Enhancing performance of cardinality analysis for faster network

摘要

Cardinality in network flow data gives useful information for network administrators about suspicious communication on their network. Such communication tends to present abnormal number of source and/or destination network address. Our research group reported that cardinality presented in TCP/IP packet header can be used to detect malware propagation and P2P software usage in small size network. However the processing speed of the analyzer is not enough to analyze high speed network line over 20Gbps. In this paper, we propose a technique to offload the analyzer by packet filtering based on the TCP flags. We also report the performance and the limitation of the proposed technique.