Passive measurement of one-way and two-way flow lifetimes

Flow-based analysis is considered a simple and effective approach to network analysis. 5-tuple (unidirectional) flows are used in many network traffic analyses; however, these analyses often require bidirectional packet matching to observe the interactions. Separating flows into two categories, one-way (packets in one direction only) and two-way (packets in both directions), can yield further insight. We examined traces of Auckland traffic for 2000, 2003 and 2006 and analyzed their one-way and two-way flows. We observed several behaviors, along with changes in flow sizes and lifetimes over time. In our traces, one-way flows are mostly malicious traffic or retransmissions, and some are long-lived. Two-way flows are mostly normal end-to-end transmissions, with their lifetimes/RTTs decreasing and their sizes increasing, and many short-lived flows mostly depict errors in TCP. We also observe similarity between one-way and two-way flow sizes for their lifetimes.
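The bidirectional matching described in the abstract, as an added example that is not code from the paper: unidirectional 5-tuple flows are merged under a direction-independent key, labelled one-way or two-way, and given a lifetime (last packet time minus first). The packet tuple layout, function names and sample addresses are constructed for illustration; the sketch assumes the capture point sees both directions and applies no inactivity timeout.

```python
from collections import defaultdict

# Constructed sample: (time_s, src_ip, dst_ip, src_port, dst_port, proto, bytes)
PACKETS = [
    (0.000, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 60),
    (0.030, "192.0.2.10", "10.0.0.5", 80, 40000, 6, 60),
    (0.031, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 52),
    (0.250, "192.0.2.10", "10.0.0.5", 80, 40000, 6, 1500),
    (1.000, "198.51.100.7", "10.0.0.9", 53123, 445, 6, 60),  # never answered
    (4.000, "198.51.100.7", "10.0.0.9", 53123, 445, 6, 60),  # retransmission
    (2.000, "10.0.0.8", "192.0.2.53", 5353, 53, 17, 70),
    (2.020, "192.0.2.53", "10.0.0.8", 53, 5353, 17, 130),
]


def biflow_key(src, dst, sport, dport, proto):
    """Direction-independent key: sort the endpoints so A->B and B->A collide."""
    a, b = sorted([(src, sport), (dst, dport)])
    return (proto, *a, *b)


def classify_flows(packets):
    """Merge unidirectional 5-tuple flows and label each result one-way or two-way."""
    flows = defaultdict(lambda: {"senders": set(), "first": None, "last": None,
                                 "bytes": 0, "packets": 0})
    for ts, src, dst, sport, dport, proto, size in sorted(packets):
        f = flows[biflow_key(src, dst, sport, dport, proto)]
        f["senders"].add((src, sport))          # which endpoints actually sent
        f["first"] = ts if f["first"] is None else f["first"]
        f["last"] = ts                          # packets are processed in time order
        f["bytes"] += size
        f["packets"] += 1
    return {
        key: {
            "kind": "two-way" if len(f["senders"]) == 2 else "one-way",
            "lifetime": f["last"] - f["first"],
            "bytes": f["bytes"],
            "packets": f["packets"],
        }
        for key, f in flows.items()
    }


if __name__ == "__main__":
    for key, rec in classify_flows(PACKETS).items():
        print(key, rec)
```

A flow labelled one-way here may simply have its return path routed around the monitor, so the label describes what the capture saw, not necessarily what the endpoints exchanged.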
