Abstract
Traffic monitoring is essential for accounting user traffic and detecting anomaly traffic such as Internet worms or P2P file sharing applications. Since typical Internet traffic monitoring tools use only TCP/UDP/IP header information, they cannot effectively classify diverse application traffic, because TCP or UDP port numbers could be used by different applications. Moreover, under the recent deployment of firewalls that permits only a few allowed port numbers, P2P or other non-well-known applications could use the well-known port numbers. Hence, a port-based traffic measurement scheme may not provide the correct traffic monitoring results. On the other hand, traffic monitoring has to report not only the general statistics of traffic usage but also anomaly traffic such as exploiting traffic, Internet worms, and P2P traffic. Particularly, the anomaly traffic can be more precisely identified when packet payloads are inspected to find signatures. Regardless of correct packet-level measurement, flow-level measurement is generally preferred because of easy deployment and low-cost operation. In this paper, therefore, we propose a signature-aware flow-level traffic monitoring method based on the IETF IPFIX standard for the next-generation routers, where the flow format of monitoring traffic can be dynamically defined so that signature information could be included. Our experimental results show that the signature-aware traffic monitoring scheme based on IPFIX performs better than the traditional port-based traffic monitoring method. That is, hidden anomaly traffic with the same port number has been revealed.
This research was supported by the MIC (Ministry of Information and Communication), Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Assessment). (IITA-2005-(C1090-0502-0020)).
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Cisco NetFlow, http://www.cisco.com/warp/public/cc/pd/iosw/ioft/netflct/tech/napps_ipfix-charter.html
Quittek, J., Zseby, T., Claise, B., Zander, S.: Requirements for IP Flow Information Export (IPFIX), IETF RFC3917 (October 2004)
Plonka, D.: FlowScan: A Network Traffic Flow Reporting and Visualization Tool, USENIX LISA (2000)
Fraleigh, C., Moon, S., Lyles, B., Cotton, C., Khan, M., Moll, D., Rockell, R., Seely, T., Diot, C.: Packet-Level Traffic Measurements from the Sprint IP Backbone. IEEE Network 17(6), 6–16 (2003)
Roesch, M.: Snort - Lightweight Intrusion Detection for Networks, USENIX LISA (1999)
Choi, T., Kim, C., Yoon, S., Park, J., Lee, B., Kim, H., Chung, H., Jeong, T.: Content-aware Internet Application Traffic Measurement and Analysis. In: IEEE/IFIP Network Operations & Management Symposium (2004)
Moore, A., Papagiannaki, K.: Toward the Accurate Identification of Network Applications. In: Passive and Active Measurement Workshop (April 2006)
nProbe, http://www.ntop.org/
WinIPFIX, http://networks.cnu.ac.kr/~winipfix/
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Lee, Y., Shin, S., Kwon, Tg. (2006). Signature-Aware Traffic Monitoring with IPFIX. In: Kim, YT., Takano, M. (eds) Management of Convergence Networks and Services. APNOMS 2006. Lecture Notes in Computer Science, vol 4238. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11876601_9
Download citation
DOI: https://doi.org/10.1007/11876601_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-45776-3
Online ISBN: 978-3-540-46233-0
eBook Packages: Computer ScienceComputer Science (R0)