Improving Host Profiling with Bidirectional Flows

We present an approach to network devices behavior profiling based on NetFlow monitoring and a bidirectional flows extension. Behavior profiles of network devices typically focus on communicating peers, amount of traffic and traffic structure. However, using an implementation of the bidirectional flows standard we are able to distinguish between servers, clients and single flows directly which increases the profile quality. In this paper, we describe and evaluate our bidirectional flows implementation and suggest to use more precise time stamps in flow monitoring. Further, we compare results obtained by standard behavior profiles (unidirectional flows) and extended behavior profiles (bidirectional flows). Various measurements of extended behavior profile from campus network are presented. The influence of a sensor connection to themonitored network (Cisco SPAN port vs. tap) on the data quality is studied as a side effect of bidirectional flows implementation.