Inferring original traffic pattern from sampled flow statistics

摘要

Packet sampling has become a practical and indispensable means to measure flow statistics. Nowadays, most of major ISPs are monitoring their networks based on the sampled flow statistics collected at main routers. Recent studies have demonstrated that analyzing traffic patterns is crucial in detecting network anomalies. For example, sharp increase in the number of small flows may be related to an anomalous event such as worm outbreak. We may not be able to infer the original traffic patterns correctly from the sampled flow statistics because sampling process wipes out a lot of information about small flows, which play a vital role in determining the characteristics of traffic patterns. In this paper, we first show an example of how the sampling process wipes out the original statistics using measured data. Then, we show empirical examples indicating that the original traffic pattern cannot be inferred correctly even if we use a statistical inference method for incomplete data, i.e., the EM algorithm, for sampled flow statistics. Finally, we show that additional information about the original flow statistics, the number of unsampled flows, is helpful in tracking the change in original traffic patterns using sampled flow statistics.