Guodong Li,Tao Qin,Wei Li

DOI: https://doi.org/10.1109/iccsnt.2011.6182135

2011-01-01

Abstract:Analysis and measurement of traffic features are crucial for effective network management and traffic control. In this paper we proposed several traffic flow models to aggregate traffic packets in multi-scales and entropy to measure the feature distribution hierarchically, and then seek for the important features and appropriate scale for traffic monitoring. DFlow model is a group of packets with identical triples: source address, destination address and destination port, and HFlow the same source and destination addresses. By removing traffic features from the NetFlow model, the aggregation scales are extended. Source and Destination addresses are selected to investigate the traffic characters with different flow models. The experimental results using actual traffic show that the number of flows is reduced when the aggregation scale is extended, and the entropy of normal traffic addresses is stable along with the monitoring time. On the other hand, the entropy of destination address is increased when the aggregation scales extended. Investigations into the traffic show that this is caused by the widely used of HTTP and Point to Point protocols. Analysis of the worm scanning traffic shows that the abnormal behavior patterns are more regularly than normal behavior and traffic features have the same entropy with different flow models. The results also show that the appropriate scale for traffic monitoring is the Dflow model, which reduced the data records by more than 30% while retain the traffic characters.

Yufeng Chen,Yabo Dong,Zhengtao Xiang,Dongming Lu

DOI: https://doi.org/10.1109/chinacom.2008.4685032

2008-01-01

Abstract:To obtain a trade-off between veracity and complexity when simulating TCP traffic, a hybrid simulating framework is proposed based on the packet-level simulation and aggregated control. The aggregated TCP traffic of access network in the gateway is proposed as simulated object, instead of the traffic generated at individual host or session level. The framework is divided into four parts: traffic generator, transmission controller, traffic sink and network. The traffic with self-similarity or multi-fractal property at application level is generated by traffic generator. The transmission controller sends packets to traffic sink based on aggregated control. The transmission controller also sends control information to traffic generator according to the status of network, and the traffic generator decides how to change the generating mode of traffic. The simulation results of non-congestion case and congestion case show the validity of the framework. The time cost shows our simulating framework possesses better performance.

Guang Cheng,Jian Gong,Yongning Tang

DOI: https://doi.org/10.1109/E2EMON.2007.375315

2007-01-01

Abstract:Online flow distribution monitoring is critical in instruction detection. However, high-speed traffic monitoring is significantly challenging for a monitoring system with limited resources (e.g., memory and processing cycles). Flow and packet sampling techniques are commonly adopted to tackle this problem. Flow sampling are reduce the variance of the estimators in short flows; However, it increases the estimated error for the heavy-tailed flow. On the other hand, passive sampling presents an opposite results. In this paper, we propose a novel flow sampling approach by taking advantage of both packet and flow sampling techniques. An effective flow estimator is also introduced to estimate flow distributions. Extensive simulations are conducted with real traffic data from CERNET backbone network traffic traces to evaluate the system performance and compare it with other traffic sampling approaches.

Yong Gan,Yong Zhang,Depei Qian

DOI: https://doi.org/10.1109/wicom.2009.5302469

2009-01-01

Abstract:The characteristic of network traffic volume is a crucial guidance for the network capacity of transferring online, and also a key parameter for network efficient and planning. Unfortunately, it is more difficult to measure full traffic trace with the advent of high speed network, so the investigation of traffic sampling measure becomes the focus of the study of high speed network traffic measurement. This paper analysis and study on sampling measurement technology, and then introduces an adaptive sampling measurement in detail. It is an improvement over fixed granularity systematic sampling. In course of measurement, the adaptive sampling algorithm adjusts the sampling granularity according to the packet arrival interval automatically. In this way, the adaptive sampling is much more accurate and economical than the static sampling method.

Guang Cheng,Yongning Tang,Wei Ding

DOI: https://doi.org/10.1007/978-3-540-72590-9_129

2007-01-01

Abstract:One crucial challenge in network flow monitoring is how to accurately and efficiently monitor the large volume of network flows. Several approaches proposed to address this challenge either lack flexibility adapting to greatly varying network traffic (e.g. sNetFlow), or require intensive computing resources (e.g. ANF). In this paper, we propose a novel double-sampling and hold approach for network flow monitoring to tackle this challenge. We take a coarse-grained packet sampling to initially reduce the total number of monitored packets; then, an enhanced fine-grained sample and hold algorithm (ESHA) is adopted to selectively add packets into flow cache. By optimally adjusting the ESHA sampling rate and taking Early Removal flow cache management scheme, the flow information can be maximized with given limited system resources. Extensive simulation and experiment studies show that our approach can significantly improve both the accuracy and efficiency in network flow monitoring than other methods.

Xiaoguo Zhang,Wei Ding

DOI: https://doi.org/10.4304/jnw.9.6.1416-1425

2014-01-01

Abstract:A great number of researches on network flow characteristics show a large proportion of the network flows are single-packet flows. However, almost all existing flow termination strategies have no optimization for single-packet flows, so the efficiency of flow-aggregation is lower. Based on in-depth study of flow characteristics and TCP protocol specifications, we find the packet status, packet arrival interval and SYN packet size can identify single-packet flows accurately, and then propose a flow-aggregation accelerating strategy for TCP traffic that aims to quickly identify single-packet flows. We build efficiency model and accuracy model to compare our strategy performance with others and make a lot of experiments on the traces collected from a main channel in the CERNET during the latest five years. The results prove our strategy can greatly improve the efficiency of flow-aggregation at the cost of very little loss of accuracy

Guolin Sun,Bruce Mareri,Guisong Liu,Xiufen Fang,Wei Jiang

DOI: https://doi.org/10.3837/tiis.2017.10.003

2017-01-01

KSII Transactions on Internet and Information Systems

Abstract:Today, smart grids, smart homes, smart water networks, and intelligent transportation, are infrastructure systems that connect our world more than we ever thought possible and are associated with a single concept, the Internet of Things (IoT). The number of devices connected to the IoT and hence the number of traffic flow increases continuously, as well as the emergence of new applications. Although cutting-edge hardware technology can be employed to achieve a fast implementation to handle this huge data streams, there will always be a limit on size of traffic supported by a given architecture. However, recent cloudbased big data technologies fortunately offer an ideal environment to handle this issue. Moreover, the ever-increasing high volume of traffic created on demand presents great challenges for flow management. As a solution, flow aggregation decreases the number of flows needed to be processed by the network. The previous works in the literature prove that most of aggregation strategies designed for smart grids aim at optimizing system operation performance. They consider a common identifier to aggregate traffic on each device, having its independent static aggregation policy. In this paper, we propose a dynamic approach to aggregate flows based on traffic characteristics and device preferences. Our algorithm runs on a big data platform to provide an end-to-end network visibility of flows, which performs high-speed and high-volume computations to identify the clusters of similar flows and aggregate massive number of mice flows into a few meta-flows. Compared with existing solutions, our approach dynamically aggregates large number of such small flows into fewer flows, based on traffic characteristics and access node preferences. Using this approach, we alleviate the problem of processing a large amount of micro flows, and also significantly improve the accuracy of meeting the access node QoS demands. We conducted experiments, using a dataset of up to 100,000 flows, and studied the performance of our algorithm analytically. The experimental results are presented to show the promising effectiveness and scalability of our proposed approach.

Rui Zhang,Nick Koudas,Beng Chin Ooi,Divesh Srivastava

DOI: https://doi.org/10.1145/1066157.1066192

2005-01-01

Abstract:ABSTRACTMonitoring aggregates on IP traffic data streams is a compelling application for data stream management systems. The need for exploratory IP traffic data analysis naturally leads to posing related aggregation queries on data streams, that differ only in the choice of grouping attributes. In this paper, we address this problem of efficiently computing multiple aggregations over high speed data streams, based on a two-level LFTA/HFTA DSMS architecture, inspired by Gigascope.Our first contribution is the insight that in such a scenario, additionally computing and maintaining fine-granularity aggregation queries (phantoms) at the LFTA has the benefit of supporting shared computation. Our second contribution is an investigation into the problem of identifying beneficial LFTA configurations of phantoms and user-queries. We formulate this problem as a cost optimization problem, which consists of two sub-optimization problems: how to choose phantoms and how to allocate space for them in the LFTA. We formally show the hardness of determining the optimal configuration, and propose cost greedy heuristics for these independent sub-problems based on detailed analyses. Our final contribution is a thorough experimental study, based on real IP traffic data, as well as synthetic data, to demonstrate the effectiveness of our techniques for identifying beneficial configurations.

JF Wang,L Li,MT Zhou,FJ Xu,FC Sun

DOI: https://doi.org/10.1109/glocom.2004.1378260

2004-01-01

Abstract:Collecting network traffic is becoming a more challenging task in passive network measurement due to the rapid growth of link speed. Flow-based network traffic capture and storage is an efficient way for high-speed network measurement. Based on the statistical investigation of the correlations between flow size and the maximum packet interinterval time of consecutive packets within a flow, we obtain the empirical conditional distribution functions for some popular TCP protocol-based application flows, and then propose a probability-guaranteed adaptive timeout algorithm (PGAT) for flow termination decision. The assessment criteria for the flow termination decision algorithm is systematically developed. Comparisons on flow generation ratio, flow intact ratio, and mean flow extra retaining time metrics indicate that the PGAT algorithm can obtain more attractive performance than other schemes.

Han Zhang,Wei Ding

DOI: https://doi.org/10.1109/CSIE.2009.615

2009-01-01

Abstract:Aggregate flow is the base methodology of network measurement and the orientation of next generation network management. For the same data, different flow specifications lead to different results, and the costs also vary significantly. To analyze the correlations among specifications, we select seven wide used specifications and calculate their single disparity degree and comprehensive similarity degree based on seven metrics: average flow number per second, average active flow number per second, average hold flow number per second, average flow recreate time, recreate flow number, unique flow number and aggregate flow cost. Comprehensive evaluation standard shows that the difference among flow specifications is less than 20%, and the specification of 16sec-5-tuple is significantly similar with 15sec-NetFlow. Moreover, the similarity between specifications of 2-tuple and 3-tuple granularity with the same timeout value is great, while 3-tuple costs comparatively less. We also summarize the correlations between specifications from the perspective of all the single metrics.

Shouxi Luo,Hongfang Yu,Le Min Li

DOI: https://doi.org/10.1109/icccn.2014.6911781

2014-01-01

Abstract:In OpenFlow-based SDN, flow tables are TCAM-hungry and commodity switches suffer from limited concrete flow table size. One method for coping with the limitations is to use aggregation schemes to reduce the number of flow entries required to represent the same forwarding semantics. Unfortunately, the aggregation retards table updates and lengthens the updating time. During which, the data plane is inconsistent with the control plane, forwarding errors such as Reachability Failures, Forwarding Loops, Traffic Isolation and Leakage are prone to occur. Since network updates take place frequently in practice, the aggregation scheme must be efficient enough. In this paper we propose offline FFTA (Fast Flow Table Aggregation) and its online improver iFFTA to shrink the flow table size and to provide practical fast updates. iFFTA is the first online non-prefix aggregation scheme. Extensive experiments demonstrate: (1) FFTA is about 200× faster than the previously published best non-prefix aggregation scheme without loss of compression ratio on offline aggregation; and (2) iFFTA achieves about 3× faster than FFTA on online update incorporations with a loss of an acceptable compression ratio per update. Thus the user could make a combination use of FFTA and iFFTA for table aggregations: call iFFTA usually and recall the efficient FFTA once the switch is running out of concrete flow table space.

Guang Cheng,Jun Yu

DOI: https://doi.org/10.1145/3095786.3095790

2017-01-01

Abstract:OpenFlow provides a statistics collection scheme for per-flow and aggregate metrics at a user-specified frequency. However, periodic polling for flow statistics cannot well balance the tradeoff between measurement accuracy and limited control channel bandwidth. To further discuss the resource/accuracy tradeoff, this paper extends OpenFlow protocol to add sampling action for each monitoring flow entry, and systematically sample the matching packets to infer the flow-level statistics. Although traffic sampling can somehow be error-prone, it will provide near-real-time measurements of flow dynamics and determine its accurate polling frequency, which the polling-based approach cannot achieve. In this paper, we propose a per-flow sampling solution to instruct the controller to adaptively adjust polling frequency, then evaluate it in the context of link utilization monitoring.

Jing Li,Chengchen Hu,Bin Liu

2005-01-01

Abstract:In order to provide high quality network management, traffic scheduling and network security, we need the per flow traffic information. However, in a highspeed net link, the flows number is so large that it is infeasible to gather and process all flows’ information accurately and efficiently. Several studies showed that a small percentage of flows account for most of the total network throughput. Therefore, monitoring just the highspeed flows is an efficient and practical method in traffic control. Before being able to monitor large flows, they must be distinguished first. Several papers have studied the problem of finding large flows, but the methods are either too complicated or request relatively too much memory and computation resources. In this paper, we present and analyze a simple but efficient algorithm to figure out the elephant flows. The proposed method only need few counters and can figure out nearly all the predefined large flows.

Xiaofei Bu,Yu-E Sun,Yang Du,Xiaocan Wu,Boyu Zhang,He Huang

DOI: https://doi.org/10.1007/s12083-020-01036-8

2021-01-11

Abstract:Detecting the flows with abnormally large spreads over big network data can help us identify network attacks, such as DDoS attacks and scanners. Most per-flow measurement studies use compact data structures to reduce their memory requirements, fitting in the limited on-chip memory and catching up with the line rate. In this paper, we study a novel problem called spread estimation among multi-periods to measure the total number of distinct elements or the number of distinct <i>k</i>-persistent elements in a flow among multiple traffic measurement periods. In our design, we use an on-chip/off-chip model to record the per-flow traffic information, which uses small on-chip memory and matches the line rate, <i>i.e.</i>, we use on-chip memory to filter out the duplicates, sample the elements, and store the sampled traffic data in off-chip memory. By performing the set operations on the sampled traffic data, we can derive the total number of distinct elements and the number of distinct <i>k</i>-persistent elements among multiple periods based on probability analysis. The experimental results on real Internet traffic traces show that, when performing spread estimation among multiple periods, our estimator is efficient in memory usage and estimation accuracy and can efficiently detect the stealthy DDoS attack and scanners.

computer science, information systems,telecommunications

CAI Shao-min,DING Wei,ZHANG Jun

DOI: https://doi.org/10.3969/j.issn.1001-7445.2011.z1.007

2011-01-01

Abstract:According to the requirement of NetFlow aggregation in NBOS system,an adaptive Hash algorithm for NetFlow aggregation based on the data character of the NetFlow and season model character of the network traffic was designed and realized.By comparison with other hash algorithms,it is proved to be the best algorithm in the performance of the uniformity,collision rate and calculating speed,so it can meet the needs of high-speed network traffic measurements.The adaptability of this algorithm makes it possible to be used in any situation that NBOS installs.

Chen Lou,Yu-E Sun,He Huang,Yang Du,Shigang Chen,Guoju Gao,Hongli Xu

DOI: https://doi.org/10.1109/ipccc55026.2022.9894330

2022-01-01

Abstract:Per-flow size measurement is a fundamental problem in network engineering and plays a pivotal role in many practical applications. Constrained by on-chip memory resources and packet processing speed, most existing solutions use compact data structures (i.e., sketches) to perform the line-speed measurement. However, sketches share the record units (bits/counters) among flows, inevitably introducing noises to each flow’s measurement result. Although they adopt an average denoising strategy to remove noises from the raw estimations, the accuracy for medium flows is still lacking. This paper complements the prior art and presents a novel per-flow size measurement method, Adaptive Denoising (ADN), which can provide more accurate estimates for online and offline queries. For an online query, we use the collected flow records for real-time estimation. For an offline query, we model the propagation of noises based on the optimization algorithm to produce flow size estimation with much better accuracy. Experimental results based on real Internet traffic traces show that our measurement solutions outperform the state-of-the-art approaches and reduce the mean absolute error by around one order of magnitude under the same on-chip memory usage.

Zhuo Li,Ziyu Liu,Jindian Liu,Yu Zhang,Teng Liang,Kaihua Liu

DOI: https://doi.org/10.1016/j.comcom.2024.04.020

IF: 5.047

2024-01-01

Computer Communications

Abstract:Network measurements are indispensable for efficient network management. As a probabilistic data structure, sketch is widely used in network measurements. To adapt to the skewed and dynamic distribution of network traffic, most of the existing sketch-based schemes separate large and small flows either by asymmetric structures or multilayer structures. However, the former approach requires further accuracy of measurement due to increased errors of small flows. And the latter approach limits the throughput due to the increased hash calculations for large flows. To this end, a novel sketch, called AGC Sketch, is proposed in this paper. By storing the large flows and small flows separately while maintaining the small flows, it can not only adapt to the skewed network traffic to achieve efficient memory utilization, but also accurately estimate the size of flows with high throughput. Moreover, AGC Sketch is implemented on CPU and OVS platform. The experimental results show that AGC Sketch greatly reduces the error by 90% for flow size estimation compared with the state-of-the-art schemes.

Chengchen Hu,Bin Liu,Sheng Wang,Jia Tian,Yu Cheng,Yan Chen

DOI: https://doi.org/10.1109/tcomm.2011.112311.100622

IF: 6.166

2012-01-01

IEEE Transactions on Communications

Abstract:Sampling technology has been widely deployed in network measurement systems to control memory consumption and processing overhead. However, most of the existing methods suffer from large errors for the estimation of small-size flows. To address this problem, we propose an adaptive non-linear sampling (ANLS) method for flow size estimation. Instead of statically pre-configuring the sampling rate, ANLS dynamically adjusts the sampling rate for each flow according to the value of a corresponding counter. A smaller sampling rate is utilized when the counter value is large, while a larger sampling rate is employed for a smaller counter. In this paper, the unbiased flow size estimation, the relative error, and the required counter size are studied through theoretical analysis and experimental evaluations. The analysis and experiments demonstrate that ANLS can significantly improve the estimation accuracy (particularly for small-size flows), and save memory consumption, while maintaining processing overhead comparable to existing methods. Moreover, we validate the design of ANLS by implementing an FPGA-based prototype, which is capable of measuring traffic throughput up to 26.5 Gbps.

Chen Hu,Shen Wang,Jinping Tian,B. Liu,Yu Cheng,Y. Chen

DOI: https://doi.org/10.1109/infocom.2007.14

2008-01-01

Abstract:Sampling technology has been widely deployed in measurement systems to control memory consumption and processing overhead. However, most of the existing sampling methods suffer from large estimation errors in analyzing small-size flows. To address the problem, we propose a novel adaptive non-linear sampling (ANLS) method for passive measurement. Instead of statically configuring the sampling rate, ANLS dynamically adjusts the sampling rate for a flow depending on the number of packets having been counted. We provide the generic principles guiding the selection of sampling function for sampling rate adjustment. Moreover, we derive the unbiased flow size estimation, the bound of the relative error, and the bound of required counter size for ANLS. The performance of ANLS is thoroughly studied through theoretic analysis and experiments under synthetic/real network data traces, with comparison to several related sampling methods. The results demonstrate that the proposed ANLS can significantly improve the estimation accuracy, particularly for small-size flows, while maintain a memory and processing overhead comparable to existing methods.

Tao Qin,Xiaohong Guan,Wei Li.,Pinghui Wang

DOI: https://doi.org/10.1109/ICCW.2008.45

2008-01-01

Abstract:Detecting and measuring the changes of temporal traffic patterns in large scale networks are crucial for effective network management. This paper presents the concept of region flow to aggregate traffic packets. Regions are defined by the IP prefix, and a region flow is a group of packets with the same source and destination region during a time interval. In this way, the number of flows can be reduced significantly and a better extraction of pivotal traffic metrics is generated. Three traffic features: source connection degree, destination connection degree and packet distribution ratio are proposed to capture the dynamic change of the flow patterns between regions and the Renyi cross entropy are applied to measure and detect the changes. The experimental results show that the method proposed in this paper can capture the dynamic traffic features effectively for 10Gbps backbone networks, and can be used for detecting abnormal network behaviors. ©2008 IEEE.