一种新的可变采样率的网络流量抽样测量方法

一种新的可变采样率的网络流量抽样测量方法

潘乔1,2;裴昌幸1

(1. 西安电子科技大学综合业务网理论及关键技术国家重点实验室，陕西西安 710071;
2. 东华大学计算机科学与技术学院，上海 210051)

收稿日期:2008-01-02 修回日期:1900-01-01 出版日期:2008-12-20 发布日期:2008-12-20

IP flow-based variable sampling method for network traffic measurement

PAN Qiao1,2;PEI Chang-xing1

(1. State Key Lab. of Integrated Service Networks, Xidian Univ., Xi’an 710071， China;
2. School of Computer Science and Technology, Donghua Univ., Shanghai 210051， China)

Received:2008-01-02 Revised:1900-01-01 Online:2008-12-20 Published:2008-12-20

摘要/Abstract

摘要： 随机报文抽样方法是目前常用的流量抽样测量方法，但是它倾向于采集长流，影响了异常检测的正确性．提出了一种新的基于IP流可变采样率的网络流量抽样测量方法，将到达的数据报文按照流标识分类，并以每一个报文在所属流中的位置和流的大小为参数设置可变采样率进行抽样测量．实验表明，该方法提高了短流中报文的采样率，减少了随机报文抽样方法对异常检测的影响，检测结果能正确地反映原始数据的异常情况．

关键词: 抽样测量, 可变采样率抽样, IP流, 端口扫描

Abstract: The random packet sampling method is usually employed by traffic sampling measurement. But the accuracy of anomaly detection is affected by the fact that it biases a large IP flow. Based on the IP flow arrival process, a variable sampling method is proposed. According to the attribute of the IP flow, the incoming packets are classified by their flow identifiers and sampling rates are set by their positions in the IP flow. Experimental results show that sampled traffic data improve the accuracy of anomaly detection because the variable sampling method increases the sampling rate of packets in a small IP flow.

Key words: sampling measurement, variable sampling, IP flow, port scan

中图分类号:

TP393

潘乔1;2;裴昌幸1. 一种新的可变采样率的网络流量抽样测量方法
[J]. J4, 2008, 35(6): 968-972.

PAN Qiao1;2;PEI Chang-xing1. IP flow-based variable sampling method for network traffic measurement
[J]. J4, 2008, 35(6): 968-972.