Abstract

Flow monitoring provides an aggregated view of network traffic that can be leveraged for subsequent analysis. Since network management tasks such as flow-based traffic classification or prediction benefit from broader data views, the flow tracking scope used to export the required traffic metadata can be enlarged. First, coherent packet streams can be monitored not only in a unidirectional but also in a bidirectional context that combines interrelated forward and backward direction views. Second, time-based subflow management for both contexts separates observed packet streams into consecutive windows covering a particular fraction to gain higher data granularity. To support these diversified traffic views in combination with variable feature sets for demand-driven data export serving different traffic analysis tasks, flow tracking and export strategies must operate dynamically. This paper proposes a flow monitoring approach that tracks the four aforementioned scopes while adapting timeout-based data export, operating on programmable switches. A multi-level system architecture and an adaptive protocol ensure flexible sharing and analysis of data records. Evaluations show that exported data can be used to improve analysis outcomes, whereby the considered data scope affects the achieved accuracy but also the monitoring overhead.
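The four tracking scopes named in the abstract (unidirectional flow, bidirectional flow, and the time-windowed subflow of each) can be modelled in a few lines of Python. This is an added illustration, not code from the paper and not switch code. It assumes that subflow windows are counted from each flow's first packet and that "forward" is the direction of that first packet; all names and the sample packets are constructed.

```python
from collections import defaultdict

# Constructed sample packets: (timestamp_s, src, sport, dst, dport, proto, length)
PACKETS = [
    (0.10, "10.0.0.1", 40000, "10.0.0.2", 443, 6, 100),
    (0.30, "10.0.0.2", 443, "10.0.0.1", 40000, 6, 1500),
    (1.20, "10.0.0.1", 40000, "10.0.0.2", 443, 6, 60),
    (2.70, "10.0.0.2", 443, "10.0.0.1", 40000, 6, 900),
    (2.90, "10.0.0.9", 5353, "10.0.0.2", 53, 17, 80),
]
SCOPES = ("uni_flow", "bi_flow", "uni_subflow", "bi_subflow")


def bi_key(src, sport, dst, dport, proto):
    """Direction-independent key: both directions of a conversation map to it."""
    a, b = sorted([(src, sport), (dst, dport)])
    return (a, b, proto)


def track(packets, window_s=1.0):
    """Aggregate packets into all four scopes (hypothetical helper).

    Assumption: window index = floor((ts - first packet of the flow) / window_s).
    """
    scopes = {
        name: defaultdict(lambda: {"fwd_pkts": 0, "bwd_pkts": 0, "bytes": 0})
        for name in SCOPES
    }
    origin = {}  # (kind, key) -> (first timestamp, initiating endpoint)
    for ts, src, sport, dst, dport, proto, length in packets:
        keys = (
            ("uni", (src, sport, dst, dport, proto)),
            ("bi", bi_key(src, sport, dst, dport, proto)),
        )
        for kind, key in keys:
            start, initiator = origin.setdefault((kind, key), (ts, (src, sport)))
            # In the unidirectional context every packet counts as forward.
            direction = "fwd_pkts" if (src, sport) == initiator else "bwd_pkts"
            window = int((ts - start) // window_s)
            flow_rec = scopes[kind + "_flow"][key]
            sub_rec = scopes[kind + "_subflow"][(key, window)]
            for rec in (flow_rec, sub_rec):
                rec[direction] += 1
                rec["bytes"] += length
    return scopes


if __name__ == "__main__":
    for name, records in track(PACKETS).items():
        print(name, len(records), "records")
```

The record counts differ per scope for the same five packets, which is the overhead side of the trade-off the abstract mentions: finer scopes hold more state to track and export.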
