been modified by implementing a custom import interface, such that the input format is Netflow records; this variant is called modified Aguri. The spatial-aggregation task is performed by assembling small records into larger ones in prefix-based trees. This means that, for a time period of $\eta$ seconds, Aguri generates a traffic profile by spatially summarizing subnets, hosts and traffic volumes. The tool can generate 4 distinct profiles: source address profile, destination address profile, source protocol profile and destination protocol profile. An example of a source address profile is shown in Fig. 3, reflecting the local network activity for 32 seconds in a tree-like structure. By inspecting the Aguri tool, it has been detected that the monitored time intervals are not constantly $\eta$ seconds, but sometimes $\eta + \tau$ seconds. A source code analysis showed that the monitoring time period (start and end time) is deduced from the packet captures and not based on a simple timing mechanism. A consequence of this is that moments of silence, where no packets are transmitted, are not taken into consideration, such that a time interval becomes $\eta + \tau$ seconds. Successive profiles therefore do not necessarily cover windows of equal length, which has to be kept in mind when they are compared.
2.2 Digging into Netflow Records with a Kernel Function
Kernel functions are an interesting tool for the evaluation of high-dimensional data. Referring to [11], a kernel function is defined as a simple mapping $K : X \times X \to [0, \infty)$ from the input space $X$ to a similarity score

$$K(x, y) = \sum_i \phi_i(x)\,\phi_i(y) = \phi(x) \cdot \phi(y),$$

where $\phi(x)$ is a feature vector over $x$ with components $\phi_i(x)$. In the module Aguri-Processor, a new kernel function based on topology and traffic volume has been defined to compare Aguri profiles:
$$K(T_n, T_m) = \sum_{i \in N_{T_n},\; j \in N_{T_m}} s(a_i, b_j) \times v(a_i, b_j) \qquad (1)$$
The kernel function is composed of two parts, evaluated for every pair of nodes $a_i$ of $T_n$ and $b_j$ of $T_m$ (indexed by $N_{T_n}$ and $N_{T_m}$). The first part $s(a_i, b_j)$ assesses topological changes in the network by considering the suffix lengths of nodes (see Eq. 2). The second part $v(a_i, b_j)$ is a Gaussian kernel treating traffic volume changes in tree nodes (see Eq. 3).
$$s(a_i, b_j) = \begin{cases}
\dfrac{2^{\mathrm{suffixlength}_j}}{2^{\mathrm{suffixlength}_i}} & \text{if } \mathrm{prefix}_i \text{ is a prefix of } \mathrm{prefix}_j \\[1.5ex]
\dfrac{2^{\mathrm{suffixlength}_i}}{2^{\mathrm{suffixlength}_j}} & \text{if } \mathrm{prefix}_j \text{ is a prefix of } \mathrm{prefix}_i \\[1.5ex]
0 & \text{otherwise}
\end{cases} \qquad (2)$$
$$v(a_i, b_j) = \exp\!\left(-\frac{\left|\mathrm{vol\ percentage}_i - \mathrm{vol\ percentage}_j\right|^2}{\sigma^2}\right) \qquad (3)$$
A more comprehensive version of the kernel function is presented in [12]. The kernel function takes as input successive Aguri profiles, i.e. $(T_1, T_2)$, and determines their similarity $K(T_1, T_2)$. The higher the $K$-value, the more similar are the successive trees.
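As an added illustration (this code is neither the paper's nor part of the Aguri-Processor module), the following Python evaluates Eqs. (1) to (3) on two constructed Aguri-style source address profiles, using the prefix-tree representation described in the previous section. The suffix-length convention (32 minus the IPv4 prefix length), the value of $\sigma$ and the sample profiles are assumptions, not values from the paper.

```python
"""Added example (not the paper's or the Aguri-Processor code): evaluating the
topology/volume kernel of Eqs. (1)-(3) on two constructed Aguri-style profiles."""
import ipaddress
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """One node of an Aguri prefix tree: an aggregated prefix and its share of
    the interval's traffic volume in percent (the 'vol percentage' of Eq. 3)."""
    prefix: ipaddress.IPv4Network
    vol_percentage: float

    @property
    def suffix_length(self) -> int:
        # Assumption: suffix length = number of host bits not fixed by the
        # prefix, i.e. 32 - prefix length for IPv4 (a /32 host has suffix 0).
        return self.prefix.max_prefixlen - self.prefix.prefixlen


def profile(*entries: tuple[str, float]) -> list[Node]:
    """Build a profile from ('prefix/len', percentage) pairs, e.g. ('10.0.0.0/24', 50)."""
    return [Node(ipaddress.IPv4Network(p), pct) for p, pct in entries]


def is_prefix_of(a: Node, b: Node) -> bool:
    """True when a's prefix covers b's prefix (a is an ancestor of b, or the same prefix)."""
    return b.prefix.subnet_of(a.prefix)


def s(ai: Node, bj: Node) -> float:
    """Topological part, Eq. (2): 1 for identical prefixes, 2^-k when one prefix
    lies k bits below the other in the tree, 0 for unrelated prefixes."""
    if is_prefix_of(ai, bj):
        return 2 ** bj.suffix_length / 2 ** ai.suffix_length
    if is_prefix_of(bj, ai):
        return 2 ** ai.suffix_length / 2 ** bj.suffix_length
    return 0.0


def v(ai: Node, bj: Node, sigma: float) -> float:
    """Volume part, Eq. (3): Gaussian kernel on the volume-percentage difference.
    sigma (in percentage points) is a tuning parameter; the paper gives no value."""
    d = abs(ai.vol_percentage - bj.vol_percentage)
    return math.exp(-(d ** 2) / sigma ** 2)


def kernel(tn: list[Node], tm: list[Node], sigma: float = 20.0) -> float:
    """Eq. (1): sum of s * v over all node pairs (a_i in T_n, b_j in T_m)."""
    return sum(s(a, b) * v(a, b, sigma) for a in tn for b in tm)


# Constructed sample profiles (not real measurements): successive
# source-address profiles of a small LAN.
T1 = profile(("10.0.0.0/24", 50), ("10.0.1.0/24", 30), ("192.168.1.10/32", 20))
T2 = profile(("10.0.0.0/24", 50), ("10.0.1.0/24", 30), ("192.168.1.10/32", 20))
# In T3 the two /24s have been aggregated into a /16 that now carries most of
# the volume (e.g. many new hosts in 10.0.0.0/16 became active).
T3 = profile(("10.0.0.0/16", 80), ("192.168.1.10/32", 20))


def main() -> None:
    print(f"K(T1, T2) = {kernel(T1, T2):.4f}")   # identical trees: one 1.0 per node
    print(f"K(T1, T3) = {kernel(T1, T3):.4f}")   # topology and volumes changed
    print(f"s(/24, /16) = {s(T1[0], T3[0])}")   # 2^8 / 2^16 = 1/256


if __name__ == "__main__":
    main()
```

Two properties worth keeping in mind when reading $K$-values: the kernel is not normalized, since every node of two identical trees contributes exactly 1, so $K(T, T)$ equals the number of nodes and values are only comparable between profiles of similar size; and $\sigma$ must be chosen on the scale of the volume percentages (20 percentage points above), otherwise the volume part suppresses every pair whose volumes differ at all.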