Title of invention PERFORMANCE ENHANCEMENTS FOR FINDING TOP TRAFFIC PATTERNS
Abstract A method for network traffic characterization is provided. Flow data records associated with a security alert signature are acquired. Unidimensional traffic clusters are generated based on the acquired data. A Bloom filter is populated with the acquired flow data records. Clusters of interest are identified from the generated unidimensional traffic clusters. The identified clusters of interest are compressed into a compressed set. A determination is made whether a multidimensional processing of the acquired flow data needs to be performed based on a priority associated with the alert signature. A multidimensional lattice corresponding to the unidimensional traffic clusters is generated. The multidimensional lattice is traversed and for each multidimensional node under consideration a determination is made if the Bloom filter contains flow records matching the multidimensional node under consideration. A determination is made if the unidimensional node corresponding to the multidimensional node is included in the compressed set of unidimensional nodes.
Publication number US2016134503(A1) Publication date 2016.05.12
Application number US201414536346 Filing date 2014.11.07
Applicant Arbor Networks, Inc. Inventors Watson David;Huston, III Lawrence B.;Winquist James E.;Martell Jeremiah;Scott Nicholas
Classification H04L12/26;H04L29/08 Main classification H04L12/26
Agency Agent
Principal claim 1. A computer-implemented method for network traffic characterization, the method comprising the steps of: acquiring flow data records for a plurality of network data flows associated with an alert signature; generating a plurality of unidimensional traffic clusters based on the acquired flow data records, each of the plurality of unidimensional traffic clusters comprising a plurality of unidimensional nodes, and populating a dynamic Bloom filter with the acquired flow data records; identifying one or more unidimensional traffic clusters of interest from the generated plurality of unidimensional traffic clusters; compressing the one or more unidimensional traffic clusters of interest into a compressed set of unidimensional nodes based on a predetermined compression threshold; determining if a multidimensional processing of the acquired flow data needs to be performed based on a priority associated with the alert signature; generating a multidimensional lattice corresponding to the plurality of unidimensional traffic clusters, in response to determining that the multidimensional processing is needed, wherein the multidimensional lattice comprises a plurality of multidimensional nodes; traversing the multidimensional lattice and determining, for each multidimensional node under consideration in the multidimensional lattice, if the dynamic Bloom filter contains one or more flow records matching each multidimensional node under consideration and determining if a unidimensional node corresponding to the multidimensional node under consideration is included in the compressed set of unidimensional nodes; and generating a list of flow records matching the multidimensional node under consideration, in response to determining that the unidimensional node corresponding to the multidimensional node under consideration is included in the compressed set of unidimensional nodes and in response to determining that the dynamic Bloom filter contains one or more flow records matching the multidimensional node under consideration.
Address Burlington MA US
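The pruning order described in claim 1, sketched as an added Python example; it is not code from the patent or from Arbor Networks. Assumptions made here: the four flow dimensions, a fixed-size Bloom filter keyed on every multi-field projection of each record, a compression rule that keeps unidimensional nodes seen in at least `threshold` of the flows, and the names `top_patterns`, `node_key`, `min_priority` and the sample flows, all of which are constructed for illustration.

```python
import hashlib
from collections import Counter
from itertools import combinations, product

DIMS = ("src", "dst", "dport", "proto")  # assumed flow dimensions
# Constructed sample flows (documentation address ranges), not from the patent.
FLOWS = ([("198.51.100.7", "203.0.113.10", 53, "udp")] * 2
         + [("198.51.100.9", "203.0.113.10", 443, "tcp")] * 2
         + [("192.0.2.55", "203.0.113.10", 123, "udp")])

class Bloom:
    """Fixed-size Bloom filter (the claim's filter is dynamic; simplified)."""
    def __init__(self, bits=1 << 16, hashes=4):
        self.bits, self.hashes, self.field = bits, hashes, 0
    def _positions(self, key):
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}|{key}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.bits
    def add(self, key):
        for p in self._positions(key):
            self.field |= 1 << p
    def __contains__(self, key):
        return all(self.field >> p & 1 for p in self._positions(key))

def node_key(node):  # canonical string for a set of (dimension, value) pairs
    return ";".join(f"{d}={v}" for d, v in sorted(node))

def top_patterns(flows, priority, threshold=0.3, min_priority=2):
    counts, bloom = Counter(), Bloom()
    for f in flows:
        pairs = list(zip(DIMS, f))
        counts.update(pairs)  # unidimensional nodes and their flow counts
        for r in range(2, len(DIMS) + 1):  # assumed: index every projection
            for combo in combinations(pairs, r):
                bloom.add(node_key(combo))
    # Compression (assumed rule): keep nodes seen in >= threshold of flows.
    kept = {n for n, c in counts.items() if c / len(flows) >= threshold}
    if priority < min_priority:  # low-priority alert: skip the lattice
        return kept, {}
    by_dim = {d: [n for n in counts if n[0] == d] for d in DIMS}
    result = {}
    for r in range(2, len(DIMS) + 1):
        for dims in combinations(DIMS, r):
            for node in product(*(by_dim[d] for d in dims)):
                # Cheap membership checks first; scan flows only for survivors.
                if set(node) <= kept and node_key(node) in bloom:
                    hits = [f for f in flows
                            if all(f[DIMS.index(d)] == v for d, v in node)]
                    if hits:  # discards Bloom false positives
                        result[node_key(node)] = hits
    return kept, result
```

The flow scan is the expensive step, so it runs only for lattice nodes that pass both membership checks; a Bloom false positive costs one wasted scan but never a wrong result.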