1. Field of the Invention
The present invention relates to network data-flow monitoring and, in particular, to the tracking and monitoring of long-duration network-data flows in a network.
2. Description of the Related Art
This section introduces aspects that may help facilitate a better understanding of the invention(s). Accordingly, the statements of this section are to be read in this light and are not to be understood as admissions about what is in the prior art or what is not in the prior art.
Computer networks have become an important part of our business and personal lives. Computer networks often span a large logical or geographical region such as a university campus, a neighborhood, or a corporation. Networking enables computers to conveniently share and access data.
Network management is the process of planning, securing, engineering, and operating a network to enable information sharing while reducing the risk of network failure and/or data/security compromise. A network needs to be monitored in order to allocate proper resources and to keep the data flow intact. Two of the tasks of network management are network-data monitoring and network-data regulation. Network-data monitoring is the process of monitoring various network-data flows. Network-data flows are streams of data packets through a network that share some common characteristics, such as source and destination IP addresses. Network-data regulation is the process of rate-controlling some data flows relative to other data flows, for example, to allow priority or real-time data to meet quality-of-service agreements, or to prevent malicious services from interfering with acceptable network performance.
Network-data flows are typically classified as either long-duration (LD) or short-duration (SD) network-data flows. A network-data flow is considered an LD network-data flow if it persists for a long period of time (e.g., greater than ten minutes). LD network-data flows generally include peer-to-peer (P2P) flows and video-traffic flows. However, in some cases, LD network-data flows may include botnet traffic. Botnet (“roBOT NETwork”) traffic is traffic from groups of computer systems that have had malicious software installed on them by worms, Trojan horses, or other malicious software. These computers may often be controlled remotely by a “botnet herder” or owner, who can assemble these robot or zombie computers to coordinate a distributed denial-of-service attack. Thus, monitoring LD network-data flows constitutes an essential aspect of network management.
For example, Netflow® analyzer, a product of Cisco Systems Corporation (San Jose, Calif.), allows for monitoring of LD network-data flows. Cisco's Netflow® analyzer identifies network-data flows based on values in specific fields of incoming packets, such fields including source IP address, destination IP address, source port, destination port, layer 3 protocol type, type of service (ToS) byte, and input logical interface. For each flow in a network, Netflow® analyzer maintains in a hash table an identifier and the times of arrival (TOA) of the first and most-recent packet of the flow. This information allows a user to detect flows of various durations, including LD network-data flows. However, maintaining this information for all flows in the network requires substantial computing and memory resources. If the goal of monitoring is specifically to track only LD flows, Netflow® analyzer's utilization of memory is inefficient, since it also stores information about short-duration (SD) flows.
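The hash-table scheme described above, written out as an added illustration (this is not Cisco's code): one record per flow, keyed on the seven header fields the paragraph lists and holding the first and most-recent packet TOA. The packet trace is constructed, the field names of the packet dict are assumed, and the 600-second threshold is taken from the "greater than ten minutes" figure given earlier. Replaying the trace shows the memory point made in the text: 51 records are held to find the single LD flow.

```python
"""Added example: a NetFlow-style hash-table flow tracker.  Every flow,
long- or short-duration, gets one record keyed on the seven header fields
named above and holding the times of arrival (TOA) of its first and most
recent packet.  Field names, the packet trace and the 600 s threshold are
constructed/assumed for illustration; this is not Cisco's code."""
from collections import namedtuple

# The seven header fields the text lists as the flow identifier.
FlowKey = namedtuple(
    "FlowKey", "src_ip dst_ip src_port dst_port proto tos ifindex")

LD_THRESHOLD_SECONDS = 600.0  # assumption: "greater than ten minutes"


def make_packet(src_ip, dst_ip, src_port, dst_port,
                proto="TCP", tos=0, ifindex=1):
    """Constructed packet header as a plain dict."""
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "proto": proto, "tos": tos,
            "ifindex": ifindex}


class FlowTable:
    """One entry per flow; memory grows with the number of flows seen,
    whether or not they ever become long-duration."""

    def __init__(self):
        self.flows = {}  # FlowKey -> [first_toa, last_toa, packet_count]

    def observe(self, pkt, toa):
        key = FlowKey(pkt["src_ip"], pkt["dst_ip"], pkt["src_port"],
                      pkt["dst_port"], pkt["proto"], pkt["tos"],
                      pkt["ifindex"])
        rec = self.flows.get(key)
        if rec is None:
            self.flows[key] = [toa, toa, 1]   # first sighting of the flow
        else:
            rec[1] = toa                      # most-recent TOA
            rec[2] += 1

    def duration(self, key):
        first, last, _ = self.flows[key]
        return last - first

    def long_duration_flows(self, threshold=LD_THRESHOLD_SECONDS):
        """Flows whose first-to-last TOA gap exceeds the threshold."""
        return {k: self.duration(k) for k in self.flows
                if self.duration(k) > threshold}

    def entry_count(self):
        return len(self.flows)


def build_trace():
    """Constructed trace: one flow that persists for 20 minutes plus 50
    three-packet flows that each last two seconds."""
    trace = []
    for t in range(0, 1201, 30):   # one packet every 30 s for 1200 s
        trace.append((make_packet("10.0.0.5", "198.51.100.7", 40000, 443),
                      float(t)))
    for i in range(50):
        base = 100.0 + 10 * i
        for d in (0.0, 1.0, 2.0):
            trace.append((make_packet("10.0.0.9", "203.0.113.20",
                                      50000 + i, 80), base + d))
    trace.sort(key=lambda entry: entry[1])  # replay in TOA order
    return trace


def run(threshold=LD_THRESHOLD_SECONDS):
    """Replay the trace; return (table, long-duration flows)."""
    table = FlowTable()
    for pkt, toa in build_trace():
        table.observe(pkt, toa)
    return table, table.long_duration_flows(threshold)


if __name__ == "__main__":
    table, ld = run()
    print(f"{table.entry_count()} flow records held, "
          f"{len(ld)} long-duration")
    for key, dur in ld.items():
        print(f"  {key.src_ip}:{key.src_port} -> "
              f"{key.dst_ip}:{key.dst_port} lasted {dur:.0f} s")
```

The per-flow record is what makes the approach exact (duration is known to the packet) and also what makes it costly: the table holds an entry for each of the 50 two-second flows for as long as they are not expired, even though only the 443 flow is of interest.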
Another method for monitoring the duration of network-data flows is described in U.S. Pat. Pub. 2007/0237079, “Binned Duration Flow Tracking,” incorporated herein by reference in its entirety. The publication describes a method for storing values identifying the beginning and end of network-data flows in bins that are implemented using counting Bloom filters. According to the method, the bins cover independent and arbitrary time ranges such that the duration of a network-data flow can be determined from the time range of the bin that stores the packets corresponding to the network-data flow. The method, however, tracks all network-data flows, including SD network-data flows, and requires a Bloom filter for each duration range, making its implementation costly.
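An added sketch of binned duration tracking on counting Bloom filters, written to make the idea concrete; it is not the code of the cited publication, and the bin layout is my assumption: time is cut into fixed-width windows held in a ring of bins, each bin is one counting Bloom filter, and a flow identifier is inserted only into the bin of the window in which the flow was first seen. The flow identifiers, bin width, bin count and trace are all constructed.

```python
"""Added sketch of binned duration tracking on counting Bloom filters.
Layout is an assumption made to illustrate the idea, not the method of
the cited publication: time is cut into fixed-width windows held in a
ring of bins, each bin is one counting Bloom filter, and a flow's
identifier is inserted only into the bin of the window in which the flow
was first seen.  Duration is then bounded by the time range of that bin
rather than read from a per-flow timestamp."""
import hashlib


class CountingBloomFilter:
    """Bloom filter with integer counters so members can be removed."""

    def __init__(self, m=4096, k=4):
        self.m, self.k = m, k
        self.counters = [0] * m

    def _indices(self, item):
        # k index values sliced from one SHA-256 digest
        digest = hashlib.sha256(item.encode()).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m
                for i in range(self.k)]

    def add(self, item):
        for i in self._indices(item):
            self.counters[i] += 1

    def remove(self, item):
        if self.contains(item):
            for i in self._indices(item):
                self.counters[i] -= 1

    def contains(self, item):
        return all(self.counters[i] > 0 for i in self._indices(item))

    def clear(self):
        self.counters = [0] * self.m


class BinnedDurationTracker:
    """Ring of num_bins time windows, each bin_width seconds wide."""

    def __init__(self, bin_width, num_bins, m=4096, k=4):
        self.w = float(bin_width)
        self.n = num_bins
        self.bins = [CountingBloomFilter(m, k) for _ in range(num_bins)]
        self.window_of = [None] * num_bins  # absolute window each slot holds

    def _slot(self, window):
        """Bin for an absolute window number, recycling stale slots."""
        idx = window % self.n
        if self.window_of[idx] != window:
            self.bins[idx].clear()          # slot reused for a newer window
            self.window_of[idx] = window
        return self.bins[idx]

    def _live_windows(self, current):
        oldest = current - self.n + 1
        return sorted(w for w in self.window_of
                      if w is not None and oldest <= w <= current)

    def observe(self, flow_id, toa, ends=False):
        """Record a packet; return (lower, upper) bounds on flow duration."""
        current = int(toa // self.w)
        cur_bin = self._slot(current)
        start = None
        for w in self._live_windows(current):   # earliest live bin first
            if self.bins[w % self.n].contains(flow_id):
                start = w
                break
        if start is None:                        # first sighting
            cur_bin.add(flow_id)
            start = current
        if ends:                                 # e.g. flow teardown seen
            self.bins[start % self.n].remove(flow_id)
        lower = max(0.0, toa - (start + 1) * self.w)
        upper = toa - start * self.w
        return lower, upper


def is_long_duration(bounds, threshold=600.0):
    """LD only when even the lower bound exceeds the threshold."""
    return bounds[0] > threshold


def run():
    """Replay a constructed trace; return final bounds per flow."""
    tracker = BinnedDurationTracker(bin_width=60, num_bins=32)
    trace = [("ld-flow", float(t)) for t in range(0, 1201, 30)]
    trace += [("sd-flow-%d" % i, 100.0 + 10 * i + d)
              for i in range(50) for d in (0.0, 1.0, 2.0)]
    trace.sort(key=lambda e: e[1])
    last = {}
    for flow_id, toa in trace:
        last[flow_id] = tracker.observe(flow_id, toa)
    return last
```

Memory here is fixed at num_bins filters of m counters regardless of how many flows appear, which is the attraction of the scheme, but two costs from the text remain visible: every packet of every flow, SD flows included, is looked up in each live bin, and a separate filter is needed for each time range. Because a bin is recycled after num_bins windows, a flow can only be confirmed as exceeding threshold while threshold is at most (num_bins - 2) times bin_width, so the two parameters must be chosen together.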
Thus, there exists a need for efficient methods for detection of long-duration network-data flows, which methods are computationally feasible given the line speeds of modern networks and which require relatively little memory capacity.