Zhen Chen,Lingyun Ruan,Junwei Cao,Yifan Yu,Xin Jiang

DOI: https://doi.org/10.1109/tst.2013.6574679

2013-01-01

Tsinghua Science & Technology

Abstract:The archiving of Internet traffic is an essential function for retrospective network event analysis and forensic computer communication. The state-of-the-art approach for network monitoring and analysis involves storage and analysis of network flow statistic. However, this approach loses much valuable information within the Internet traffic. With the advancement of commodity hardware, in particular the volume of storage devices and the speed of interconnect technologies used in network adapter cards and multi-core processors, it is now possible to capture 10 Gbps and beyond real-time network traffic using a commodity computer, such as n2disk. Also with the advancement of distributed file system （such as Hadoop, ZFS, etc.） and open cloud computing platform （such as OpenStack, CloudStack, and Eucalyptus, etc.）, it is practical to store such large volume of traffic data and fully in-depth analyse the inside communication within an acceptable latency. In this paper, based on well- known TimeMachine, we present TIFAflow, the design and implementation of a novel system for archiving and querying network flows. Firstly, we enhance the traffic archiving system named TImemachine+FAstbit （TIFA） with flow granularity, i.e., supply the system with flow table and flow module. Secondly, based on real network traces, we conduct performance comparison experiments of TIFAflow with other implementations such as common database solution, TimeMachine and TIFA system. Finally, based on comparison results, we demonstrate that TIFAflow has a higher performance improvement in storing and querying performance than TimeMachine and TIFA, both in time and space metrics.

Zhen Chen,Lin-yun Ruan,Jun Li,Shuai Ding,Fu-ye Han,Hang Li,Wen-yu Dong

2014-01-01

Abstract:With the popularity of Internet applications and widespread use of mobile Internet, the Internet traffic maintains a rapid growth over the past decades. Internet traffic archival system (ITAS) for packets or flow records becomes more and more widely used in network monitor, network troubleshooting, user behavior and experience analysis etc. In this paper, we survey the design and implementation of several typical traffic archival systems. We analyze and compare the architectures and key technologies backing up Internet traffic archival system, and summarize the key technologies which include packet/flow capturing, packet/flow storage and bitmap index encoding algorithm, and dive into the packet/flow capturing technologies. Then, we propose the design and implementation of TiFaflow traffic archival system. Finally, we summarize and discuss the future direction of Internet traffic archival systems.

Chao Jiang,Jinlin Wang,Yang Li

DOI: https://doi.org/10.3390/electronics10020191

IF: 2.9

2021-01-01

Electronics

Abstract:Historical network traffic retrieval, both at the packet and flow level, has been applied in many fields of network security, such as network traffic analysis and network forensics. To retrieve specific packets from a vast number of packet traces, it is an effective solution to build indexes for the query attributes. However, it brings challenges of storage consumption and construction time overhead for packet indexing. To address these challenges, we propose an efficient indexing scheme called IndexWM based on the wavelet matrix data structure for packet indexing. Moreover, we design a packet storage format based on the PcapNG format for our network traffic collection and retrieval system, which can speed up the extraction of index data from packet traces. Offline experiments on randomly generated network traffic and actual network traffic are performed to evaluate the performance of the proposed indexing scheme. We choose an open-source and widely used bitmap indexing scheme, FastBit, for comparison. Apart from the native bitmap compression method Word-Aligned Hybrid (WAH), we implement an efficient bitmap compression method Scope-Extended COMPAX (SECOMPAX) in FastBit for performance evaluation. The comparison results show that our scheme outperforms the selected bitmap indexing schemes in terms of time consumption, storage consumption and retrieval efficiency.

Puguang Liu,Shuhui Chen,Baokang Zhao

DOI: https://doi.org/10.1109/icocn59242.2023.10236164

2023-01-01

Abstract:Network traffic utilization finds extensive applications in network management, network security, IT business, and various other fields. The traffic utilization process comprises three stages: traffic collection, traffic storage, and traffic analysis application. The network traffic storage system serves as the fundamental foundation for traffic utilization. However, the rapid growth in network performance and the diversification of network applications pose significant challenges to the design of network traffic storage systems, including concerns over traffic storage overhead and traffic processing overhead. In this paper, we introduce an efficient network traffic storage system design, which applies three algorithms—compression, decompression, and sorting—to achieve storage efficiency and traffic query efficiency. Furthermore, we explore the utilization of efficient hardware to accelerate these key algorithms. Additionally, we provide a preliminary evaluation of the effect of hardware acceleration.

Robert Schweller,Zhichun Li,Yan Chen,Yan Gao,Ashish Gupta,Yin Zhang,Peter Dinda,Ming-Yang Kao,Gokhan Memik

DOI: https://doi.org/10.1109/INFOCOM.2006.203

2006-01-01

Abstract:A key function for network traffic monitoring and analysis is the ability to perform aggregate queries over multiple data streams. Change detection is an important primitive which can be extended to construct many aggregate queries. The recently proposed sketches [1] are among the very few that can detect heavy changes online for high speed links, and thus support various aggregate queries in both temporal and spatial domains. However, it does not preserve the keys (e.g., source IP address) of flows, making it difficult to reconstruct the desired set of anomalous keys. In an earlier abstract we proposed a framework for a reversible sketch data structure that offers hope for efficient extraction of keys [2]. However, this scheme is only able to detect a single heavy change key and places restrictions on the statistical properties of the key space.To address these challenges, we propose an efficient reverse hashing scheme to infer the keys of culprit flows from reversible sketches. There are two phases. The first operates online, recording the packet stream in a compact representation with negligible extra memory and few extra memory accesses. Our prototype single FPGA board implementation can achieve a throughput of over 16 Gbps for 40-byte-packet streams (the worst case). The second phase identifies heavy changes and their keys from the representation in nearly real time. We evaluate our scheme using traces from large edge routers with OC-12 or higher links. Both the analytical and experimental results show that we are able to achieve online traffic monitoring and accurate change/intrusion detection over massive data streams on high speed links, all in a manner that scales to large key space size. To the best of our knowledge, our system is the first to achieve these properties simultaneously.

Jiale Chen,Xingshu Chen,Liangguo Chen,Xiao Lan,Yonggang Luo

DOI: https://doi.org/10.1109/globecom54140.2023.10437924

2023-01-01

Abstract:Network packets record communication behaviors and details, which is important for security audits, attack detection, and forensic analysis. For the effectiveness and timeliness of security analysis, it is necessary to fully store network packets and build an efficient packet index. However, the existing packet indexing algorithms based on the radix tree ignore the distribution characteristics of network traffic and use internal nodes with the same capacity for index construction, resulting in wasted disk space and poor retrieval performance. As a solution, $w$ e propose ANTI, an adaptive network traffic indexing algorithm similar to Adaptive Radix Tree, which can adaptively switch internal nodes with different capacity according to the density of network traffic and compress the common prefix and distinct suffix of traffic attributes to balance the index construction performance and space utilization. We also implement a packet-aware network traffic archiving and indexing system to achieve full packet archival, efficient indexing, and fast retrieval. Finally, we empirically evaluate ANTI in IPv4 (IPv6) traffic scenarios, and the results confirm the effectiveness of ANTI as well as the benefit of adopting ANTI for enhancing indexing and retrieval performance compared with other state-of-art algorithms.

Kuai Xu,Feng Wang,Supratik Bhattacharyya,Zhi-Li Zhang

DOI: https://doi.org/10.1109/dsn.2007.10

2007-01-01

Abstract:This paper presents the design and implementation of a real-time behavior profiling system for high-speed Internet links. The profiling system uses flow-level information from continuous packet or flow monitoring systems, and uses data mining and information-theoretic techniques to automatically discover significant events based on the communication patterns of end-hosts. We demonstrate the operational feasibility of the system by implementing it and performing extensive benchmarking of CPU and memory costs using a variety of packet traces from OC-48 links in an Internet backbone network. To improve the robustness of this system against sudden traffic surges such as those caused by denial of service attacks or worm outbreaks, we propose a simple yet effective filtering algorithm. The proposed algorithm successfully reduces the CPU and memory cost while maintaining high profiling accuracy.

Aoying Zhou,Ying Yan,Xueqing Gong,Jianlong Chang,Dai

DOI: https://doi.org/10.1109/icde.2008.4497625

2007-01-01

Abstract:Network traffic monitoring have been gaining attentions due to its importance in telecom industry. However, the monitoring systems deployed in telecom operators are usually too slow because of their disk-based processing approach. To address this problem, an online network traffic monitoring system, named SMART, is designed and developed. The system converts different formats of raw Netflow data (Netflow IPv5, IPv7 and IPv9) to user-defined control flows through combination and filtering. It can compute top-k frequent flows with sliding window, detects burst on arbitrary attributes, and presents results visually to users. The system could be used to replace the traditional offline monitoring system used in Shanghai Telecom. In its daily operation, it is shown that the processing speed achieves 30,000 flows per second. The basis of advanced streaming algorithms and design of robust system architecture enable SMART to achieve good performance.

Tian Pan,Xiaoyu Guo,Chenhui Zhang,Junchen Jiang,Hao Wu,Bin Liu

DOI: https://doi.org/10.1109/infcom.2012.6195535

2012-01-01

Abstract:Today's Internet applications exhibit increased diversity, while the Internet routers are still oblivious to this trend. To improve the end-to-end application QoS, one solution is to embed the application information explicitly in packet headers, but it will bring global changes. Another local solution is router-assisted traffic differentiation. To achieve this, the functionalities including packet identification and flow tracking inside the router are required. While most existing studies focus on the former, fewer efforts are put on the later. Given a large flow table is involved, how to track millions of concurrent flows in a cost-effective manner on a router's line card raises a great space-time challenge. To address this, we design an on-chip/off-chip flow tracking system to accommodate millions of flows and achieve the throughput at tens of Gigabits. By exploiting temporal locality and heavy-tailedness of Layer-4 traffic, we design the Adaptive Least Frequently Evicted (ALFE) replacement policy to catch elephant flows, therefore maintain a high cache hit rate. To alleviate performance penalty due to the cache misses, we organize the flow table in a fixed-allocated manner to fully utilize modern DRAM's burst feature. We have implemented a research prototype using FPGA for performance evaluation. The experiment results show that our system can reach 80% hit rate with a small-sized cache of 16K entries, while achieving 70Mpps throughput. This enables backbone line rate processing. Further, more than 40% power saving can be achieved by our system, which is fast and accurate with only 3% FPGA resource usage.

Jun Li,Shuai Ding,Ming Xu,Fuye Han,Xin Guan,Zhen Chen

DOI: https://doi.org/10.1109/ICNDC.2011.20

2011-01-01

Abstract:With the proliferation of network applications and user groups, the network stream data scale are getting larger and larger. To manage and analyze the massive data to get better service for end users (a.k.a. network optimization) or understanding of impacts of new network applications are attracting many researchers. This paper focuses on the storage and real-time retrieval of network traffic for analysis. We address this problem by integrating Time Machine and FastBit as a real-time querying and storage of massive stream data system, named TIFA. TIFA is designed for operation in Gbps network, accompanied with UTM as a module or an independent device. It leverages multiple large volume storages, and can achieve Ten TB level in volume. It has been proved useful in the performance of querying and storage of massive stream data in the experiments.

Changqing An,Jiahai Yang,Fang Meng

DOI: https://doi.org/10.1109/icct.2006.341800

2006-01-01

Abstract:Network traffic characteristics in operational network is crucial to network design and operation. As the network bandwidth grows, it's difficult for capturing and storing a detailed record for every packet. In this paper we present a traffic capture system which is implemented at network processor. Both lab experiment and real network operation prove that the capture system is able to process gigabit line rate with a good stability. A data compression method focusing on IPv6 address redundancy and combining flow and packet information together is given for IPv6 trace and alleviates the data storage pressure. Tests show it can compress the storage several fold without losing detailed trace information.

LI Wei,XIAO Zong-shui,LIU Peng,XU Cheng-qiang

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.23.054

2006-01-01

Abstract:Network traffic measurement is a fundamental work in network management,while research on measurement architecture is regarded as a base and an important approach.The characteristics of traditional traffic measurement methods are analyzed,primary prob-lems in traffic measurement of high-speed network are investigated.To prove its practicability,with the flow-mergence method adopted,a new traffic measurement architecture based on distributed probes for high-speed IP network is proposed which is developed based on Linux and open-source software.Its framework,characteristics and merits are also analyzed.The architecture provided an applied platform and an analysis interface for high-speed traffic measurement.We believe there is a nice future in its application.

Yinjun Wu,Zhen Chen,Junwei Cao,Haoxun Li,Chenxing Li,Yijie Wang,Wenxun Zheng,Jiahui Chang,Jing Zhou,Ziwei Hu,Jinghong Guo

DOI: https://doi.org/10.1109/lcomm.2016.2551719

IF: 3.5529

2016-01-01

IEEE Communications Letters

Abstract:Traffic archival, an indispensable task for network analysis, has suffered from a huge amount of data. These rapid growing data can exceed storage capacity and thwart real-time analysis. In order to take insight from Internet traffic, bitmap indexing is applied in this field. However, raw bitmap indexes can consume more space and longer delay for loading larger indexes into memory. This leads to the invention of various bitmap index compression algorithms to save storage and ensure query efficiency. This paper proposes a new algorithm called common affix merging with partition. By merging common affixes in a bit sequence, it saves more storage and conducts at least one order of magnitude faster bitwise operations when compared with ROARING, WAH, CONCISE, and COMPAX. In practice, besides bitwise operations, a query should also contain the operations of loading index files into memory. The experimental results demonstrate that the speedup is still considerable even taking loading time into consideration.

Chuan Xu -,Weiren Shi -,Qingyu Xiong -

DOI: https://doi.org/10.4156/jcit.vol6.issue4.27

2011-01-01

Journal of Convergence Information Technology

Abstract:Recently, it is becoming increasingly difficult to implement effective systems for real-time network monitoring for large variety of applications including accounting, traffic identification and abnormal detection. The current solutions have to resort to custom capturing hardware that usually comes with high cost, and software-based capturing solutions, such as libpcap, cannot cope with 10Gbps link rates. In this article, we propose an architecture customized for parallel execution of packet analysis using commodity multi-core processor which now broadly implemented in personal computer. On our approach, the packets are dispatched with similar properties to same core and partitioned into several parts, which allows threads maintained in each core for concurrent execution. Numerical results based on real Campus network traffic data are presented to demonstrate the good performance and effectiveness of our system.

Fengyu Wang,Xiaochun Yun,Weidong Shen

DOI: https://doi.org/10.3321/j.issn:1002-0470.2006.03.003

2006-01-01

Abstract:Through analyzing the problems of traditional network traffic measurement system, a passive network traffic measurement system is designed based on zero-copy packet capture, raw device storage and so on. The performance and the precision of network traffic measurement are improved greatly. This system is suitable for the traffic measurement of 1 Gb/s network.

Robert Schweller,Zhichun Li,Yan Chen,Yan Gao,Ashish Gupta,Yin Zhang,Peter Dinda,Ming-Yang Kao,Gokhan Memik

2006-01-01

Abstract:A key function for network traffic monitoring and analysis is the ability to perform aggregate queries over multiple data streams. Change detection is an important primitive which can be extended to construct many aggregate queries. The recently proposed sketches [1] are among the very few that can detect heavy changes online for high speed links, and thus support various aggregate queries in both temporal and spatial domains. However, it does not preserve the keys (e.g., source IP address) of flows, making it difficult to reconstruct the desired set of anomalous keys. In an earlier abstract we proposed a framework for a reversible sketch data structure that offers hope for efficient extraction of keys [2]. However, this scheme is only able to detect a single heavy change key and places restrictions on the statistical properties of the key space. To address these challenges, we propose an efficient reverse hashing scheme to infer the keys of culprit flows from reversible sketches. There are two phases. The first operates online, recording the packet stream in a compact representation with negligible extra memory and few extra memory accesses. Our prototype single FPGA board implementation can achieve a throughput of over 16 Gbps for 40-byte-packet streams (the worst case). The second phase identifies heavy changes and their keys from the representation in nearly real time. We evaluate our scheme using traces from large edge routers with OC-12 or higher links. Both the analytical and experimental results show that we are able to achieve online traffic monitoring and accurate change/intrusion detection over massive data streams on high speed links, all in a manner that scales to large key space size. To the best of our knowledge, our system is the first to achieve these properties simultaneously.

SHEN Wen-chao,YANG Bo,L(U) Guo-han,YAN Cheng,LI Xing

DOI: https://doi.org/10.3321/j.issn:0438-0479.2007.z2.033

2007-01-01

Abstract:Cisco Netflow is widely used in many areas such as traffic monitoring,network security,etc.Most of high-end routers today can export Netflow,but their fixed format lacks some valuable information and cannot be customized.This paper covers the design and implementation of a high speed flow aggregation system based on commodity PC and general-purpose network cards.By modifying the network card driver,no packet copy in the RAM is achieved.By implementing a software based traffic scheduler,traffic from one network card is assigned to several CPUs for parallel process.This improves the system performance drastically.Netflow v9 format is used.According to the performance test,the system can process traffic from a single Gigabit link with 1 000 000 pps very well.

Zhen CHEN,Hong-jian LIU

DOI: https://doi.org/10.3969/j.issn.1671-1122.2014.04.005

2014-01-01

Abstract:Nowadays, with the pervasive usage of computer and Internet, the amount of Internet traffic is increasing dramatically. Traffic monitor is essential in network security and traffic forensic analysis. To monitor the flow, we are able to record the flow information of traffic, such as source IP, destination IP, source Port, destination Port, Protocol field, and timestamp etc. With this information, one can collect the statistics of traffic and conduct further analysis of attack pattern etc. However, the amount of flow information increases very fast. Searching a specified IP address could be low efficiency if we do not index flow information completely. As we know, inverted index is the key method of a practical search engine. Thus, this paper applies the idea of inverted index and index compress algorithm to the net flow information retrieval. After the analysis and experiment, the result shows that inverted index method is feasible in flow information retrieval and can improve the query performance as expected.

ZHANG Xiao-xiao,TANG Yong,SU Jin-shu,CHEN Shu-hui

2011-01-01

Abstract:With the rapid increase of network traffic and the development of network applications,network traffic monitor and analysis becomes more and more difficult.This paper described the design and of implementation of a high-speed real-time Network Traffic Analysis System,named NTAS.It used PF_RING-based network traffic capture mechanism to capture network traffic,implementing intact network session management and protocols identification based on Deterministic Finite Automation(DFA).NTAS outperformed current similar system in terms of performance and protocol-recognition accuracy.Experiment results show that NTAS can real-time monitor and analyze network traffic in high-speed network environment.

Yun-long MA,Qian-li ZHANG,Ji-long WANG

2013-01-01

Abstract:To deal with the large-scale traffic capture and management in high speed network,the performance of IPFIX system was studied.An optimized architecture was proposed and implemented based on improved binary information integration to collect data and improved multi-layer hash algorithm to storage data.This system was deployed in Tsinghua university campus network and can scale to the 10 GB network traffic collection and accurate pricing.