Abstract
Deep packet inspection (DPI) and IP flow monitoring are frequently used network monitoring approaches. Although DPI provides application visibility, detailed examination of every packet is computationally intensive. IP flow monitoring achieves high performance by processing only packet headers, but provides fewer details about the traffic itself. Application-aware flow monitoring is proposed as an attempt to combine DPI accuracy and IP flow monitoring performance. However, the impacts, benefits and disadvantages of application flow monitoring have not yet been studied in detail. The work proposed in this paper attempts to rectify this lack of research. We also propose a next generation flow measurement for application monitoring. The flows will represent events within the application protocol, e.g., a web page download, instead of a packet stream. Finally, we will investigate the performance of different approaches to application classification and application parsing with computational complexity in mind.
Copyright information
© 2014 International Federation for Information Processing
About this paper
Cite this paper
Velan, P., Čeleda, P. (2014). Next Generation Application-Aware Flow Monitoring. In: Sperotto, A., Doyen, G., Latré, S., Charalambides, M., Stiller, B. (eds) Monitoring and Securing Virtualized Networks and Services. AIMS 2014. Lecture Notes in Computer Science, vol 8508. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43862-6_20
DOI: https://doi.org/10.1007/978-3-662-43862-6_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-43861-9
Online ISBN: 978-3-662-43862-6
eBook Packages: Computer Science, Computer Science (R0)