Summary: | Master's thesis === National Taiwan University of Science and Technology === Department of Information Management === 103 === Network monitoring approaches have been proposed and developed throughout the years. However, the packet-based approach cannot easily be performed in high-speed networks, so researchers started investigating alternative approaches such as the flow-based approach. In the typical architecture of flow monitoring, packets are aggregated into flows, which are stored in a flow cache for further analysis later. However, the flow cache size is fixed. When network attacks such as flooding attacks occur, the flow cache will easily overflow. This results in flow data that is not expired consistently, which may impact the subsequent data analysis.
We propose two flow cache replacement policies, SA-MRU (Size Aware-Most Recently Used) and SA-LRU (Size Aware-Least Recently Used), based on observations of the flow characteristics of many network attacks. They evict the most recently used and the least recently used flow records, respectively, and give small flows (the number of packets ≤ 2) higher priority to be retained, so that the flows important for intrusion detection are kept in the cache. In the simulation, the traffic used contains background traffic and a SYN flooding DDoS attack. The results show that SA-MRU and SA-LRU achieve up to 4%~5% lower false positives (FP) and 1%~2% lower false negatives (FN) than Least Recently Used (LRU) cache replacement. SA-MRU and SA-LRU achieve similar performance, but SA-LRU has a higher hit ratio than SA-MRU.
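The abstract describes the two size-aware policies only in outline, so the following is an added illustration, written for this page and not code from the thesis. It implements a fixed-size flow cache with the baseline LRU policy and the two size-aware variants, then runs three constructed single-packet flood flows into a full cache to show which records each policy expires. The reading of the policy is an assumption: a "large" flow (more than 2 packets) is evicted first, searched in LRU or MRU recency order, and a small flow is sacrificed only when no large flow remains, again in that same order. The 5-tuple keys and addresses are constructed sample data.

```python
from collections import OrderedDict
from dataclasses import dataclass

# Threshold from the abstract: a flow with at most 2 packets is "small".
SMALL_FLOW_MAX_PACKETS = 2


@dataclass
class FlowRecord:
    key: tuple          # (src_ip, dst_ip, proto, src_port, dst_port)
    packets: int = 0
    octets: int = 0

    @property
    def is_small(self) -> bool:
        return self.packets <= SMALL_FLOW_MAX_PACKETS


class FlowCache:
    """Fixed-size flow cache with a pluggable replacement policy.

    policy is "LRU" (baseline), "SA-LRU" or "SA-MRU". Records live in an
    OrderedDict whose iteration order is recency: first entry is the least
    recently used, last entry the most recently used.
    """

    def __init__(self, capacity: int, policy: str = "LRU"):
        if policy not in ("LRU", "SA-LRU", "SA-MRU"):
            raise ValueError(f"unknown policy {policy!r}")
        self.capacity = capacity
        self.policy = policy
        self.flows: "OrderedDict[tuple, FlowRecord]" = OrderedDict()
        self.hits = 0
        self.misses = 0
        self.expired: list = []  # records evicted early to make room

    def update(self, key: tuple, octets: int) -> FlowRecord:
        """Account one packet to its flow, creating the record on a miss."""
        rec = self.flows.get(key)
        if rec is not None:
            self.hits += 1
            self.flows.move_to_end(key)  # becomes the most recently used
        else:
            self.misses += 1
            if len(self.flows) >= self.capacity:
                self.evict()
            rec = FlowRecord(key)
            self.flows[key] = rec
        rec.packets += 1
        rec.octets += octets
        return rec

    def choose_victim(self) -> tuple:
        """Return the key the policy would expire (cache must be non-empty)."""
        by_age = list(self.flows)  # LRU ... MRU
        if self.policy == "LRU":
            return by_age[0]
        order = by_age if self.policy == "SA-LRU" else by_age[::-1]
        # Size-aware rule (assumed reading of the abstract): expire a large
        # flow first; a small flow goes only when no large flow remains.
        for key in order:
            if not self.flows[key].is_small:
                return key
        return order[0]

    def evict(self) -> FlowRecord:
        victim = self.flows.pop(self.choose_victim())
        self.expired.append(victim)
        return victim

    def hit_ratio(self) -> float:
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


# Constructed flows: A and B are long-lived (large), C..G are single-packet
# flows from distinct sources, as a SYN flood would produce.
FLOW_A = ("10.0.0.1", "10.0.0.9", 6, 40001, 443)
FLOW_B = ("10.0.0.2", "10.0.0.9", 6, 40002, 443)
FLOW_C = ("198.51.100.7", "10.0.0.9", 6, 1025, 80)
FLOW_D = ("198.51.100.8", "10.0.0.9", 6, 1026, 80)
FLOW_E = ("198.51.100.9", "10.0.0.9", 6, 1027, 80)
FLOW_F = ("198.51.100.10", "10.0.0.9", 6, 1028, 80)
FLOW_G = ("198.51.100.11", "10.0.0.9", 6, 1029, 80)
LABELS = {FLOW_A: "A", FLOW_B: "B", FLOW_C: "C", FLOW_D: "D",
          FLOW_E: "E", FLOW_F: "F", FLOW_G: "G"}


def build_cache(policy: str) -> FlowCache:
    """Fill a capacity-4 cache so recency order is C < A < B < D (D is MRU),
    with A and B large (3 packets each) and C, D small (1 packet each)."""
    cache = FlowCache(capacity=4, policy=policy)
    cache.update(FLOW_C, 60)
    for _ in range(3):
        cache.update(FLOW_A, 60)
    for _ in range(3):
        cache.update(FLOW_B, 60)
    cache.update(FLOW_D, 60)
    return cache


def flood_victims(policy: str) -> list:
    """Push three new single-packet flows into the full cache and report
    which records the policy expired, in order."""
    cache = build_cache(policy)
    for key in (FLOW_E, FLOW_F, FLOW_G):
        cache.update(key, 60)
    return [LABELS[rec.key] for rec in cache.expired]


if __name__ == "__main__":
    for policy in ("LRU", "SA-LRU", "SA-MRU"):
        print(f"{policy:7s} expired {flood_victims(policy)}")
```

On this trace plain LRU expires the oldest small flow C first, while both size-aware policies expire the large flows A and B before touching any small flow; once only small flows remain, SA-LRU falls back to the oldest small flow and SA-MRU to the newest one. The hit ratio after `build_cache` is 0.5 for every policy, since the policies only differ in victim selection once the cache is full.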
|