CDF-based Flow Detection for Network Flow Sampling and Packet Capturing
DOI: https://doi.org/10.14203/jet.v19.26-31
Keywords: flow detection, cumulative distribution function, flow sampling, packet capturing
Abstract
Providing an appropriate level of flow collection that relies on a packet capturing or flow sampling method is extremely hard due to various practical limitations and resource requirements. To address this challenge, this paper investigates CDF (Cumulative Distribution Function)-based flow detection to distinguish “known” from “unknown” flows. A combined flow collection can then improve the collection’s efficiency by sampling only the known flows and capturing the remaining unknown flows. As a preliminary experiment, known and unknown flows were detected over a long period by calculating the empirical CDF distance between each flow’s rate and the overall packet rate distribution, called the FPR (Flow-to-Packet Ratio), with a threshold (FPRmin) based on a significance level of the observed data. The results show that unknown flows are detected for most of the recommended significance level values.
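The detection step described in the abstract, sketched as an added example (not the paper's code). Assumptions: the CDF distance is the two-sample Kolmogorov-Smirnov (largest-gap) distance, FPRmin is the large-sample KS critical value for the chosen significance level, a flow whose distance exceeds the threshold is labelled "unknown", and all rate samples are constructed.

```python
import math
from bisect import bisect_right

def ecdf_distance(flow_rates, overall_rates):
    """Largest vertical gap between the two empirical CDFs (assumed FPR)."""
    a, b = sorted(flow_rates), sorted(overall_rates)
    gap = 0.0
    for x in set(a) | set(b):  # the largest gap always occurs at a sample point
        fa = bisect_right(a, x) / len(a)   # share of flow samples <= x
        fb = bisect_right(b, x) / len(b)   # share of overall samples <= x
        gap = max(gap, abs(fa - fb))
    return gap

def fpr_min(alpha, n, m):
    """Assumed threshold: large-sample two-sample KS critical value."""
    c = math.sqrt(-0.5 * math.log(alpha / 2.0))
    return c * math.sqrt((n + m) / (n * m))

def classify(flow_rates, overall_rates, alpha=0.05):
    """Return (label, distance, threshold) for one flow."""
    d = ecdf_distance(flow_rates, overall_rates)
    t = fpr_min(alpha, len(flow_rates), len(overall_rates))
    # Assumption: the abstract does not state the decision direction; here a
    # flow that deviates from the overall distribution is treated as unknown.
    return ("unknown" if d > t else "known"), d, t

# Constructed samples: packets per second observed in successive intervals.
OVERALL = [100 + (i * 7) % 40 for i in range(60)]      # all monitored traffic
FLOW_STEADY = [100 + (i * 11) % 40 for i in range(20)]  # resembles the overall mix
FLOW_BURST = [400 + 25 * i for i in range(20)]          # far outside the usual range

if __name__ == "__main__":
    for name, flow in (("steady", FLOW_STEADY), ("burst", FLOW_BURST)):
        label, d, t = classify(flow, OVERALL)
        print(f"{name}: distance={d:.3f} threshold={t:.3f} -> {label}")
```

In the combined collection the abstract proposes, flows labelled known would be left to sampling and flows labelled unknown would be sent to packet capture.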

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.


