Adaptive Network Flow Clustering

Flow level measurements are used to provide insights into the traffic flow crossing a network link. However, existing flow based network detection devices lack adaptive reconfigure functions when facing large number of flow sources such as spoofed attacks. The cache memory for storing flow records and the CPU for processing and/or exporting them could be increasing dramatically beyond what are available. The static sampling technique could not alleviate the issue totally. Instead it missed the ability to log accurately network traffic information. In this paper, we use Fuzzy Logic to achieve adaptive flow clustering. It reacts to the abrupt changes of flow numbers caused by flooding attack or any other attacks, and suggests a best clustering level. Therefore, large amount of flows are aggregated into a few flows in a real time. Our experiments demonstrate that the adaptive flow clustering prevents huge amount of malicious flows from exhausting memories and CPU resources while guarantees the legitimate flows.