Kuai Xu,Feng Wang,Supratik Bhattacharyya,Zhi-Li Zhang

DOI: https://doi.org/10.1109/dsn.2007.10

2007-01-01

Abstract:This paper presents the design and implementation of a real-time behavior profiling system for high-speed Internet links. The profiling system uses flow-level information from continuous packet or flow monitoring systems, and uses data mining and information-theoretic techniques to automatically discover significant events based on the communication patterns of end-hosts. We demonstrate the operational feasibility of the system by implementing it and performing extensive benchmarking of CPU and memory costs using a variety of packet traces from OC-48 links in an Internet backbone network. To improve the robustness of this system against sudden traffic surges such as those caused by denial of service attacks or worm outbreaks, we propose a simple yet effective filtering algorithm. The proposed algorithm successfully reduces the CPU and memory cost while maintaining high profiling accuracy.

Ting Li,Jason Liu

DOI: https://doi.org/10.1145/2667222

IF: 0.851

2015-01-01

ACM Transactions on Modeling and Computer Simulation

Abstract:To reduce the computational complexity of large-scale network simulation, one needs to distinguish foreground traffic generated by the target applications one intends to study from background traffic that represents the bulk of the network traffic generated by other applications. Background traffic competes with foreground traffic for network resources and consequently plays an important role in determining the behavior of network applications. Existing background traffic models either operate only at coarse time granularity or focus only on individual links. There is little insight on how to meaningfully apply realistic background traffic over the entire network. In this article, we propose a method for generating background traffic with spatial and temporal characteristics observed from real traffic traces. We apply data clustering techniques to describe the behavior of end hosts as a function of multidimensional attributes and group them into distinct classes, and then map the classes to simulated routers so that we can generate traffic in accordance with the cluster-level statistics. The proposed traffic generator makes no assumption on the target network topology. It is also capable of scaling the generated traffic so that the traffic intensity can be varied accordingly in order to test applications under different and yet realistic network conditions. Experiments show that our method is able to generate traffic that maintains the same spatial and temporal characteristics as in the observed traffic traces.

Jie Xu,Wei Ding,Jian Gong,XiaoDong Zang

DOI: https://doi.org/10.1109/dasc-picom-datacom-cyberscitec.2016.114

2016-01-01

Abstract:There are hundreds of billions packets passing through the network, how to analyse these big data is an arduous task. In this paper we proposed a new scheme based on cluster algorithm to explore the backbone network traffic pattern. Two new traffic features are introduced to assist the analysing process. These two novel attributes can represent the flow effectively cooperated with a new flow similarity measurement method proposed in this paper and they are insensitive to the random fluctuation of traffic size. The traffic pattern will be uncovered by a cluster algorithm derived from k-means. Real world traffic captured from a border router is used to test this new method. The result shows that our novel flow attributes and similarity measurement method perform well on the traffic analysis and four traffic patterns are uncovered.

Chi Yuan, ,Zhengbin Li,Yongqi He,Anshi Xu

DOI: https://doi.org/10.1117/12.743767

2007-01-01

Abstract:Understanding network traffic behavior is essential for all aspects of network design and operation, e.g. component design, protocol design, provisioning, operations, administration and maintenance (OAM). A careful study of traffic behavior can lead to improvements in underlying protocols to attain greater efficiencies and higher performance. Many researches have shown that traffic in Ethernet and other networks, either in local or wide area networks, exhibit properties of self-similarity. Several empirical studies on network traffic indicate that this traffic is self-similar in nature. However, the network modeling methods used in current networks have been primarily designed and analyzed under the assumption of the traditional Poisson arrival process. These "Poisson-like" models suggest that the network traffic is smooth, which is inherently unable to capture the self-similar characteristic of traffic. In this paper, after introduce the high performance broadband information network (3Tnet) of China, an aggregation model at access convergence router (ACR) is proposed and analyzed in 3Tnet. We studied the impact of large-scale aggregation applied at the edge of 3Tnet in terms of the self-similarity level observed at the output traffic in presence of self-similar input traffic. Two formulas were presented to describe the changes of Hurst parameter. Using OPNET software simulator, changes of traffic characteristics after large-scale aggregation in 3Tnet was extensive studied. The theoretic analysis results were consistent with the simulation results.

Tao-Wei Chiou,Shi-Chun Tsai,Yi-Bing Lin

DOI: https://doi.org/10.1007/s00500-013-1218-0

IF: 3.732

2014-01-21

Soft Computing

Abstract:Profiling network traffic pattern is an important approach for tackling network security problem. Based on campus network infrastructure, we propose a new method to identify randomly generated domain names and pinpoint the potential victim groups. We characterize normal domain names with the so called popular 2gram (2 consecutive characters in a word) to distinguish between active and nonexistent domain names. We also track the destination IPs of sources IPs and analyze their similarity of connection pattern to uncover potential anomalous group network behaviors. We apply the Hadoop technique to deal with the big data of network traffic and classify the clients as victims or not with the spectral clustering method.

computer science, artificial intelligence, interdisciplinary applications

Jian Ye,Gaolei Fei,Wenkai Qi,Yunpeng Zhou,Guangmin Hu

DOI: https://doi.org/10.1109/globecom54140.2023.10437163

2023-01-01

Abstract:In this work, we revisit a classical network tomography problem of inferring a tree topology using end-to-end measurements, with two key differences: (i) instead of relying on the correlation of source-to-destination end-to-end probe packets routing behaviors, we leverage round-trip network traffic behavior characteristics, which enables us to therefore utilize passive measurements and require only source node without available to destination nodes; (ii)rather than assuming that the network is stationary and uses only a single network performance parameter, we leverage network traffic behavior in addition to network performance parameters. Our key idea is to uncover multiple features that can reveal the network topology by exploring the traffic behavior and features observed during data transmission in the network. We then infer the network topology by combining these features through iterative optimization. Simulation and real network experiments demonstrate that our method accurately infers the network topology using network traffic behaviors, with only one source detection node.

YUAN Xiao-fang,WANG Dong,XIE Gao-gang

DOI: https://doi.org/10.3778/j.issn.1002-8331.2009.13.008

2009-01-01

Abstract:There is great value in network traffic data as a way to understand not only how the Internet and its application have evolved in practice,but also can identify those things that do not change as the Internet evolves.The design and implementation of a multi-tier storage system is prensented.The efficiency of this approach comes from leveraging the heavy-tailed nature of net-work traffic:because the bulk of the traffic in high-volume streams comes from just a few connections,by constructing a filter that records only the first N bytes of each connection we can greatly winnow down the recorded volume while still retaining both small connections in full,and the beginnings of large connections.

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Min Zhu

DOI: https://doi.org/10.1016/j.jnca.2013.10.008

IF: 7.574

2014-01-01

Journal of Network and Computer Applications

Abstract:Traffic pattern characteristics monitoring is useful for abnormal behavior detection and network management. In this paper, we develop a framework for connection degree calculation and measurement in high-speed networks. The bi-directional traffic flow model is employed to aggregate traffic packets, which can reduce the number of flow records and capture user's alternation behavior characteristics. The first order connection degree and joint correlation degree are selected as the features to capture the characteristics of traffic profiles. To perform careful traffic inspection and attack detection, not only the abnormal changes of a single traffic feature but also the correlations between the features are analyzed in the new framework. First, the symmetry of in and out connection degrees is analyzed. And we found that incomplete flows are an important information source for abnormal behavior detection. Second, joint correlation degree can characterize the user's communication profiles and their behavior dynamics, which are employed to perform abnormal detection using measurements based on Renyi cross entropy. Finally, the reversible degree sketch is employed for querying abnormal traffic pattern sources for real-time traffic management. The experimental results based on actual traffic traces collected from Northwest Regional Center of CERNET (China Education and Research Network) show the efficiency of the proposed method. The method based on Renyi entropy can detect abnormal changing points correctly. FNR of the reversible sketch for locating abnormal sources is below 4% and time complexity is constant and less than 4s, which is critical for real-time traffic monitoring.

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Liang Fu Lu,Zheng-Hai Huang,Mohammed A. Ambusaidi,Kui-Xiang Gou

DOI: https://doi.org/10.1155/2014/323764

IF: 1.4

2014-01-01

Discrete Dynamics in Nature and Society

Abstract:With the rapid growth of data communications in size and complexity, the threat of malicious activities and computer crimes has increased accordingly as well. Thus, investigating efficient data processing techniques for network operation and management over large-scale network traffic is highly required. Some mathematical approaches on flow-level traffic data have been proposed due to the importance of analyzing the structure and situation of the network. Different from the state-of-the-art studies, we first propose a new decomposition model based on accelerated proximal gradient method for packet-level traffic data. In addition, we present the iterative scheme of the algorithm for network anomaly detection problem, which is termed as NAD-APG. Based on the approach, we carry out the intrusion detection for packet-level network traffic data no matter whether it is polluted by noise or not. Finally, we design a prototype system for network anomalies detection such as Probe and R2L attacks. The experiments have shown that our approach is effective in revealing the patterns of network traffic data and detecting attacks from large-scale network traffic. Moreover, the experiments have demonstrated the robustness of the algorithm as well even when the network traffic is polluted by the large volume anomalies and noise.

Yan QIAO,Jun JIAO,Yuan RAO

DOI: https://doi.org/10.3969/j.issn.1673-162X.2016.01.010

2016-01-01

Abstract:Data Center Network (DCN)is the infrastructure of cloud computing and other distributed computing services.Understanding the characteristics of end-to-end traffic flows in DCNs is essential to DCN designs and operations.However,it is extremely difficult to measure the traffic flows directly. Inferring the end-to-end traffic follows from the SNMP counters on switches has been widely applied in traditional computer networks.But it still can not be utilized in DCNs directly yet.To address this problem,we propose an efficient traffic inference algorithm for DCNs based on gravity traffic model.It first decomposes the DCNs into several clusters according to the feature of conditional independence of DCN traffic,and then computers the coarse-grained traffic of each cluster based on some theorem that we state in section 3.Finally it utilizes the gravity traffic model and network tomography to refine the traffic on each cluster to obtain the fine-grained end-to-end traffic.We compare our new proposal with two classical traffic inference algorithms SRMF and ELIA on different scale of DCNs.The results show that our new algorithm outperforms the other two algorithms in both speed and accuracy.Thus the new proposal can provide vital reference to the area of DCN designs and operations.

Tao Qin,Xiaohong Guan,Wei Li.,Pinghui Wang

DOI: https://doi.org/10.1109/ICCW.2008.45

2008-01-01

Abstract:Detecting and measuring the changes of temporal traffic patterns in large scale networks are crucial for effective network management. This paper presents the concept of region flow to aggregate traffic packets. Regions are defined by the IP prefix, and a region flow is a group of packets with the same source and destination region during a time interval. In this way, the number of flows can be reduced significantly and a better extraction of pivotal traffic metrics is generated. Three traffic features: source connection degree, destination connection degree and packet distribution ratio are proposed to capture the dynamic change of the flow patterns between regions and the Renyi cross entropy are applied to measure and detect the changes. The experimental results show that the method proposed in this paper can capture the dynamic traffic features effectively for 10Gbps backbone networks, and can be used for detecting abnormal network behaviors. ©2008 IEEE.

Weitao Weng,Kai Lei,Kuai Xu,Xiaoyou Liu,Tao Sun

DOI: https://doi.org/10.1007/978-3-319-39937-9_29

2016-01-01

Abstract:Campus networks consist of a rich diversity of end hosts including wired desktops, servers, and wireless BYOD devices such as laptops and smartphones, which are often compromised in insecure networks. Making sense of traffic behaviors of end hosts in campus networks is a daunting task due to the open nature of the network, heterogeneous devices, high mobility of end users, and a wide range of applications. To address these challenges, this paper applies a combination of graphical approaches and spectral clustering to group the Internet traffic of campus networks into distinctive traffic clusters in a divide-and-conquer manner. Specifically, we first model the data communication between a particular subnet of campus networks and the Internet on a specific application port via bipartite graphs, and subsequently use the one-mode projection to capture behavior similarity of end hosts in the same subnet for the same network applications. Finally we apply a spectral clustering algorithm to explore the behavior similarity to identify distinctive application clusters within each subnet. Our experimental results have demonstrated the benefits of our proposed method for analyzing Internet traffic of a large university town to discover anomalous behaviors and to uncover distinctive temporal and spatial traffic patterns.

Guang Cheng,Jian Gong

DOI: https://doi.org/10.1109/ICII.2001.983511

2001-01-01

Abstract:With the subsequent increasing of backbone bandwidth, the full trace capture will be seriously hindered. The research in the paper results from a study analyzing packet traces obtained from a backbone link in CERNET. Millions of packets are passed per minute through the link that make the traffic measurement difficult or even impossible. The Poisson sampling measure proposed by RFC2330 is used in the research to alleviate the measurement hindering while preserving the statistically representative characteristics of the traffic population. Algorithms for the continuous process sampling and the discrete process sampling are proposed in the paper. The relationship between the mean packet length of the Poisson sampling data sets and the test data set is discussed to show the advantage of the algorithms. The network traffic throughput can be estimated according to the mean length of sampling packets, Poisson rate and during sampling time

Kuai Xu,Feng Wang,Supratik Bhattacharyya,Zhi-Li Zhang

DOI: https://doi.org/10.1504/ijipt.2010.032616

2010-01-01

International Journal of Internet Protocol Technology

Abstract:This paper presents the design and implementation of a real-time behaviour profiling system for internet links. The system uses flow-level information, and applies data mining and information-theoretic techniques to automatically discover significant events based on communication patterns. We demonstrate the operational feasibility of the system by implementing it and performing benchmarking of CPU and memory costs using packet traces from backbone links. To improve the robustness of this system against sudden traffic surges, we propose a novel filtering algorithm. The proposed algorithm successfully reduces the CPU and memory cost while maintaining high profiling accuracy. Finally, we devise and evaluate simple yet effective blocking strategies to reduce prevalent exploit traffic, and build a simple event analysis engine to generate ACL rules for filtering unwanted traffic.

Yuxuan Liang,Zhongyuan Jiang,Yu Zheng

DOI: https://doi.org/10.1145/3139958.3139960

2017-01-01

Abstract:There is an underlying cascading behavior over road networks. Traffic cascading patterns are of great importance to easing traffic and improving urban planning. However, what we can observe is individual traffic conditions on different road segments at discrete time intervals, rather than explicit interactions or propagation (e.g., A -> B) between road segments. Additionally, the traffic from multiple sources and the geospatial correlations between road segments make it more challenging to infer the patterns. In this paper, we first model the three-fold influences existing in traffic propagation and then propose a data-driven approach, which finds the cascading patterns through maximizing the likelihood of observed traffic data. As this is equivalent to a submodular function maximization problem, we solve it by using an approximate algorithm with provable near-optimal performance guarantees based on its submodularity. Extensive experiments on real-world datasets demonstrate the advantages of our approach in both effectiveness and efficiency.

Li Qu,Jianming Hu,Yi Zhang

DOI: https://doi.org/10.1109/ITSC.2010.5625105

2010-01-01

Abstract:The detected traffic data for single point or link cannot satisfy the needs for network-level traffic status information with the rapid development of the traffic control and guidance systems. This paper proposed a modeling and clustering method for network-level urban traffic status based on the dynamic traffic flow assignment ratios. The traffic assignment ratio matrix model integrates traffic status, topology and relation between links, with the dynamic traffic assignment ratios estimated by Linear Programming. The network-level traffic status is clustered by Self-Organizing Map and the typical patterns are discovered. The experiment proves the efficiency and applicability of this method for network-level traffic status modeling and analyzing.

Yan Shi,Min Deng,Jianya Gong,Chang-Tien Lu,Xuexi Yang,Huimin Liu

DOI: https://doi.org/10.1111/tgis.12521

IF: 2.568

2019-01-01

Transactions in GIS

Abstract:Spatio‐temporal clustering is a highly active research topic and a challenging issue in spatio‐temporal data mining. Many spatio‐temporal clustering methods have been designed for geo‐referenced time series. Under some special circumstances, such as monitoring traffic flow on roads, existing methods cannot handle the temporally dynamic and spatially heterogeneous correlations among road segments when detecting clusters. Therefore, this article develops a spatio‐temporal flow‐based approach to detect clusters in traffic networks. First, a spatio‐temporal flow process is modeled by combining network topology relations with real‐time traffic status. On this basis, spatio‐temporal neighborhoods are captured by considering traffic time‐series similarity in spatio‐temporal flows. Spatio‐temporal clusters are further formed by successive connection of spatio‐temporal neighbors. Experiments on traffic time series of central London's road network on both weekdays and weekends are performed to demonstrate the effectiveness and practicality of the proposed method.

Dingde Jiang,Cheng Yao,Zhengzheng Xu,Wenda Qin

DOI: https://doi.org/10.1002/ett.2619

IF: 3.6

2013-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:Abnormal network traffic has an important impact on network activities and leads to the severe damage to our networks because they are usually related with network faults and network attacks. How to detect effectively network traffic anomalies is an open issue for network researchers. This paper proposes a novel method for detecting traffic anomalies in high‐speed backbone networks, based on multi‐scale analysis. Firstly, the continuous wavelet transforms are performed for network traffic in multiple continuous scales. We then use the principal component analysis for the continuous wavelet transforms in the different scales and extract the nature of the anomalous network traffic. And the new mapping function is constructed to detect the abnormal traffic. Finally, we use the traffic data from the real network to validate our method. Simulation results show that our approach is more promising than the previous method.Copyright © 2013 John Wiley & Sons, Ltd.

Hongrui Zhu,Guojun Yuan,Guangming Tan,Zhan Wang,Tao Jiang,Xuejun An

DOI: https://doi.org/10.1109/icpads47876.2019.00047

2019-01-01

Abstract:In high-performance computing (HPC) and distributed computing area, network performance greatly influenced application efficiency. However, due to the diversity of traffic patterns, the traditional network with fixed topology may achieve good performance under some applications, while performs poorly under other forms. Network reconfiguration technologies which can change the topology dynamically have been developed to obtain a balanced performance for different traffic patterns. Nonetheless, selecting an appropriate network topology from the wide variety of options remains difficult due to the complexity of analyzing traffic alongside topology performance characteristics. Traditional research focused on congestion estimation and specific parameter adjustment without reconfiguring the global topology. In this paper, we propose a generic Traffic to Hierarchical Topology (T2HT) method to analyze traffic patterns and choose an appropriate network configuration for the given traffic T2HT makes use of actual traffic data with a hierarchical model to predict network performance with a given topology and uses a machine learning (ML) algorithm to score the better options in order to determine the best topology. We performed 8000 simulations of dataset-topology combinations to verify the feasibility of the model. Our results show that T2HT achieved marked improvements with its recommendations, making it feasible for use in hierarchical network design. Under the DOE testbed, the throughput of the topology generated by T2HT can reach above 90% of theoretical limit(full connection), and the latency is improved by about 24.6% compared to typical topology 3D Torus with the same physical restrictions.