Signature-Aware Traffic Monitoring with IPFIX

Abstract

Traffic monitoring is essential for accounting user traffic and for detecting anomalous traffic such as Internet worms or P2P file-sharing applications. Since typical Internet traffic monitoring tools use only TCP/UDP/IP header information, they cannot effectively classify diverse application traffic, because the same TCP or UDP port number can be used by different applications. Moreover, with the recent deployment of firewalls that permit only a few allowed port numbers, P2P and other non-well-known applications may use the well-known port numbers. Hence, a port-based traffic measurement scheme may not produce correct traffic monitoring results. At the same time, traffic monitoring has to report not only the general statistics of traffic usage but also anomalous traffic such as exploit traffic, Internet worms, and P2P traffic. In particular, anomalous traffic can be identified more precisely when packet payloads are inspected for signatures. Although packet-level measurement is more accurate, flow-level measurement is generally preferred because of its easy deployment and low-cost operation. In this paper, therefore, we propose a signature-aware flow-level traffic monitoring method based on the IETF IPFIX standard for next-generation routers, in which the flow record format of the monitored traffic can be defined dynamically so that signature information can be included. Our experimental results show that the signature-aware traffic monitoring scheme based on IPFIX performs better than the traditional port-based traffic monitoring method: anomalous traffic hidden behind the same port number is revealed.
