Please use this identifier to cite or link to this item:
Title: Adaptive flow aggregation - A new solution for robust flow monitoring under security attacks
Author(s): Chiu, Dah Ming 
Author(s): Hu, Y.
Lui, J. C. S.
Issue Date: 2006
Publisher: IEEE
Related Publication(s): Proceedings of the 2006 IEEE/IFIP Network Operations and Management Symposium (NOMS)
Start page: 424
End page: 435
Flow-level traffic measurement is required for a wide range of applications including accounting, network planning and security management. A key design challenge is how to gracefully deal with traffic surges that exhaust the resources (memory, export bandwidth or CPU) of the flow monitor. A standard solution is to do sampling (look at one out of every n packets). This is implemented in Cisco’s Netflow, a popular platform. Setting the sampling rate according to the normal traffic, however, cannot avoid overrunning available memory for flow records during abnormal situations, such as when there is a DoS attack or other security breaches. Currently available countermeasures have their own problems: (1) reject new flows when the cache is full - some legitimate new flows will not be counted; (2) export not-terminated flows to make room for new ones - this will exhaust the export bandwidth; (3) adapt the sampling rate to traffic rate - this will reduce the overall accuracy of accounting, including legitimate flows. In this paper, we propose a new counter-measure to deal with abnormal traffic conditions - adaptive flow aggregation. Often the reason for abnormal traffic conditions is due to security attacks. Fortunately, such attacks usually have some common patterns. For example, packets of DoS attacks have the same destination IP address, while traffic for worm spreading has the same source IP address. Our flow monitoring algorithm identifies these traffic clusters in real-time and aggregates these large amount of short flows into a few flows.
DOI: 10.1109/NOMS.2006.1687572
CIHE Affiliated Publication: No
Appears in Collections:SS Publication

SFX Query Show full item record

Google ScholarTM




Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.