Enhancing performance of cardinality analysis by packet filtering

Cardinality in network flow data gives network administrators useful information about suspicious communication on their network: such communication tends to involve an abnormal number of distinct source and/or destination network addresses. Our research group previously reported that cardinalities derived from TCP/IP packet header fields can be used to detect malware propagation and P2P software usage in a small network. However, the processing speed of the cardinality analyzer is not sufficient for high-speed network links above 20 Gbps. In this paper, we propose a technique that offloads the analyzer by filtering packets on their TCP flags before they reach it, so that the analyzer processes far fewer packets per connection. We also report the performance and the limitations of the proposed technique.
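The filter-then-count pipeline the abstract describes, as an added example that is not code from the paper or its authors. The abstract does not state which flag combination the filter passes; the example assumes it keeps only connection-initiating SYN segments (SYN set, ACK clear), that each packet is reduced to a (proto, src, dst, flags) record, and that the analyzer counts distinct peers per host with exact sets rather than a probabilistic counter. The trace, addresses and threshold are constructed for the example.

```python
"""Added example (not code from the paper): per-host cardinality analysis
over a TCP-flag pre-filter.

Assumptions (not stated on the page): packets are reduced to (proto, src, dst,
flags) records, the filter passes only connection-initiating SYN segments
(SYN set, ACK clear), and the analyzer counts distinct peers per host with
exact sets. The trace below is constructed for the example.
"""
from collections import defaultdict, namedtuple

# TCP flag bits as they appear in the header's flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

Packet = namedtuple("Packet", "proto src dst flags")


def flag_filter(packets, mask=SYN | ACK, want=SYN):
    """Pre-filter stage: pass a TCP packet only if (flags & mask) == want.

    With the defaults this keeps the first SYN of every connection and drops
    SYN|ACK, data and teardown segments, so the analyzer sees one packet per
    connection attempt instead of one per segment. Non-TCP packets are
    dropped entirely, which is the main limitation of a TCP-flag filter."""
    for p in packets:
        if p.proto == "tcp" and (p.flags & mask) == want:
            yield p


def peer_cardinality(packets, by="src"):
    """Analyzer stage: number of distinct peers seen per host.

    by="src" counts distinct destinations per source (scanners, worms and
    P2P clients stand out); by="dst" counts distinct sources per destination
    (flooded or very popular hosts stand out)."""
    peers = defaultdict(set)
    for p in packets:
        key, peer = (p.src, p.dst) if by == "src" else (p.dst, p.src)
        peers[key].add(peer)
    return {host: len(s) for host, s in peers.items()}


def suspicious_hosts(cardinality, threshold):
    """Hosts whose cardinality reaches the threshold, sorted for stable output."""
    return sorted(h for h, n in cardinality.items() if n >= threshold)


def build_trace():
    """Constructed packet trace with hypothetical addresses."""
    pkts = []
    # A scanning host sends one SYN to each of 40 targets; none completes.
    for i in range(1, 41):
        pkts.append(Packet("tcp", "10.0.0.5", f"10.0.1.{i}", SYN))
    # A normal client: full handshake plus 20 data segments to 3 servers.
    for srv in ("10.0.2.10", "10.0.2.11", "10.0.2.12"):
        pkts.append(Packet("tcp", "10.0.0.7", srv, SYN))
        pkts.append(Packet("tcp", srv, "10.0.0.7", SYN | ACK))
        pkts.append(Packet("tcp", "10.0.0.7", srv, ACK))
        for _ in range(20):
            pkts.append(Packet("tcp", "10.0.0.7", srv, ACK | PSH))
            pkts.append(Packet("tcp", srv, "10.0.0.7", ACK))
    # UDP DNS queries from the same client: invisible to a TCP-flag filter.
    for _ in range(10):
        pkts.append(Packet("udp", "10.0.0.7", "10.0.0.53", 0))
    return pkts


def analyze(packets, threshold=20):
    """Run filter + analyzer; return (packets_in, packets_kept, flagged hosts)."""
    packets = list(packets)
    kept = list(flag_filter(packets))
    flagged = suspicious_hosts(peer_cardinality(kept, by="src"), threshold)
    return len(packets), len(kept), flagged


if __name__ == "__main__":
    total, kept, flagged = analyze(build_trace())
    print(f"analyzer load: {kept}/{total} packets, flagged: {flagged}")
```

On this trace the filter passes 43 of 179 packets and the per-source destination cardinality computed from the surviving SYNs is identical to the one computed from the full TCP trace, because every connection attempt begins with exactly one SYN regardless of how many segments follow. The two limitations worth checking before deploying such a filter are visible in the same trace: the responder side of each connection (SYN|ACK) is dropped, so destination-side cardinality must be derived from the initiator's packets, and UDP traffic never reaches the analyzer at all, so the client's DNS peer is not counted.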
