OpenFIow Based Flow Slice Load Balancing

Today＇s data center networks are designed using densely interconnected hosts in the data center.There are multiple paths between source host and destination server.Therefore,how to balance traffic is key issue with the fast growth of network applications.Although lots of load balancing methods have been proposed,the traditional approaches cannot fully satisfy the requirement of load balancing in data center networks.The main reason is the lack of efficient ways to obtain network traffic statistics from each network device.As a solution,the OpenFlow protocol enables monitoring traffic statistics by a centralized controller.However,existing solutions based on OpenFlow present a difficult dilemma between load balancing and packet reordering.To achieve a balance between load balancing and packet reordering,we propose an OpenFlow based flow slice load balancing algorithm.Through introducing the idea of differentiated service,the scheme classifies Internet flows into two categories：the aggressive and the normal,and applies different splitting granularities to the two classes of flows.This scheme improves the performance of load balancing and also reduces the number of reordering packets.Using the trace-driven simulations,we show that the proposed scheme gains over 50%improvement over previous schemes under the path delay estimation errors,and is a practical and efficient algorithm.     

互联网流量的结构特性:重叠社团和相关性(英文)

There is an increasing number of Internet applications, which leads to an increasing network capacity and availability. Internet traffic characterisation and application identification are, therefore, more important for efficient network management. In this paper, we construct flow graphs from detailed Internet traffic data collected from the public networks of Internet Service Providers. We analyse the community structures of the flow graph that is naturally formed by different applications. The community size, degree distribution of the community, and community overlap of 10 Internet applications are investigated. We further study the correlations between the communities from different applications. Our results provide deep insights into the behaviour Internet applications and traffic, which is helpful for both network management and user behaviour analysis.     

Analysis on the time-domain characteristics of botnets control traffic

Botnets are networks composed with malware-infect ed computers.They are designed and organized to be controlled by an adversary.As victims are infected through their inappropriate network behaviors in most cases,the Internet protocol(IP) addresses of infected bots are unpredictable.Plus,a bot can get an IP address through dynamic host configuration protocol(DHCP),so they need to get in touch with the controller initiatively and they should attempt continuously because a controller can’t be always online.The whole process is carried out under the command and control(C&C) channel.Our goal is to characterize the network traffic under the C&C channel on the time domain.Our analysis draws upon massive data obtained from honeynet and a large Internet service provider(ISP) Network.We extract and summarize fingerprints of the bots collected in our honeynet.Next,with the fingerprints,we use deep packet inspection(DPI) Technology to search active bots and controllers in the Internet.Then,we gather and analyze flow records reported from network traffic monitoring equipments.In this paper,we propose a flow record interval analysis on the time domain characteristics of botnets control traffic,and we propose the algorithm to identify the communications in the C&C channel based on our analysis.After that,we evaluate our approach with a 3.4 GB flow record trace and the result is satisfactory.In addition,we believe that our work is also useful information in the design of botnet detection schemes with the deep flow inspection(DFI) technology.     

A NEW ADMISSION CONTROL APPROACH BASED ON PREDICTION

Admission control plays an important role in providing QoS to network users.Mo-tivated by the measurement-based admission control algorithm,this letter proposed a new ad-mission control approach for integrated service packet network based on traffic prediction .In the letter ,FARIMA(p,d,q,)models in the admission control algorithm is deployed.A method to simplify the FARIMA model fitting procedure and hence to reduce the time of traffic modeling and prediction is suggested.The feasibility-study experiments show that FARIMA models which have less number of parameters can be used to model and predict actual traffic on quite a large time scale.Simulation results validate the promising approach.     

Identifying file-sharing P2P traffic based on traffic characteristics

This article focuses on identifying file-sharing peer-to-peer （P2P） （such as BitTorrent （BT）） traffic at the borders of a stub network. By analyzing protocols and traffic of applications, it is found that file-sharing P2P traffic of a single user differs greatly from traditional and other P2P （such as QQ） applications＇ traffic in the distribution of involved remote hosts and remote ports. Therefore, a method based on discreteness of remote hosts （RHD） and discreteness of remote ports （RPD） is proposed to identify BT-like traffic. This method only relies on flow information of each user host in a stub network, and no packet payload needs to be monitored. At intervals, instant RHD for concurrent transmission control protocol and user datagram protocol flows for each host are calculated respectively through grouping flows by the stub network that the remote host of each flow belongs to. On given conditions, instant RPD are calculated through grouping flows by the remote port to amend instant RHD. Whether a host has been using a BT-like application or not can be deduced from instant RHD or average RHD for a period of time. The proposed method based on traffic characteristics is more suitable for identifying protean file-sharing P2P traffic than content-based methods Experimental results show that this method is effective with high accuracy.     

How Many Packets Are Most Effective for Early Stage Traffic Identification： An Experimental Study

Accurately identifying network traffics at the early stage is very important for the application of traffic identification. Recent years, more and more research works have tried to build effective machine learning models to identify traffics with the few packets at the early stage. However, a basic and important problem is still unresolved, that is how many packets are most effective in early stage traffic identification. In this paper, we try to resolve this problem using experimental methods. We firstly extract the packet size of the first 2-10 packets of 3 traffic data sets. And then execute crossover identification experiments with different numbers of packets using 11 well-known machine learning classifiers. Finally, statistical tests are applied to find out which number is the best performed one. Our experimental results show that 5-7 are the best packet numbers for early stage traffic identification.     

FEW-NNN: A Fuzzy Entropy Weighted Natural Nearest Neighbor Method for Flow-Based Network Traffic Attack Detection

Attacks such as APT usually hide communication data in massive legitimate network traffic, and mining structurally complex and latent relationships among flow-based network traffic to detect attacks has become the focus of many initiatives. Effectively analyzing massive network security data with high dimensions for suspicious flow diagnosis is a huge challenge. In addition, the uneven distribution of network traffic does not fully reflect the differences of class sample features, resulting in the low accuracy of attack detection. To solve these problems, a novel approach called the fuzzy entropy weighted natural nearest neighbor(FEW-NNN) method is proposed to enhance the accuracy and efficiency of flowbased network traffic attack detection. First, the FEW-NNN method uses the Fisher score and deep graph feature learning algorithm to remove unimportant features and reduce the data dimension. Then, according to the proposed natural nearest neighbor searching algorithm(NNN_Searching), the density of data points, each class center and the smallest enclosing sphere radius are determined correspondingly. Finally, a fuzzy entropy weighted KNN classification method based on affinity is proposed, which mainly includes the following three steps: 1、 the feature weights of samples are calculated based on fuzzy entropy values, 2、 the fuzzy memberships of samples are determined based on affinity among samples, and 3、 K-neighbors are selected according to the class-conditional weighted Euclidean distance, the fuzzy membership value of the testing sample is calculated based on the membership of k-neighbors, and then all testing samples are classified according to the fuzzy membership value of the samples belonging to each class;that is, the attack type is determined. The method has been applied to the problem of attack detection and validated based on the famous KDD99 and CICIDS-2017 datasets. From the experimental results shown in this paper, it is observed that the FEW-NNN method improves the accuracy and efficiency of flow-based network traffic attack detection.     

Novel congestion control approach in wireless multimedia sensor networks

Data generated in wireless multimedia sensor networks (WMSNs) may have different importance and it has been claimed that the network exert more efforts in servicing applications carrying more important information. Nevertheless, importance of packets cannot generally be accurately represented by a static priority value. This article presents a dynamic priority based congestion control (DPCC) approach that makes two major innovations in WMSNs. First, DPCC employs dynamic priority to represent packet importance. Second, it prioritizes the local traffic of motes near the base station when WMSN is highly congested. Simulation results confirm the superior performance of the proposed approach with respect to energy efficiency, loss probability and latency as well.     

Congestion warning method based on the Internet of vehicles and community discovery of complex networks

The traffic congestion occurs frequently in urban areas, while most existing solutions only take effects after congesting. In this paper, a congestion warning method is proposed based on the Internet of vehicles(IOV) and community discovery of complex networks. The communities in complex network model of traffic flow reflect the local aggregation of vehicles in the traffic system, and it is used to predict the upcoming congestion. The real-time information of vehicles on the roads is obtained from the IOV, which includes the locations, speeds and orientations of vehicles. Then the vehicles are mapped into nodes of network, the links between nodes are determined by the correlations between vehicles in terms of location and speed. The complex network model of traffic flow is hereby established. The communities in this complex network are discovered by fast Newman(FN) algorithm, and the congestion warnings are generated according to the communities selected by scale and density. This method can detect the tendency of traffic aggregation and provide warnings before congestion occurs. The simulations show that the method proposed in this paper is effective and practicable, and makes it possible to take action before traffic congestion.     

Analysis of an ATM multiplexer under self-similar traffic

Recent empirical studies of the real traffic measurement show that the traditional traffic models cannot capture the character of long-range dependence of the traffic. And many computer simulations said that this character has large influences on the network performance. So fractal or self-similar models are more suitable to describe the modern traffic. But there is still little known about the performance of the multiplexer under self-similar traffic. In this paper, a quasi-self-similar traffic model (QSSP) is proposed. Using this model, the upper bond of the cell loss rate and multiplexing gain of the multiplexer are gotten when there are N i.i.d. QSSP inputs. If the sources have different parameters, an efficient numerical algorithm to get, this bond is proposed. Simulations indicate that our analysis is correct and accurate.     

A novel traffic identification approach based on multifractal analysis and combined neural network

An accurate identification of Internet traffic of different applications is highly relevant for a broad range of network management and measurement tasks, including traffic engineering, service differentiation, performance monitoring, and security. Traditional traffic identification approaches have become increasingly inaccurate due to restrictions of port numbers, protocol signatures, traffic encryption, and etc. In this paper, a new traffic identification approach based on multifractal analysis of wavelet energy spectrum and classification of combined neural network models is proposed. The proposed approach is able to achieve the identification of different Internet application traffic by performing classification over the wavelet energy spectrum coefficients that were inferred from the original traffic. Without using any payload information, the proposed approach has more advantages over traditional methods. The experiment results illustrate that the proposed approach has satisfactory identification results.     

HYBRID INTERNET TRAFFIC CLASSIFICATION TECHNIQUE1

Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.     

Can multiscale traffic analysis be used to differentiate Internet applications?

An accurate mapping of Internet traffic to applications can be important for a broad range of network management and measurement tasks, including traffic engineering, service differentiation, performance/failure monitoring and security. Traditional mapping approaches have become increasingly inaccurate because many applications use non-default or ephemeral port numbers, use well-known port numbers associated with other applications, change application signatures or use traffic encryption. In this paper we will demonstrate that multiscale traffic analysis based on multi-order wavelet spectrum can be used as a discriminator of Internet applications traffic profiles. By performing clustering analysis over the multiscale wavelet spectrum coefficients that are inferred from the measured traffic, the proposed methodology is able to efficiently differentiate different IP applications without using any payload information. This characteristic will allow the differentiation of traffic flows in unencrypted and encrypted scenarios. In order to compare the differentiating potential of different traffic application data, upload, download and joint upload and download flow statistics are considered to evaluate the identification approach for each selected protocol. Moreover, we also evaluate which timescales and spectrum orders are more relevant for the traffic differentiation. From the analysis of the obtained results we can conclude that the proposed methodology is able to achieve good identification results using a small set of timescales of a single order wavelet spectrum of a general raw traffic statistic.     

Hybrid internet traffic classification technique

Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach. Communication author: Li Jun, born in 1971, female, Ph.D. candidate, Associate Professor. Nanjing University of Posts and Telecommunications, Nanjing 210003, China.     

Identifying online traffic based on property of TCP flow

Classification of network traffic using port-based or payload-based analysis is becoming increasingly difficult when many applications use dynamic port numbers, masquerading techniques, and encryption to avoid detection. In this article, an approach is presented for online traffic classification relying on the observation of the first n packets of a transmission control protocol (TCP) connection. Its key idea is to utilize the properties of the observed first ten packets of a TCP connection and Bayesian network method to build a classifier. This classifier can classify TCP flows dynamically as packets pass through it by deciding whether a TCP flow belongs to a given application. The experimental results show that the proposed approach performs well in online Internet traffic classification and that it is superior to naive Bayesian method.     

Header signature maintenance for Internet traffic identification

Various traffic identification methods have been proposed with the focus on application‐level traffic analysis. Header signature–based identification using the 3‐tuple (Internet Protocol address, port number, and L4 protocol) within a packet header has garnered a lot of attention because it overcomes the limitations faced by the payload‐based method, such as encryption, privacy concerns, and computational overhead. However, header signature–based identification does have a significant flaw in that the volume of header signatures increases rapidly over time as a number of applications emerge, evolve, and vanish. In this article, we propose an efficient method for header signature maintenance. Our approach automatically constructs header signatures for traffic identification and only retains the most significant signatures in the signature repository to save memory space and to improve matching speed. For the signature maintenance, we define a new metric, the so‐called signature weight, that reflects its potential ability to identify traffic. Signature weight is periodically calculated and updated to adapt to the changes of network environment. We prove the feasibility of the proposed method by developing a prototype system and deploying it in a real operational network. Finally, we prove the superiority of our signature maintenance method through comparison analysis against other existing methods on the basis of various evaluation metrics.     

基于传输层特征和统计特征的P2P流量识别

准确识别对等网络(P2P)流量对网络流量控制有着重要意义。针对P2P流量提出一种高准确度的识别方法。该方法通过统计报文首部ASCII码出现的频率,提取出一个256维的统计特征,结合数据流量的传输层特征,使用决策树算法对流量进行分类识别。在识别过程中提出数据分块的思想,提高了识别的正确率并且能够统计P2P流量流经的端口。仿真测试结果表明,该方法可以在多种流量混杂的情况下识别出P2P流量,且具有较高的准确度。     

Architecture design for ATM statistical multiplexers

Both high-speed packet switches and statistical multiplexers are critical elements in the ATM (asynchronous transfer mode) network. Many switch architectures have been proposed and some of them have been built, but relatively fewer statistical multiplexer architectures have been investigated to date. It has been considered that multiplexers are a special kind of switches which can be implemented with similar approaches. The main function of a statistical multiplexer, however, is to concentrate traffic from a number of input ports to a comparatively smaller number of output ports; ‘switching’ in the sense that a cell must be delivered to a specific output port is often not required. This implies that the channel grouping design principle, in which more than one path is available for each virtual circuit connection, can be applied in the multiplexer. We show that this technique reduces the required buffer memory and increases the system performance significantly. The performances of three general approaches for implementing an ATM statistical multiplexer are studied through simulations with various bursty traffic assumptions. Based on the best performing approach (sharing output channels and buffers), we propose two architecture designs to implement a scalable statistical multiplexer that is modularly decomposed into many smaller multiplexers by using a novel grouping network.     

Application‐Level Traffic Monitoring and an Analysis on IP Networks

Traditional traffic identification methods based on well‐known port numbers are not appropriate for the identification of new types of Internet applications. This paper proposes a new method to identify current Internet traffic, which is a preliminary but essential step toward traffic characterization. We categorized most current network‐based applications into several classes according to their traffic patterns. Then, using this categorization, we developed a flow grouping method that determines the application name of traffic flows. We have incorporated our method into NG‐MON, a traffic analysis system, to analyze Internet traffic between our enterprise network and the Internet, and characterized all the traffic according to their application types.     

基于粒关系矩阵的流量在线分类

随着各种网络应用爆发式增长,流量的在线分类陷入困境之中.传统的基于包统计特征的机器学习方法适用于稳定的网络环境,当网络拥塞出现严重的时延和丢包时将产生较大误差.因而本文提出基于粒计算模型的分类方法.粒计算属于人工智能计算的分支,当数据缺失、信息不完全或是有噪数据仍拥有较高的分辨能力.为此本文将网络流量定义成粒子并构造粒子间关系,再建立粒关系矩阵.传统的包统计特征只是粒关系矩阵当观测角度达到最大时的特例,因此粒关系矩阵对流量特性的描述更为全面,以此进行分类也更为精准.最后实验数据证明了该方法的有效性和优越性.