,Tie Qiu

DOI: https://doi.org/10.48550/arXiv.2012.00877

2021-07-02

Abstract:Infrastructure networks such as the Internet backbone and power grids are essential for our everyday lives. With the prevalence of cyber-attacks on them, measuring their robustness has become an important issue. To date, many robustness metrics have been proposed. It is desirable for a robustness metric to possess the following three properties: considering global network topologies, strictly increasing upon link additions, and having a quadratic complexity in terms of the number of nodes on sparse networks. This paper proposes to use Average Network Flow (ANF) as a robustness metric, and proves that it increases strictly, and gives an algorithm to compute ANF with a quadratic complexity by leveraging Gomory-Hu trees. Thus, with ANF intrinsically considering global network topologies, ANF is unveiled to be a new robustness metric satisfying those three properties. Moreover, this paper compares ANF with seven existing representative metrics, showing that each metric has its own characteristics, so there is no silver bullet in measuring network robustness and it is recommended to apply several metrics together to gain a comprehensive view. Finally, by experimenting on the scenarios in which network topologies preserve the same numbers of nodes and links, some interesting behaviors of robustness metrics are reported.

Social and Information Networks,Networking and Internet Architecture

Tianyu Cui,Chang Liu,Gaopeng Gou,Junzheng Shi,Gang Xiong

DOI: https://doi.org/10.48550/arXiv.2204.09539

2022-04-20

Networking and Internet Architecture

Abstract:Since the lack of IPv6 network development, China is currently accelerating IPv6 deployment. In this scenario, traffic and network structure show a huge shift. However, due to the long-term prosperity, we are ignorant of the problems behind such outbreak of traffic and performance improvement events in accelerating deployment. IPv6 development in some regions will still face similar challenges in the future. To contribute to solving this problem, in this paper, we produce a new measurement framework and implement a 5-month passive measurement on the IPv6 network during the accelerating deployment in China. We combine 6 global-scale datasets to form the normal status of IPv6 network, which is against to the accelerating status formed by the passive traffic. Moreover, we compare with the traffic during World IPv6 Day 2011 and Launch 2012 to discuss the common nature of accelerating deployment. Finally, the results indicate that the IPv6 accelerating deployment is often accompanied by an unbalanced network status. It exposes unresolved security issues including the challenge of user privacy and inappropriate access methods. According to the investigation, we point the future IPv6 development after accelerating deployment.