ZhiFeng Zhan,Wei Xing

DOI: https://doi.org/10.1007/978-3-642-25769-8-42

2012-01-01

Abstract:Internet traffic is modest growth worldwide due to popular applications. But the growth does not change the well-known characteristic heavy-tailed of the traffic in Internet. Mice flow would dominate the next generation of ubiquitous wireless networks because the frequent and important communications would be mice flow due to the limits of terminal and network. The most important factor which affects the performance of applications is the duration time of mice flow. For a long time the modifications on traditional TCP protocol did not reveal the nature reasons for the duration time of mice flow: ACK-based slow pacing transmission and window-based conservative packet transmitting strategy. Based on the previous work of window-based transmission schedule, this paper proposes a delay-sensitive Fast-Pacing TCP (FP-TCP) transmission mechanism for mice flow: the definite network status and RTO could be obtained by measuring RTT for each packet in mice flow, the proper transmitting pace and rate base on the network status and the fast packet retransmission schedule. Simulated experiments show that the duration time of mice flow can be shortened by FP-TCP up to about 22% at most in the condition of network is busy, meanwhile only little growth is taken to the lose rate of packet. © Springer-Verlag Berlin Heidelberg 2012.

Peng Yanbing,Gong Jian,Ding Wei

DOI: https://doi.org/10.3969/j.issn.1003-7985.2005.04.008

2005-01-01

Abstract:To reduce the TCP flow processing cost, some bit patterns selected from the TCP/IP packet can be used as TCP flow identification. Based on the entropy and randomness analysis of the distribution of sequence number (SN) and acknowledgement number (AN) in the first packet of a TCP flow, this paper proposes a new uniform TCP flow identification by sequence and acknowledgement number (FIDSAN) to the heavy-tailed IP or TCP traffic. The experimental results suggest that some bits in the TCP sequence number and acknowledgment number can be selected out as flow ID with acceptable confliction probability. The bit length of flow ID selected under given confliction probability can be conducted from an equation deduced from the observing window and flow ID range. FIDSAN has low computation cost in the comparison with the traditional methods, such as 5-tuple, CRC, and Checksum etc.

Xiong Bing,Chen Xiaosu,Chen Ning

DOI: https://doi.org/10.1109/ieec.2009.27

2009-01-01

Abstract:There is a growing interest in designing high-speed network devices to process packet at flow level above the network layer. A basic operation inherent to such systems is the task of maintaining per-flow state in order to correctly perform their higher-level processing. In this paper, we present an efficient TCP flow state management algorithm in high-speed network. First we devise all flow states and their transformation in conformity to TCP state machine. Based on the flow state transformation, we design the flow state management applying recently accessed first principle and budding connection buffer mechanism. According to the design scheme, the implementation is illustrated in a formal way. Experimental results illustrate that our flow state management algorithm performs better than the traditional one especially under DoS attacks.

Jf Wang,L Li,Fc Sun,Mt Zhou

DOI: https://doi.org/10.1016/j.comnet.2004.11.005

IF: 5.493

2005-01-01

Computer Networks

Abstract:Collecting network traffic is becoming a more challenging task in passive network measurement due to the rapid growth of link speed. Flow-based network traffic capture and storage provides an efficient way for high-speed network measurement. The paper concentrates on the flow detection issue which is also the premise for further flow-based traffic analysis and modeling in such challenging environment. Based on the statistical investigation of the correlations between flow size and the maximum packet interarrival time within a flow, we obtain the empirical conditional distribution functions for some popular TCP protocol-based application flows, and then propose a Probability-Guaranteed Adaptive Timeout algorithm (PGAT) for flow termination decision. The assessment criteria for flow termination decision algorithm is systematically developed. Comparisons onflow generation ratio,flow intact ratio, and meanflow extra retaining time metrics indicate that the PGAT algorithm can obtain more attractive performance than other related works. (c) 2004 Elsevier B.V. All rights reserved.

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Su Fan-jun,Pan Xue-zeng,Wang Jie-bing,Wan Zheng

DOI: https://doi.org/10.1631/jzus.2006.as0245

2006-01-01

Abstract:Some high-speed protocols such as HSTCP have been proposed to improve the ability of bandwidth utilization in high-speed networks. However, the increased scalability of high-speed TCP leads to many dropped packets in a single loss event in drop tail environment. In addition, there exists burstiness on short time scales that may cause lots of packets loss. In this paper, we analyze the problem of packet loss, and then propose ACWAP (Adaptive Congestion Window Adjustment plus Pacing) algorithm to reduce the loss rate of high-speed TCP. Along with pacing algorithm for avoiding burstiness on short time scales, ACWAP uses delay information to estimate the network state and adaptively changes the increase parameter to 1 before congestion to reduce the number of dropped packets. Many simulation results show our proposed algorithm can reduce the number of dropped packets in a single loss event, alleviate synchronized loss phenomena and improve the RTT unfairness while keeping the advantages of high-speed TCP.

Yu Zhang,Binxing Fang

2010-01-01

Abstract:On the Internet, high-rate flows that do not obey the TCP flow controlmechanism can consume a large share of the link bandwidth and seriously affectother flows. Therefore, identifying high-rate flows is important for activequeue management, traffic measurement and network security. Explicit measurementof high-rate flows is difficult because tracking the possible millions of flowsneeds correspondingly large high-speed memories. To reduce the measurementoverhead, the deterministic 1-out-of-k sampling technique is adopted. However,the state-of-the-art method has to record, every sampled, flow which is notmemory efficient. In this paper, we propose a novel method based on truncated,sequential probability ratio test (TSPRT). Through sequential sampling, TSPRTcan remove the low-rate flows and identify the high-rate flows at the earlystage which can reduce the memory cost and identification time respectively. Theexperimental results show that TSPRT spends less memory and identification timein identifying high-rate flows as compared to previously proposed methods.ICIC International © 2010.

Xiaoguo Zhang,Yanjun Su,Wei Ding

DOI: https://doi.org/10.1109/CIAPP.2017.8167260

2017-01-01

Abstract:Network flow records are the foundational and key data of network flow technology. As network flow technology is widely applied, the correctness of network flow record becomes more and more important. For UDP flow identification, timeout strategy is accepted. However, there is no research to analyze the principle and reasonableness of timeout strategy, so we propose a concept of attribute recognition degree that can make a quantitative analysis of the contribution degree of flow attribute for flow identification, and based on this concept we analyze the principle and reasonableness of timeout strategy and the analysis results prove that timeout strategy is suitable for UDP flow identification. Then, on the basis of the rate of number change of UDP flow records, we propose a timeout threshold algorithm for UDP flow identification in order to improve the accuracy of UDP flow identification with timeout strategy. A lot of analyses and experimental results demonstrate that our timeout threshold algorithm can guarantee the integrity and correctness of UDP flows.

Xiaoguo Zhang,Wei Ding

DOI: https://doi.org/10.4304/jnw.9.6.1416-1425

2014-01-01

Abstract:A great number of researches on network flow characteristics show a large proportion of the network flows are single-packet flows. However, almost all existing flow termination strategies have no optimization for single-packet flows, so the efficiency of flow-aggregation is lower. Based on in-depth study of flow characteristics and TCP protocol specifications, we find the packet status, packet arrival interval and SYN packet size can identify single-packet flows accurately, and then propose a flow-aggregation accelerating strategy for TCP traffic that aims to quickly identify single-packet flows. We build efficiency model and accuracy model to compare our strategy performance with others and make a lot of experiments on the traces collected from a main channel in the CERNET during the latest five years. The results prove our strategy can greatly improve the efficiency of flow-aggregation at the cost of very little loss of accuracy

JF Wang,L Li,MT Zhou,FJ Xu,FC Sun

DOI: https://doi.org/10.1109/glocom.2004.1378260

2004-01-01

Abstract:Collecting network traffic is becoming a more challenging task in passive network measurement due to the rapid growth of link speed. Flow-based network traffic capture and storage is an efficient way for high-speed network measurement. Based on the statistical investigation of the correlations between flow size and the maximum packet interinterval time of consecutive packets within a flow, we obtain the empirical conditional distribution functions for some popular TCP protocol-based application flows, and then propose a probability-guaranteed adaptive timeout algorithm (PGAT) for flow termination decision. The assessment criteria for the flow termination decision algorithm is systematically developed. Comparisons on flow generation ratio, flow intact ratio, and mean flow extra retaining time metrics indicate that the PGAT algorithm can obtain more attractive performance than other schemes.

Tian-yi XIA,Jia-yong LIU

DOI: https://doi.org/10.3969/j.issn.1009-8054.2014.11.042

2014-01-01

Abstract:In order to meet the demand of large flow data of TCP reassembling,this paper proposes a TCP reassembling technology based on data flow characteristics,and it can reassemble the data flow selectively. In addition,it provides a method of judging and han-dling connection termination and a modified method of data buffer strategy,thus reduces the memory occupation and improves the pro-cessing speed. Availability and efficiency of TCP reassembling algorithm are verified by the experimental results.

Li Zhen,Yang Yahui,Xie Gaogang,Qin Guangcheng

2011-01-01

Journal of Computer Research and Development

Abstract:Identifying heavy-hitter flows in the network is of tremendous importance for many network management activities.Heavy-hitter flows identification is essential for network monitoring,management,and charging,etc.Network administrators usually pay special attention to these Heavy-hitter flows.How to find these flows has been the concern of many studies in the past few years.Lossy counting and probabilistic lossy counting are among the most well-known algorithms for finding Heavy-hitters.But they have some limitations.The challenge is finding a way to reduce the memory consumption effectively while achieving better accuracy.In this work,a probabilistic fading method combining data streaming counting is proposed,which is called PFC(probabilistic fading counting).This method leverages the advantages of data streaming counting,and it manages to find the heavy-hitter by analyzing the power-low characteristic in the network flow.By using network's power-law and continuity,PFC accelerates the removal of non-active and aging flows in table records.So PFC reduces memory consumption,and decreases false positive ratio too.Comparisons with lossy counting and probabilistic lossy counting based on real Internet traces suggest that PFC is remarkably efficient and more accurate.Particularly,experiment results show that PFC has 60% lower memory consumption without increasing the false positive ratio.

Xu Lin,Qu Shiru

2011-01-01

Abstract:Aim.The introduction of the full paper points out what we believe to be the four characteristics of traffic flow that cause difficulties in determining the thresholds of massive traffic flow;in its last paragraph,it proposes our effective RTRC-TFD(recognizing and treating recurring context of traffic flow detection) method,which is explained in section 1.The seven subsections of section 1 are:(1) traffic flow data stream model,(2) classification model,(3) time for context extension,(4) determination of context recurrence,whose detection algorithm framework is given in Fig.1,(5) pattern of context change,(6) time for context extension,(7) algorithm for recognizing and treating recurring context,whose procedural steps are given in Fig.2.To verify the effectiveness of our method,section 2 uses the measurement data in a report by U.S.Department of Transportation[9] to simulate our algorithm;the simulation results,presented in Figs.3 through 9,and their analysis show preliminarily that when concept drift and recurring context are taken into consideration,our algorithm has better classification precision and convergence speed,thus being more effective for classifying real-time traffic flow data stream from various contexts than the conventional incremental Bayes classification algorithm.

ZHANG Luo-shi,WANG Da-wei,XUE Yi-bo

DOI: https://doi.org/10.11959/j.issn.1000-436x.2015070

2015-01-01

Abstract:Traditional methods of protocol identification, which is mainly based on individual flow, lose their effective-ness as dealing with sophisticated network applications. A novel model of identifying sophisticated network applications, called flow-aware model, is addressed. This proposed model abstracts the characteristics of sophisticated network appli-cations from spatial dimension, time dimension and flow dimension, and provides the detailed analysis and deeply mining in characteristics of behaviors and states. Based on this model, a framework and method of sophisticated network appli-cations identification is proposed. The experimental results demonstrate that the proposed method can achieve the pur-pose of identifying sophisticated network applications effectively.

ZHOU Ming-zhong,GONG Jian,DING Wei

DOI: https://doi.org/10.3321/j.issn:1000-436x.2005.04.015

2005-01-01

Abstract:Firstly discussed the state-of-art of flow timeout strategies, and pointed out where they were applicable and their shortcomings. Presented a two-level self-adaptive timeout (TSAT) strategy which handles flows with different timeout strategy according to its feature. This method could improve the performances of network measurement and the efficiency of the resource usage of measurement systems. Some experiments were employed to show the rationality of TSAT strategy. Then the fitness area of strategy was anatomized as well.

Ping-Ping Xiao,Yan-Tao Tian

DOI: https://doi.org/10.1109/icmlc.2007.4370826

2008-01-01

Computer Engineering and Applications Journal

Abstract:In order to improve the unfairness of each flow's bandwidth allocation in the Internet, a NTFFP algorithm is proposed to punish non-friendly TCP flows based on buffer management. The algorithm will record the bandwidth of those active connections that have packets currently in the buffer, discriminate and punish not TCP-friendly flows. Its active flow accounting uses packet history in proportion to the total number of buffers used. The dropping probability of a flow depends on the number of packets that flow has buffered at the router. In the co-existence environment between the normal TCP flows and non-friendly TCP flows, the simulations validate that NTFFP can raise the punishment strength to non-friendly TCP flows, obtain better fairness than RED, as well as keep high link utilization.

Zhen Li,Yahui Yang,Guangxing Zhang,Guangcheng Qin

DOI: https://doi.org/10.1109/ICACTE.2010.5579256

2010-01-01

Abstract:Identifying heavy hitters is essential for network monitoring, management, charging and etc. Existing methods in the literature have some limitations. How to reduce the memory consumption effectively without compromising identification accuracy is still challenging. In this paper, an adaptive method combining sampling and data streaming counting is proposed, called FSPLC(feedback sampling probabilistic lossy counting). Based on the history information in the flow counter table, FSPLC can adjust the sampling frequency dynamically, and also adapt to the real-time traffic changes. Comparison with state-of-the-art algorithms based on real Internet traces suggests that FSPLC is remarkably efficient and accurate. Experiment results show that FSPLC has 1) 60% lower memory consumption, 2) 15% smaller false-positive ratio.

Yanbin Sun,Zhihong Tian,Jianwei Ye,Hongli Zhang

DOI: https://doi.org/10.1109/anthology.2013.6785008

2013-01-01

Abstract:With the development of network, the bandwidth is increasing enormously, more and more new applications such as audio, video, online games and p2p network occupied a great deal of traffic. And most of these applications use UDP as transport layer protocol, which directly increase the UDP traffic. In order to analyze the characteristic of UDP using applications or measure the UDP traffic, we need to detect and analyze the UDP flow. But traditional traffic detection and analyses is focus on the TCP protocol, the most of the flow measurement research is based on the elephant flow detection or sampled flow statistics. To solve these problems, this paper presents a Sliding-Window-based Dynamical Timeout Strategy (SWDT) for the UDP flows detection. With this approach we can deal all the UDP streams, and detect the UDP flows efficiently and accurately. Our approach can be used in both traffic analysis and network measurement, detecting UDP stream, to find out the UDP flows and maintain their information.

Jun Zhang,Chao Chen,Yang Xiang,Wanlei Zhou,Athanasios V. Vasilakos

DOI: https://doi.org/10.1109/TNSM.2013.022713.120250

2013-01-01

IEEE Transactions on Network and Service Management

Abstract:Traffic classification technique is an essential tool for network and system security in the complex environments such as cloud computing based environment. The state-of-the-art traffic classification methods aim to take the advantages of flow statistical features and machine learning techniques, however the classification performance is severely affected by limited supervised information and unknown applications. To achieve effective network traffic classification, we propose a new method to tackle the problem of unknown applications in the crucial situation of a small supervised training set. The proposed method possesses the superior capability of detecting unknown flows generated by unknown applications and utilizing the correlation information among real-world network traffic to boost the classification performance. A theoretical analysis is provided to confirm performance benefit of the proposed method. Moreover, the comprehensive performance evaluation conducted on two real-world network traffic datasets shows that the proposed scheme outperforms the existing methods in the critical network environment.

Junzhi Gong,Tong Yang,Haowei Zhang,Hao Li,Steve Uhlig,Shigang Chen,Lorna Uden,Xiaoming Li

DOI: https://doi.org/10.1109/tnet.2019.2933868

2019-01-01

IEEE/ACM Transactions on Networking

Abstract:Finding top- k elephant flows is a critical task in network traffic measurement, with many applications in congestion control, anomaly detection and traffic engineering. As the line rates keep increasing in today's networks, designing accurate and fast algorithms for online identification of elephant flows becomes more and more challenging. The prior algorithms are seriously limited in achieving accuracy under the constraints of heavy traffic and small on-chip memory in use. We observe that the basic strategies adopted by these algorithms either require significant space overhead to measure the sizes of all flows or incur significant inaccuracy when deciding which flows to keep track of. In this paper, we adopt a new strategy, called count-with-exponential-decay , to achieve space-accuracy balance by actively removing small flows through decaying, while minimizing the impact on large flows, so as to achieve high precision in finding top- k elephant flows. Moreover, the proposed algorithm called HeavyKeeper incurs small, constant processing overhead per packet and thus supports high line rates. Experimental results show that HeavyKeeper algorithm achieves 99.99% precision with a small memory size, and reduces the error by around 3 orders of magnitude on average compared to the state-of-the-art.