Title :
Flow-based TCP connection analysis
Author :
Limmer, Tobias ; Dressler, Falko
Author_Institution :
Comput. Networks & Commun. Syst., Univ. of Erlangen, Erlangen, Germany
Abstract :
We discuss the need for accurate analysis of TCP connections based on aggregated flow information. Due to increasing bandwidths in the Internet, flow metering is thought to be a promising solution for network monitoring, as packet-oriented state-based analysis reaches its limits and fast hardware support for flow metering is available. Motivated by earlier work on flow-based connection analysis, we investigate the quality of several stateless classifiers that can be used to determine the TCP connection state as either successful or failed. This information is strongly needed especially in the domain of attack detection and is usually produced by fine-grained analysis in the packet level. Furthermore, we determine appropriate configuration parameters for optimal flow metering by introducing a new statistical property, the maximum packet gap. We evaluated both, the classifiers and the packet gap analysis using a number of representative packet traces. Our best classifiers are able to correctly identify 95% of all connections with a fraction of the processing costs required for packet-based stateful connection tracking.
Keywords :
Internet; flowmeters; transport protocols; Internet; aggregated flow information; fine-grained analysis; flow metering; flow-based TCP connection analysis; network monitoring; optimal flow metering; packet-oriented state-based analysis; Bandwidth; Computer networks; Condition monitoring; Electronic mail; Failure analysis; Hardware; High-speed networks; Information analysis; Intrusion detection; Telecommunication traffic;
Conference_Titel :
Performance Computing and Communications Conference (IPCCC), 2009 IEEE 28th International
Conference_Location :
Scottsdale, AZ
Print_ISBN :
978-1-4244-5737-3
DOI :
10.1109/PCCC.2009.5403846
