Virtual vectors and network traffic analysis

In a high-speed network, traffic monitoring modules should be compact in size to fit into a fast but small memory (e.g., SRAM). We propose two compact algorithms for network traffic monitoring and analysis, for the purposes of per-flow traffic measurement and long-duration flow detection. The proposed schemes are based on the data structure of a virtual vector that was recently invented, but limited to the purpose of estimating spread value. We found that the virtual vector can be applied to a range of different problems in the area of network traffic monitoring and analysis. In this article, we propose a counting virtual vector that counts the number of packets for per-flow traffic measurement. For long-duration flow detection, we observe that the attackers can easily evade the previous work and propose a new detection scheme to catch even evasive flows. Through experiments on real Internet traffic traces, we show that the proposed schemes outperform previous work or make up for its weaknesses.