Aggregation for flow-based monitoring


Jérôme François


2 April 2014




ZI 2126

Traffic monitoring concerns both the edge of the network and the core of the Internet. It supports many types of applications, such as resource planning or security. The latter is the focus of this talk, which considers the analysis of NetFlow records collected through a national Internet Service Provider. Such a network produces a large volume of traffic, which raises scalability issues. A usual approach to cope with this problem is aggregation, but it can be done in different ways, for example by considering all subnetworks with a fixed prefix length. A first approach presented here extends the latter by considering a dynamic granularity over the IP address space. A second one shows how to combine multiple dimensions, such as both the source and destination addresses; this method is generic and can be applied to other domains such as DNS monitoring as well. Finally, constructing an interdependency graph from the NetFlow records is helpful for tracking botnets. The choice of aggregation strategy is of paramount importance, as it directly impacts the results of the analysis.

The main objective is to achieve good anomaly detection while keeping the complexity as low as possible.
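As an added illustration of how the aggregation strategy shapes what an analyst sees (example code written for this page, not the speaker's or the talk's own method), the block below runs three aggregations over a handful of constructed NetFlow-like records: fixed-prefix aggregation of the source address space, a two-dimensional source/destination variant, and a hypothetical volume-driven adaptive split standing in for "dynamic granularity". The flow records, the byte threshold and the halving rule are all assumptions made here for the example.

```python
import ipaddress
from collections import Counter

# Constructed NetFlow-like records (source, destination, bytes); toy data, not ISP data.
FLOWS = [
    ("10.0.0.1",   "192.168.1.5", 500),
    ("10.0.0.2",   "192.168.1.5", 700),
    ("10.0.1.9",   "192.168.1.7", 300),
    ("10.0.200.4", "192.168.2.1", 100),
    ("172.16.5.3", "192.168.1.5", 4000),
    ("172.16.5.3", "192.168.9.9", 2500),
    ("172.16.9.1", "192.168.1.5", 1500),
]

SRC, DST, BYTES = 0, 1, 2


def fixed_prefix(flows, plen, field=SRC):
    """Fixed granularity: map every address in `field` to its /plen network and
    sum the byte counts per network.  Every region of the address space gets
    the same resolution regardless of how much traffic it carries."""
    counts = Counter()
    for rec in flows:
        net = ipaddress.ip_network(f"{rec[field]}/{plen}", strict=False)
        counts[str(net)] += rec[BYTES]
    return dict(counts)


def pair_prefix(flows, src_plen, dst_plen):
    """Two-dimensional aggregation: key on (source /src_plen, destination /dst_plen)
    so that a heavy source prefix is still broken down by where it talks to."""
    counts = Counter()
    for src, dst, nbytes in flows:
        s = ipaddress.ip_network(f"{src}/{src_plen}", strict=False)
        d = ipaddress.ip_network(f"{dst}/{dst_plen}", strict=False)
        counts[(str(s), str(d))] += nbytes
    return dict(counts)


def adaptive_prefix(flows, threshold, start_plen=16, max_plen=32, field=SRC):
    """Dynamic granularity (hypothetical volume-driven split, an illustration only,
    not the talk's method): start from the /start_plen networks that carry traffic
    and keep halving any prefix whose byte volume exceeds `threshold`, until the
    volume fits or the prefix reaches max_plen.  Heavy regions end up with fine
    prefixes, quiet regions stay coarse."""
    addrs = [(ipaddress.ip_address(rec[field]), rec[BYTES]) for rec in flows]
    seeds = {ipaddress.ip_network(f"{a}/{start_plen}", strict=False) for a, _ in addrs}
    stack = sorted(seeds)  # deterministic processing order
    result = {}
    while stack:
        net = stack.pop()
        vol = sum(b for a, b in addrs if a in net)
        if vol == 0:
            continue  # empty half of a split: nothing to report
        if vol > threshold and net.prefixlen < max_plen:
            stack.extend(net.subnets(prefixlen_diff=1))  # refine this region
        else:
            result[str(net)] = vol  # below threshold, or already a single host
    return result


if __name__ == "__main__":
    print("fixed /16     :", fixed_prefix(FLOWS, 16))
    print("fixed /24     :", fixed_prefix(FLOWS, 24))
    print("adaptive      :", adaptive_prefix(FLOWS, threshold=2000))
    print("src/16, dst/24:", pair_prefix(FLOWS, 16, 24))
```

Running it shows the contrast the abstract warns about: at /16 the 172.16.0.0/16 total of 8000 bytes hides that a single host sends most of it, while the adaptive split reports 172.16.5.3/32 on its own, keeps the lighter 172.16.8.0/21 region separate and leaves the quiet 10.0.0.0/16 at coarse resolution. The split criterion here is only a byte-volume threshold; how the talk chooses its granularity is not reproduced.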