TY - GEN
T1 - Inferring original traffic pattern from sampled flow statistics
AU - Mori, Tatsuya
AU - Kawahara, Ryoichi
AU - Kamiyama, Noriaki
AU - Harada, Shigeaki
PY - 2007
Y1 - 2007
N2 - Packet sampling has become a practical and indispensable means to measure flow statistics. Recent studies have demonstrated that analyzing traffic patterns is crucial in detecting network anomalies. We may not be able to infer the original traffic patterns correctly from the sampled flow statistics because the sampling process wipes out much of the information about small flows, which play a vital role in determining the characteristics of traffic patterns. In this paper, we first use measured data to show an example of how the sampling process wipes out the original statistics. Then, we show empirical examples indicating that the original traffic pattern cannot be inferred correctly even if we apply a statistical inference method for incomplete data, i.e., the EM algorithm, to the sampled flow statistics. Finally, we show that additional information about the original flow statistics, namely the number of unsampled flows, is helpful in tracking changes in the original traffic patterns using sampled flow statistics.
AB - Packet sampling has become a practical and indispensable means to measure flow statistics. Recent studies have demonstrated that analyzing traffic patterns is crucial in detecting network anomalies. We may not be able to infer the original traffic patterns correctly from the sampled flow statistics because the sampling process wipes out much of the information about small flows, which play a vital role in determining the characteristics of traffic patterns. In this paper, we first use measured data to show an example of how the sampling process wipes out the original statistics. Then, we show empirical examples indicating that the original traffic pattern cannot be inferred correctly even if we apply a statistical inference method for incomplete data, i.e., the EM algorithm, to the sampled flow statistics. Finally, we show that additional information about the original flow statistics, namely the number of unsampled flows, is helpful in tracking changes in the original traffic patterns using sampled flow statistics.
UR - http://www.scopus.com/inward/record.url?scp=46349099953&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=46349099953&partnerID=8YFLogxK
U2 - 10.1109/SAINT-W.2007.51
DO - 10.1109/SAINT-W.2007.51
M3 - Conference contribution
AN - SCOPUS:46349099953
SN - 0769527574
SN - 9780769527574
T3 - SAINT - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W
BT - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W
T2 - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W
Y2 - 15 January 2007 through 19 January 2007
ER -