
Signature-Aware Traffic Monitoring with IPFIX

  • Conference paper
Management of Convergence Networks and Services (APNOMS 2006)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 4238)


Abstract

Traffic monitoring is essential for accounting user traffic and for detecting anomalous traffic such as Internet worms or P2P file-sharing applications. Because typical Internet traffic monitoring tools use only TCP/UDP/IP header information, they cannot reliably classify diverse application traffic: the same TCP or UDP port number may be used by different applications. Moreover, now that firewalls permitting only a few allowed port numbers are widely deployed, P2P and other non-well-known applications can run over the well-known port numbers. Hence a port-based traffic measurement scheme may not produce correct monitoring results. Traffic monitoring also has to report not only general statistics of traffic usage but also anomalous traffic such as exploit traffic, Internet worms, and P2P traffic, and such traffic can be identified more precisely when packet payloads are inspected for signatures. Although packet-level measurement is the more accurate approach, flow-level measurement is generally preferred because of its easy deployment and low-cost operation. In this paper, therefore, we propose a signature-aware flow-level traffic monitoring method based on the IETF IPFIX standard for next-generation routers, in which the flow record format can be defined dynamically so that signature information can be included. Our experimental results show that the signature-aware traffic monitoring scheme based on IPFIX performs better than the traditional port-based traffic monitoring method: anomalous traffic hidden behind the same port number is revealed.
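The core idea of the abstract, that an IPFIX template can be defined at run time to carry a payload-signature result alongside the usual 5-tuple and counters, is shown below as an added example; it is not code from the paper, from WinIPFIX, or from nProbe. It aggregates a few constructed packets into flows, tags each flow by matching the first bytes of payload against a small signature table, and exports the flows as one IPFIX message (RFC 7011 wire format) whose template includes an enterprise-specific signature element. The standard information element numbers come from the IANA IPFIX registry; the private enterprise number, the signature element id, the signature table and the sample packets are assumptions made for the example. The third flow runs a BitTorrent handshake over port 80, which port-based classification labels as HTTP and the signature field reveals.

```python
"""Signature-aware flow export over IPFIX (added example, not the paper's code)."""
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
TEMPLATE_ID = 256            # first template id outside the reserved range
ENTERPRISE_PEN = 65535       # hypothetical private enterprise number
SIG_IE_ID = 1                # hypothetical enterprise-specific element id

# Payload prefix -> application label (assumed signature table, kept small).
SIGNATURES = [
    (b"\x13BitTorrent protocol", "bittorrent"),
    (b"GNUTELLA CONNECT", "gnutella"),
    (b"SSH-", "ssh"),
    (b"GET ", "http"),
    (b"POST ", "http"),
]
SIG_IDS = {"unknown": 0, "http": 1, "ssh": 2, "bittorrent": 3, "gnutella": 4}
SIG_NAMES = {v: k for k, v in SIG_IDS.items()}
WELL_KNOWN_PORTS = {22: "ssh", 80: "http", 6346: "gnutella", 6881: "bittorrent"}

# Constructed sample packets: (src, dst, sport, dport, proto, payload).
PACKETS = [
    ("10.0.0.5", "93.184.216.34", 50123, 80, 6, b"GET / HTTP/1.1\r\nHost: example.com"),
    ("10.0.0.5", "93.184.216.34", 50123, 80, 6, b"\r\n\r\n"),
    ("10.0.0.7", "203.0.113.9", 50124, 80, 6, b"\x13BitTorrent protocol" + b"\x00" * 8),
    ("10.0.0.7", "203.0.113.9", 50124, 80, 6, b"\x00" * 40),
    ("10.0.0.9", "198.51.100.2", 50125, 22, 6, b"SSH-2.0-OpenSSH_9.6"),
]


def port_label(sport, dport):
    """Traditional port-based classification."""
    return WELL_KNOWN_PORTS.get(dport) or WELL_KNOWN_PORTS.get(sport) or "unknown"


def signature_label(payload):
    """Return the label of the first matching payload signature, else None."""
    for prefix, label in SIGNATURES:
        if payload.startswith(prefix):
            return label
    return None


def build_flows(packets):
    """Aggregate packets into 5-tuple flows; the first signature hit tags the flow."""
    flows = {}
    for src, dst, sport, dport, proto, payload in packets:
        f = flows.setdefault((src, dst, sport, dport, proto),
                             {"packets": 0, "octets": 0, "app": "unknown"})
        f["packets"] += 1
        f["octets"] += len(payload)
        if f["app"] == "unknown":
            f["app"] = signature_label(payload) or "unknown"
    return flows


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def encode_template():
    """Template set: 7 IANA elements plus one enterprise-specific element."""
    fields = struct.pack("!14H", 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 2, 8, 1, 8)
    fields += struct.pack("!HHI", 0x8000 | SIG_IE_ID, 2, ENTERPRISE_PEN)  # enterprise bit set
    record = struct.pack("!HH", TEMPLATE_ID, 8) + fields
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(record)) + record


def encode_data(flows):
    """Data set laid out exactly as the template above describes."""
    body = b""
    for (src, dst, sport, dport, proto), f in flows.items():
        body += ip_bytes(src) + ip_bytes(dst) + struct.pack(
            "!HHBQQH", sport, dport, proto, f["packets"], f["octets"], SIG_IDS[f["app"]])
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body


def export_message(flows, export_time=0, seq=0, domain=1):
    sets = encode_template() + encode_data(flows)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(sets), export_time, seq, domain) + sets


def parse_message(msg):
    """Collector side: learn templates from the message, then decode data records."""
    version, length, _, _, _ = struct.unpack_from("!HHIII", msg, 0)
    assert version == IPFIX_VERSION and length == len(msg)
    off, templates, records = 16, {}, []
    while off < len(msg):
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        end, p = off + set_len, off + 4
        if set_id == TEMPLATE_SET_ID:
            while p + 4 <= end:
                tid, count = struct.unpack_from("!HH", msg, p); p += 4
                fields = []
                for _ in range(count):
                    ie, ln = struct.unpack_from("!HH", msg, p); p += 4
                    pen = None
                    if ie & 0x8000:
                        (pen,) = struct.unpack_from("!I", msg, p); p += 4
                    fields.append((ie & 0x7FFF, ln, pen))
                templates[tid] = fields
        elif set_id >= 256:
            fields = templates[set_id]
            rec_len = sum(ln for _, ln, _ in fields)
            while p + rec_len <= end:
                rec = {}
                for ie, ln, pen in fields:
                    rec[(ie, pen)] = msg[p:p + ln]; p += ln
                records.append(rec)
        off = end
    return records


def classify_exported(msg):
    """(sport, dport, packets, port-based label, signature label) per exported flow."""
    out = []
    for rec in parse_message(msg):
        sport = int.from_bytes(rec[(7, None)], "big")
        dport = int.from_bytes(rec[(11, None)], "big")
        pkts = int.from_bytes(rec[(2, None)], "big")
        sig = int.from_bytes(rec[(SIG_IE_ID, ENTERPRISE_PEN)], "big")
        out.append((sport, dport, pkts, port_label(sport, dport), SIG_NAMES[sig]))
    return out


if __name__ == "__main__":
    for row in classify_exported(export_message(build_flows(PACKETS))):
        print(row)
```

Because the template travels with the data, a collector that has never seen the enterprise-specific element can still frame every record correctly by its declared length, which is what makes the flow format extensible without changing the exporter-collector protocol. A real exporter would of course match signatures on more than a fixed prefix and would re-send templates periodically, as RFC 7011 requires for UDP transport.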

This research was supported by the MIC (Ministry of Information and Communication), Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Assessment). (IITA-2005-(C1090-0502-0020)).



Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lee, Y., Shin, S., Kwon, Tg. (2006). Signature-Aware Traffic Monitoring with IPFIX. In: Kim, YT., Takano, M. (eds) Management of Convergence Networks and Services. APNOMS 2006. Lecture Notes in Computer Science, vol 4238. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11876601_9


  • DOI: https://doi.org/10.1007/11876601_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-45776-3

  • Online ISBN: 978-3-540-46233-0
