Flow-based TCP connection analysis

We discuss the need for accurate analysis of TCP connections based on aggregated flow information. Due to increasing bandwidths in the Internet, flow metering is thought to be a promising solution for network monitoring, as packet-oriented state-based analysis reaches its limits and fast hardware support for flow metering is available. Motivated by earlier work on flow-based connection analysis, we investigate the quality of several stateless classifiers that can be used to determine the TCP connection state as either successful or failed. This information is strongly needed especially in the domain of attack detection and is usually produced by fine-grained analysis in the packet level. Furthermore, we determine appropriate configuration parameters for optimal flow metering by introducing a new statistical property, the maximum packet gap. We evaluated both, the classifiers and the packet gap analysis using a number of representative packet traces. Our best classifiers are able to correctly identify 95% of all connections with a fraction of the processing costs required for packet-based stateful connection tracking.