
    Flexible Flow Aggregation for Adaptive Network Monitoring

    Network monitoring is a major building block for many domains in communication networks. Besides typical accounting mechanisms and the emerging area of charging in next generation networks, especially network security solutions rely on efficient and optimized monitoring. Network monitoring in high-speed networks is usually based on flow accounting, and aggregation techniques represent a necessary enhancement in order to cope with increasing amounts of monitoring data that accrue with the ever-growing network capacities. In this paper, we propose a flexible flow aggregation mechanism that can be directly employed on a monitoring probe to reduce the memory and processing demands. Alternatively, it can work as a concentrator that collects flow data from multiple monitoring probes, combines and aggregates them and forwards the results to an analyzer. We verified and evaluated the aggregation mechanism by integrating it into our monitoring probe Vermont. Our approach opens new prospects for high-speed network monitoring and allows coping with special situations that cannot be treated satisfyingly by traditional flow accounting, such as distributed denial-of-service attacks causing very high numbers of flows. Aggregated flow data are an easy-to-handle form of packet information especially for anomaly detection and accounting issues.