EP1992111A2 - Method for collecting flow descriptions relating to flows relating to at least one client network attached to an interconnection network - Google Patents
- Publication number
- EP1992111A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- flow
- descriptions
- network
- flow descriptions
- flows
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/10—Active monitoring, e.g. heartbeat, ping or trace-route
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Definitions
- The invention relates to a method for collecting flow descriptions relating to flows relating to at least one client network attached to an interconnection network.
- The supervision of communication networks is a constant need of network operators. It takes the form of different applications, such as the detection of denial-of-service (DoS) attacks, the supervision of the network as to the traffic carried by its various nodes, or the supervision of a client network attached to a core network. It will be noted from the outset that a flow corresponds to an exchange of data packets between two machines of an IP network, the packets of which have common characteristics, including common characteristics of origin, destination and service. Subsequently, these characteristics are called flow characteristics.
- Each flow has a flow identification, which is performed for example using the following elements:
- the IP address of the source node,
- the IP address of the destination node,
- the protocol used, obtained by analysis of the information of the IP layer, for example TCP, UDP or ICMP,
- the TOS ("Type Of Service") field, identifying for the flow the type of quality of service required (priority of the flow, delivery time, ...),
- the Input field, which corresponds to an index of the interface through which the flow enters the node, this index being defined for the administration of the network.
- When a node receives a data packet to be sent that contains unknown values for some of the identification elements mentioned above, it initiates a flow description by adding to the identification of the flow various elements that describe the flow, such as:
- DPkts, containing the number of packets counted for this flow,
- DOctets, containing the level 3 (IP layer) byte volume in the packets of the flow,
- First and Last, corresponding respectively to the start and end times of the flow.
- On receipt of each new data packet, the node updates the parameters DPkts, DOctets and Last. After a predetermined period of inactivity of the flow, or periodically, the node transmits to the collection equipment the flow descriptions that it has produced. The amount of data transmitted can be significant and can induce a significant load in the collection network, which is all the more difficult to manage as the network is large.
- an aggregation function of the flow descriptions whose function is to aggregate the flow descriptions according to an aggregation criterion. This criterion may consist, for example, of aggregating the flow descriptions relating to a set of source IP addresses. These aggregated flow descriptions are then forwarded to the collection equipment.
- The aggregation must satisfy different constraints. For example: for IP traffic analysis, it is essential that the aggregation be able to keep information about the source and destination ports; for the detection of denial-of-service attacks, the aggregation must make it possible to keep information on the number of packets sent to a server in order to analyze the variation of this volume; and for applications that build traffic matrices, the aggregation is done on an autonomous system or on subsets of the network.
- The node can perform only a very limited number of aggregations at a time. To alleviate this problem, the node simultaneously transmits the same flow descriptions to the collectors of the different devices, which are more specifically in charge of the different supervision applications. This induces an additional workload for the node, whose main function is to ensure the routing of data packets. In order to limit this load, the nodes are generally limited to two parallel exports of flow descriptions.
- The object of the invention is therefore to limit the volume of aggregated descriptions transmitted to the collection equipment, particularly in the context of the supervision of a customer network attached to an interconnection network.
- The invention relates to a method for collecting flow descriptions relating to flows relating to at least one client network, the client network being attached to an interconnection network, the method comprising: a first step of receiving flow descriptions, said flow descriptions relating to flows from the client network; a first step of aggregating the flow descriptions relating to the flows coming from the client network according to an aggregation criterion; a first step of transmitting aggregated flow descriptions to collection equipment; characterized in that it further comprises: a step of analyzing the flow descriptions relating to flows from the client network to determine at least one flow characteristic specific to the client network; a second step of receiving flow descriptions, said flow descriptions relating to flows from the interconnection network; a step of filtering flow descriptions relating to the flows coming from the interconnection network, in which the flow descriptions relating to flows devoid of the determined flow characteristic specific to the client network are eliminated; a second step of transmitting filtered flow descriptions to the collection equipment.
- The method determines at least one flow characteristic and automatically configures the processing to be performed on the flow descriptions relating to flows from the interconnection network.
- Outgoing flow descriptions of the interconnection network are, in turn, subjected to filtering in order to keep only those corresponding to the determined flow characteristic. Thus, the volume of information transmitted to the collection equipment is reduced.
- It is necessary to obtain the flow descriptions from different nodes of the interconnection network because the paths used for the incoming flows and the outgoing flows of the client network are not necessarily the same.
- The loads on the collection network and the collection equipment are also reduced, since only relevant information is transmitted.
- The method also offers more flexibility, because a different aggregation criterion can be defined for each client observed.
- The method further comprises a second step of aggregating filtered flow descriptions according to the aggregation criterion.
- filtered flow descriptions, that is to say those corresponding to the one or more determined flow characteristics.
- The load of the nodes is thus further reduced, since they are not in charge of aggregating all the flow descriptions.
- The first aggregation step further comprises a substep of assigning to the aggregated flow descriptions an identification parameter of an aggregation request, and the step of filtering the flow descriptions includes a substep of assigning to the filtered flow descriptions the same aggregation request identification parameter.
- The method further comprises a third aggregation step, said step aggregating the aggregated flow descriptions for flows from the client network and the aggregated flow descriptions from the interconnection network to obtain bi-directional aggregated flow descriptions prior to transmission to the collection equipment.
- The aggregated flow descriptions for flows from different nodes of the interconnection network and the aggregated flow descriptions for flows from the connection nodes of the client network are aggregated into bi-directional flow descriptions. Thanks to this, the method of the invention provides a global view of the traffic on the customer network.
- The port with the lowest value between the source and destination ports is identified. This port corresponds to the server (whether the server is in the client network or another network), the other port to the client.
- The information on the application direction of the flows makes it possible to react quickly if it is found, for example, that the incoming and outgoing flows are asymmetrical. This may be indicative of an ongoing attack on the client network or a server malfunction.
- The invention also relates to a system for collecting flow descriptions relating to flows relating to at least one client network, the client network being attached to an interconnection network, the system comprising: at least one flow description receiving module, arranged to receive flow descriptions relating to flows from one of the two networks, interconnection and client; at least one flow description aggregation module, arranged to aggregate received flow descriptions according to an aggregation criterion; a flow description analysis module, arranged to analyze flow descriptions relating to flows coming from the client network in order to determine at least one flow characteristic specific to the client network; a flow description filtering module, arranged to eliminate, in the received flow descriptions, those relating to flows devoid of the determined flow characteristic; a flow description transmission module, arranged to transmit filtered flow descriptions to a collection module.
- FIG. 1 represents a plurality of client networks attached to an interconnection network as well as a system for collecting flow descriptions.
- FIG. 2 represents the steps of the method of collecting flow descriptions relating to flows relating to at least one client network according to a particular embodiment of the invention.
- FIG. 3 represents a system for collecting flow descriptions.
- A flow corresponds to an exchange of data packets between two machines of an IP network, the packets of which have common characteristics, including common characteristics of origin, destination and service. Subsequently, these characteristics are called flow characteristics.
- FIG. 1 represents two client networks 2 and 3 connected to an interconnection network 1.
- The interconnection network is in charge of routing the flows to the client networks.
- This is for example the infrastructure of a telecommunication operator.
- A client network may for example be a corporate network, a home network, a mobile network, or a virtual private network (VPN) based on MPLS ("MultiProtocol Label Switching").
- The interconnection network is a core network 1 comprising a plurality of nodes 10, 11, 12, 13 and 14 responsible for routing packets between a source machine address and a destination machine address.
- The nodes 10 and 11 are output nodes of the core network 1, managing interfaces to the client networks 2 and 3 or to a client node 40.
- The client node 40 does not belong to the client networks 2 and 3.
- Packets destined for an IP address belonging to the client network 2 are routed in the core network 1 to the output node 10.
- The node 10 then transmits the packets to a node 20 of the client network 2.
- The IP addresses of the network 2 correspond to addresses belonging to the set 156.100.140.0 to 156.100.140.255, that is to say 156.100.140.0 with a mask of 24, denoted 156.100.140.0/24.
- This is Classless Inter-Domain Routing (CIDR) notation, which identifies a range of IP addresses.
- The IP address before the slash "/" is the first address in the range.
- The value after the slash "/" is the number of address bits that are granted to the client network to assign an IP address to its machines.
- The packets transmitted by a machine of the client network 2 are transmitted via the node 20 to the node 10 of the core network 1.
- Packets destined for an IP address belonging to the client network 3 are routed in the core network 1 to the output nodes 10 and 11.
- The node 10 then transmits the packets to a node 30 of the client network 3.
- The node 11 then transmits the packets to a node 31 of the client network 3.
- The IP addresses of the network 3 correspond to the set of addresses with prefix 140.100.140.0 and a mask of 24, denoted 140.100.140.0/24, and to the set of addresses with prefix 139.100.140.0 and a mask of 24, denoted 139.100.140.0/24.
- The packets destined for the prefix 139.100.140.0/24 are routed to the node 10 and those to the prefix 140.100.140.0/24 to the node 20.
- The packets transmitted by a machine of the network 3 are transmitted, in load sharing, either through the node 30 to the node 10 of the core network 1, or through the node 31 to the node 11 of the core network 1.
- The IP addresses of the nodes 20, 30 and 31 are respectively 192.3.2.1, 192.3.2.2 and 192.3.2.3.
- The IP addresses of the nodes 10 and 11 are respectively 192.3.2.4 and 192.3.2.5.
- The nodes 10, 11, 20, 30 and 31 offer the possibility of activating, on request, measurements of flow descriptions relating to flows entering the node. These measurements can be enabled, for example, for all flows entering the node or only for flows entering through some of the node's interfaces. These measurements are then transmitted to collection equipment. According to the invention, the measurements are transmitted using an IPFIX protocol, standardized at the IETF, to intermediate collection equipment 50, 51 and 60 before being transmitted to final collection equipment. Subsequently, the intermediate collection equipment 50 and 51 are referred to as pre-aggregators and the intermediate collection equipment 60 as an aggregator. These different collection devices communicate with each other using an IPFIX type protocol.
- A server 71 allows dialogue with the aggregator 60, in particular to allow the configuration of the collection system, which will be described later.
- The two client networks 2 and 3 are jointly supervised.
- The client node 40 is not supervised.
- The server 71 transmits a request to the aggregator 60.
- This request contains an AggrMode aggregation criterion, the information identifying one or more nodes in charge of exporting the flow descriptions, and the list of interfaces to be observed for each of these nodes, as well as a type associated with these interfaces according to whether it is an outgoing flow interface of the client network 2 or 3 or an outgoing flow interface of the interconnection network 1.
- The request includes, for each client network, an aggregation request identification parameter AggrID.
- These are the node interfaces of the client networks 2 and 3, in this case those of the node 20 of the client network 2 and those of the nodes 30 and 31 of the client network 3.
- Two requests of this table have the same identification parameter in order subsequently to facilitate the grouping of the data of the client network 3, this client network 3 having two output interfaces.
- Table I groups the requests made to the aggregator 60 in the example of the first embodiment. All tables are grouped in the Appendix. In Table I, it will be noted that:
- Node corresponds to the identity of the node 20, "Node2" to that of the node 30 and "Node3" to that of the node 31.
- Export address is the address of the node responsible for exporting the flow descriptions.
- AggrMod is an aggregation criterion used to define the type of aggregation to perform. Its operation is described in the description of the step
- The aggregator 60 could identify the interfaces to be observed by reading the administration databases associated with the nodes.
- The aggregator 60 transmits a pre-aggregation request to a pre-aggregator.
- The request is transmitted to the pre-aggregator(s) in charge of collecting flow descriptions from the node managing one of the interfaces to be observed, belonging to the list of node interfaces to be observed transmitted by the server 71 (or determined by the aggregator 60 in the embodiment variant) in step E1.
- the pre-aggregator 51, which is in charge of collecting flow descriptions relating to flows from the customer networks 2 and 3.
- The flow description mechanism is continuously activated on all the interfaces of the nodes.
- The flow description mechanism is activated on the nodes 20, 30 and 31 by the pre-aggregator 51 or the aggregator 60 by an IPFIX type protocol.
- The pre-aggregator 51 is then configured to determine at least one flow characteristic by analyzing the flow descriptions relating to flows from the client networks 2 and 3 and to aggregate these flow descriptions according to the aggregation criterion.
- The pre-aggregator 51 receives flow descriptions relating to flows from the client networks 2 and 3, sent in the particular example by the nodes 20, 30 and 31.
- The pre-aggregator 51 receives the information contained in Table II.
- The "Export" field corresponds to the IP address of the node that sent the flow descriptions.
- The other fields correspond to the description of the flow.
- The pre-aggregator 51 analyzes the flow descriptions for flows from the customer network 2 or 3, according to the information received at the configuration step E1, to determine, for each client network 2 or 3 to be observed, at least one flow characteristic. In the first embodiment, it deduces the characteristics of this client network, in particular the IP prefix(es) of the client network and the autonomous system to which the client network belongs. These characteristics are specific to the client network. Information about the network mask and the autonomous system of the client network is contained in the transmitted flow descriptions. The information relating to the mask appears in the "Src Mask" field of Table II. For the sake of clarity, the information relating to the autonomous system, contained in the flow descriptions received by the pre-aggregator 51, does not appear in Table II.
- The pre-aggregator 51 knows at least one of the flow characteristics to be observed.
- In a fifth step E5 of transmitting flow characteristics, the pre-aggregator 51 transmits to the aggregator 60 the flow characteristic(s) to be observed, determined in step E4. In the particular example, this is the information in Table III.
- The aggregator 60 is aware of the flow characteristic or characteristics to be observed.
- The pre-aggregator 51 aggregates the flow descriptions according to the AggrMod aggregation criterion that it received in step E1.
- The aggregation criterion is a combination of the two parameters "minPort" and "PrefixSrc", "minPort" representing the smaller of the source and destination ports and "PrefixSrc" representing the network prefix of the flow source. Aggregation on the basis of such a criterion is described below.
- In a first substep E61, for each row of Table II, the pre-aggregator 51 determines the smaller of the two ports, between the source port and the destination port of the flow, this information being included in the flow description in the SrcPort and DstPort fields. If the destination port matches the value determined to be the smallest, the flow is considered as going upstream, from a client to a server. If the source port is the value determined to be the smallest, the flow is considered as going downstream, from a server to a client. The pre-aggregator retains the smallest value and assigns to the flow description a parameter representative of an upstream or downstream transmission direction between a client and a server. Table IV contains the information from Table II following this substep E61.
- The pre-aggregator 51 aggregates the flow descriptions according to the aggregation criterion transmitted in step E1.
- The aggregation criterion is the combination of "MinPort" and "PrefixSrc". It thus groups in a single aggregated flow description all the flow descriptions relating to respective ports (MinPort) covered by the same IP prefix of the client network and to the same direction of transmission (upstream or downstream), sent by the same node identified by the "Export" field of the flow description. The information in the destination address field DestAddr of the flow is not retained in the aggregated flow descriptions.
- The pre-aggregator 51 assigns to the aggregated flow description a time parameter representative of the time distribution of the flow descriptions that have been aggregated. It may be, for example, the lowest value among the set of values contained in the "First" fields of the flow descriptions that have been aggregated (this "First" field corresponding to the start time of the flow), and the highest value among all the values contained in the "Last" fields of the flow descriptions that have been aggregated (the "Last" field corresponding to the end time of the flow).
- The pre-aggregator 51 transmits, in a substep E63, the aggregated flow descriptions to the aggregator 60.
- The flow description aggregation step E6 is performed only for the flow descriptions corresponding to the outgoing flows of the client network. Thus, the transmission of aggregated flow descriptions is limited to the outgoing flows of the client network (and therefore incoming on the interconnection network). There is no flow description transmitted for unobserved customer networks.
- In step E7, the aggregator 60 configures the pre-aggregator 50 by transmitting to it the characteristics to be observed, in particular the nodes managing one of the interfaces to be observed belonging to the list of node interfaces to be observed, the flow characteristic or characteristics that it obtained in step E5 and the aggregation criterion. Optionally, it transmits the aggregation identification parameter.
- In step E5, the pre-aggregator 51 directly transmits these characteristics to the pre-aggregator 50 and step E7 is not performed.
- The pre-aggregator 50 activates the aggregation of the flow descriptions relating to flows coming from the interconnection network 1 as a function of the one or more received flow characteristics and according to the aggregation criterion, as described below.
- The pre-aggregator 50 receives flow descriptions relating to flows from the interconnection network 1, sent by the nodes 10 and 11 in the particular embodiment, and filters, in a substep E82, the received flow descriptions to eliminate those whose flow characteristic, corresponding to the received flow characteristic specific to the client network, is not covered by it. These are flow descriptions for flows that do not have the flow characteristic specific to the particular client network. In the first embodiment, it eliminates those whose destination address is not covered by one of the predetermined network prefixes of the client network. Optionally, it assigns each flow description the aggregation identification parameter.
- The flow descriptions filtered by the pre-aggregator 50 are contained in Table VI. These filtered flow descriptions are then processed in the same manner as in step E6.
- The pre-aggregator 50 assigns, during a substep E83, to the filtered flow descriptions a parameter representing an upstream or downstream direction of transmission between a client and a server. It then aggregates, in a substep E84, in a single flow description all the flow descriptions filtered according to the aggregation criterion. In the first embodiment, these are flow descriptions relating to one of the predetermined network prefixes of the client network 2 or 3 and to the same upstream or downstream direction of transmission, sent by a node identified by the "Export" field of the flow description.
- The pre-aggregator 50 then transmits, during a substep E85, the aggregated flow descriptions to the aggregator 60.
- The aggregator 60 aggregates the flow descriptions received from the pre-aggregator 51 in step E6 and those received from the pre-aggregator 50 in step E8 into bi-directional aggregated flow descriptions, as described below.
- The aggregator searches the other aggregated flow descriptions from the same pre-aggregator 51 for one that also contains the same IP prefix as the source address. If the transmission direction parameter assigned to the flow description has the same value as that assigned to the flow description from the pre-aggregator 51, it aggregates the two flow descriptions. It then looks in the aggregated flow descriptions from the pre-aggregator 50 for one containing the same IP prefix as the destination address.
- The aggregator 60 aggregates the two flow descriptions into a bi-directional aggregated flow description.
- The aggregations are performed taking into account temporal information, in order to aggregate only flow descriptions included in the same time interval. This generation of bi-directional flow descriptions is facilitated by the use of the aggregation request identification parameter, AggrID, which allows the detection of aggregated flow descriptions from different pre-aggregators related to the same request.
- The aggregator 60 generates, from the aggregated flow descriptions contained in Tables V and VII, the bi-directional flow descriptions contained in Tables VIII and IX.
- Table VIII corresponds to flow descriptions to servers external to client network 2 or 3. This is the two-way aggregation of flow descriptions corresponding to downstream flows.
- Table IX corresponds to the flow descriptions to servers present in the client network 2 or 3, that is to say upstream flows.
- The flow descriptions of Ag2 for the TCP flow show a notable asymmetry, which suggests that the servers of the client network 3 are undergoing a TCP attack.
- The information relating to the nodes that transmitted the flow descriptions can be preserved, but is not indicated in Tables VIII and IX for reasons of readability.
- Bi-directional flow descriptions have the advantage of concealing the internal addressing plans of the client network.
- The bi-directional flow descriptions are then transmitted, during a step E10, to a collection equipment 70.
- This transmission is configurable: it can be done continuously or when certain values exceed a threshold.
- The aggregation includes threshold detections by comparing values included in the bi-directional flow descriptions. It can be a comparison between the number of incoming packets and the number of outgoing packets. It can also be threshold detection on certain parameters, such as the number of packets or the volume of bytes.
- Apart from the steps related to the configuration of the entire collection system, the method is continuous, that is to say that the steps E3 of receiving flow descriptions, E6 of aggregating flow descriptions, E8 of filtering and aggregating flow descriptions and E9 of aggregation occur continuously as flow descriptions corresponding to the observed flows are received from the nodes.
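Steps E4, E6, E8 and E9 and the threshold detection described above can be followed end to end on a small data set. The Python below is an added example, not code from the patent: the flow records are constructed, and the field names SrcAddr and SrcMask, the rule that decides on which side the server sits, the `ratio` and `min_pkts` thresholds and the assumption that all records fall in one time interval are choices made for this illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow descriptions (not the values of the patent's tables).
# Export, DestAddr, SrcPort, DstPort, DPkts, DOctets, First and Last are field
# names from the text; "SrcAddr" and "SrcMask" are assumed spellings.
def fd(export, src, dst, sport, dport, pkts, octets, first, last, mask=None):
    return {"Export": export, "SrcAddr": src, "DestAddr": dst, "SrcPort": sport,
            "DstPort": dport, "SrcMask": mask, "DPkts": pkts, "DOctets": octets,
            "First": first, "Last": last}

FROM_CLIENT = [  # exported by node 20 (192.3.2.1) and node 30 (192.3.2.2)
    fd("192.3.2.1", "156.100.140.10", "198.51.100.7", 40001, 80, 10, 900, 0, 5, 24),
    fd("192.3.2.1", "156.100.140.11", "198.51.100.7", 40002, 80, 12, 1100, 2, 9, 24),
    fd("192.3.2.2", "139.100.140.5", "203.0.113.9", 80, 51000, 40, 30000, 1, 8, 24),
]
FROM_CORE = [  # exported by node 10 (192.3.2.4) and node 11 (192.3.2.5)
    fd("192.3.2.4", "198.51.100.7", "156.100.140.10", 80, 40001, 20, 25000, 1, 6),
    fd("192.3.2.4", "203.0.113.9", "139.100.140.5", 51000, 80, 900, 54000, 1, 8),
    fd("192.3.2.4", "203.0.113.50", "139.100.140.5", 51001, 80, 800, 48000, 2, 9),
    fd("192.3.2.5", "198.51.100.7", "192.0.2.40", 443, 50000, 30, 40000, 0, 4),
]

def source_prefix(f):
    """PrefixSrc: network prefix of the flow source, from address and Src Mask."""
    return ipaddress.ip_network(f"{f['SrcAddr']}/{f['SrcMask']}", strict=False)

def client_prefixes(client_flows):
    """Step E4: the flow characteristic specific to the client network."""
    return {source_prefix(f) for f in client_flows}

def filter_by_prefix(core_flows, prefixes):
    """Substep E82: drop descriptions whose destination no client prefix covers."""
    kept = []
    for f in core_flows:
        dst = ipaddress.ip_address(f["DestAddr"])
        match = next((p for p in prefixes if dst in p), None)
        if match is not None:
            kept.append({**f, "Prefix": match})
    return kept

def aggregate(flows, prefix_of):
    """Substeps E61/E62 (and E83/E84): tag the direction from the smaller port,
    then group by (Export, prefix, MinPort, direction) and sum the counters."""
    out = {}
    for f in flows:
        min_port = min(f["SrcPort"], f["DstPort"])
        # Destination port is the smaller one: client to server (upstream).
        direction = "up" if f["DstPort"] == min_port else "down"
        key = (f["Export"], prefix_of(f), min_port, direction)
        agg = out.setdefault(key, {"DPkts": 0, "DOctets": 0,
                                   "First": f["First"], "Last": f["Last"]})
        agg["DPkts"] += f["DPkts"]
        agg["DOctets"] += f["DOctets"]
        agg["First"] = min(agg["First"], f["First"])
        agg["Last"] = max(agg["Last"], f["Last"])
    return out

def merge_bidirectional(from_client, from_core):
    """Step E9: pair outgoing and incoming aggregates per (prefix, MinPort, side)."""
    merged = defaultdict(lambda: {"out_pkts": 0, "in_pkts": 0,
                                  "out_octets": 0, "in_octets": 0})
    for source, aggs in (("client", from_client), ("core", from_core)):
        for (_export, prefix, min_port, direction), agg in aggs.items():
            # Assumption: the server is inside the client network when that
            # network sends "down" traffic or receives "up" traffic.
            inside = (source == "client") == (direction == "down")
            entry = merged[(prefix, min_port, "inside" if inside else "outside")]
            side = "out" if source == "client" else "in"
            entry[side + "_pkts"] += agg["DPkts"]
            entry[side + "_octets"] += agg["DOctets"]
    return dict(merged)

def asymmetric(merged, ratio=10.0, min_pkts=100):
    """Threshold detection: incoming packets far exceed outgoing packets."""
    alerts = [key for key, e in merged.items()
              if e["in_pkts"] >= min_pkts
              and e["in_pkts"] > ratio * max(e["out_pkts"], 1)]
    return sorted(alerts, key=str)

def run_pipeline(client_flows, core_flows):
    prefixes = client_prefixes(client_flows)
    agg_client = aggregate(client_flows, source_prefix)
    kept = filter_by_prefix(core_flows, prefixes)
    agg_core = aggregate(kept, lambda f: f["Prefix"])
    merged = merge_bidirectional(agg_client, agg_core)
    return prefixes, merged, asymmetric(merged)

if __name__ == "__main__":
    prefixes, merged, alerts = run_pipeline(FROM_CLIENT, FROM_CORE)
    for key, entry in merged.items():
        print(key, entry)
    print("asymmetric:", alerts)
```

The description sent towards the unsupervised address 192.0.2.40 is dropped by the filter, and only the port 80 service inside 139.100.140.0/24 crosses the asymmetry threshold.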
- The first embodiment is described using an aggregation criterion that consists of assigning a parameter representative of a direction of transmission between a client and a server according to the source port and the destination port contained in the flow descriptions, and then aggregating the flow descriptions by source IP prefix at the pre-aggregator 51, which processes flow descriptions for flows from the client network 2 or 3, and by destination IP prefix at the pre-aggregator 50, which processes the flow descriptions for flows from the core network.
- Generic source port values are reserved for servers in a range of 0 to 1023: for example, the value of 80 is http, 12 to TCP,
- the first embodiment is described in the case where a distribution of the load is performed between the different nodes. It is also conceivable that only the nodes at the output of the client network transmit the flow descriptions to and from the client network. In a second embodiment, the method makes it possible to observe multicast streams.
- a broadcast mode it may be for example television broadcasting, dissemination of information.
- the source of emission is located in the observed customer network. Streams from the client network are destined for a so-called multicast address.
- the core network is responsible for redistributing the flows to the multicast address to the different addresses of unicast IP terminals that have requested, using the Internet Group Management Protocol (IGMP), to receive the streams. It manages a multicast broadcast tree.
- the pre-aggregator 51 detects the multicast destination address on an output interface of the client network by analyzing flow descriptions for flows from the client network. Depending on the type of application envisaged, two different modes of aggregation can be identified.
- the aim is to determine the multicast tree, managed by the core network, associated with the multicast address.
- the aggregation criterion is defined as "broadcastTree".
- the pre-aggregator 51 analyzes the flow descriptions in order to determine at least the unicast source address and/or the multicast destination address. These characteristics are specific to the client network.
- it transmits these characteristics of determined flows to the aggregator 60.
- the pre-aggregator 51 aggregates the flow descriptions for streams whose source and destination addresses match the pair (unicast source address, multicast destination address).
- the aggregator 60 configures pre-aggregators in charge of flow descriptions for flows coming from the core network by providing them with the determined flow information and the aggregation criterion.
- the pre-aggregators provide the aggregated flow descriptions as a function of the determined flow characteristics. They transmit, associated with the aggregated flow descriptions, a list of nodes ("Export" field) that corresponds to the nodes through which the multicast stream was routed. From the information contained in the aggregated flow descriptions, and in particular the routing information present there (identification of the next router for routing, identification of the autonomous system, etc.), the application can determine the multicast stream tree. By symmetry, this variant is also applicable to the discovery of the multicast stream tree, the multicast source being broadcast in the client network.
- the aim is to estimate the audience of a multicast service of a broadcast source located in the client network or to observe its distribution by network.
- the aggregation criterion is defined as "broadcastListener".
- Steps E4, E5, E62 and E8 are identical to the first variant.
- the aggregator configures pre-aggregators in charge of flow descriptions for flows from access networks by providing the determined flow characteristics and the aggregation criterion. From the flow descriptions received in step E8, the application thus determines a list of multicast access nodes and/or nodes broadcasting to the terminals, to be interrogated in order to subsequently obtain the number of multicast sessions associated with this source. This makes it possible to obtain a good instantaneous estimate of the audience by simply cumulating the sessions.
- in a "multicast" mode, it may also be multi-directional traffic, for example audio conferencing or the like.
- the application aims to determine the list of members of a multicast group. All members of the Multicast group, each with a unicast source address, send to a Multicast address. In this case, the aggregation criterion is defined as "multicastMember".
- the pre-aggregator 51 determines, as flow characteristics, the address of the unicast source located in the client network and the multicast destination address. These characteristics are specific to the client network.
- in step E5, it transmits the multicast destination address to the aggregator 60.
- the pre-aggregator 51 aggregates the flow descriptions for flows whose source and destination addresses match the pair (unicast source address, multicast destination address).
- the aggregator 60 configures pre-aggregators in charge of flow descriptions relating to flows coming from the core network by providing them with the determined flow characteristic or characteristics and the aggregation criterion.
- the pre-aggregators provide the filtered flow descriptions based on the multicast destination address and keeping each source address. From this information, the application can determine the list of source addresses transmitting in the same multicast group as the unicast source address of the client network and therefore the list of members of the multicast group.
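The "multicastMember" steps above can be followed end to end in a short sketch. This is an added example, not code from the patent: the record layout (`src`, `dst`, `bytes`), the function names, the client prefix and the sample addresses are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ip = ipaddress.ip_address
CLIENT_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed client prefix

# Constructed flow descriptions (documentation address ranges), not patent data.
OUTGOING = [  # flows from the client network, seen by pre-aggregator 51
    {"src": "192.0.2.10", "dst": "239.1.1.1", "bytes": 1200},
    {"src": "192.0.2.10", "dst": "239.1.1.1", "bytes": 800},
    {"src": "192.0.2.11", "dst": "198.51.100.7", "bytes": 500},  # unicast
]
INCOMING = [  # flows from the core network, seen by pre-aggregator 50
    {"src": "203.0.113.5", "dst": "239.1.1.1", "bytes": 900},
    {"src": "203.0.113.9", "dst": "239.1.1.1", "bytes": 300},
    {"src": "203.0.113.5", "dst": "239.1.1.1", "bytes": 100},
    {"src": "203.0.113.77", "dst": "239.9.9.9", "bytes": 50},   # other group
    {"src": "203.0.113.80", "dst": "192.0.2.10", "bytes": 70},  # unicast
]

def outgoing_preaggregate(flows, client_net):
    """Pre-aggregator 51: determine (unicast source, multicast destination)
    pairs and aggregate the flow descriptions that match them."""
    agg = defaultdict(int)
    for f in flows:
        src, dst = ip(f["src"]), ip(f["dst"])
        if src in client_net and dst.is_multicast:
            agg[(src, dst)] += f["bytes"]
    groups = {dst for _, dst in agg}  # characteristic sent to aggregator 60
    return groups, dict(agg)

def incoming_preaggregate(flows, groups):
    """Pre-aggregator 50: eliminate flow descriptions lacking a configured
    multicast destination; aggregate the rest, keeping each source address."""
    agg = defaultdict(int)
    for f in flows:
        src, dst = ip(f["src"]), ip(f["dst"])
        if dst in groups:
            agg[(src, dst)] += f["bytes"]
    return dict(agg)

def multicast_members(outgoing, incoming, client_net):
    """Aggregator 60 and application: configure the incoming side with the
    groups found on the outgoing side, then list the sources per group."""
    groups, out_agg = outgoing_preaggregate(outgoing, client_net)
    in_agg = incoming_preaggregate(incoming, groups)
    members = defaultdict(set)
    for src, dst in list(out_agg) + list(in_agg):
        members[dst].add(src)
    return {str(g): [str(a) for a in sorted(m)] for g, m in members.items()}

if __name__ == "__main__":
    print(multicast_members(OUTGOING, INCOMING, CLIENT_NET))
```

The incoming side only ever sees flow descriptions for groups that a client-network source is actually sending to, which is what keeps the volume exported to the aggregator small.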
- the method also works in the case where the nodes implement flow sampling when constituting the flow descriptions. The method then takes this information into account, which may for example be present in the low-level flow descriptions or be known from the configuration of the nodes.
- the method is also applicable to the collection of flow descriptions on other types of client networks such as a virtual private network, a home network, a mobile network. It is particularly well suited for collecting flow descriptions for flows from any network attached to a higher level interconnection network.
- the collection system includes the pre-aggregators 50, 51 and the aggregator 60.
- a portion of the pre-aggregator 51, having a function of aggregating flow descriptions for flows from a client network, hereinafter referred to as the outgoing pre-aggregator, comprises the following modules: a flow description reception module 510, arranged to receive flow descriptions relating to flows coming from the client network; a flow description aggregation module 512, arranged to aggregate received flow descriptions according to an aggregation criterion; a flow description analysis module 511, arranged to analyze flow descriptions relating to flows from the client network to determine at least one flow characteristic specific to the client network; a flow description transmission module 513, arranged to transmit filtered flow descriptions to an aggregator 60 or to a collection module 70; a configuration module 514, arranged to receive configuration information from an aggregator and to transmit to the aggregator the determined flow characteristic.
- a part of the pre-aggregator 50 having a function of aggregating flow descriptions on flows from an interconnection network, hereinafter referred to as an incoming pre-aggregator, comprises the following modules: a configuration module 514, arranged to receive configuration information from an aggregator 60; a flow description receiving module 510, arranged to receive flow descriptions relating to flows from the interconnection network; a flow description filtering module 515, arranged to eliminate, in the stream descriptions received, those relating to flows devoid of said at least one stream characteristic received by the configuration module 514; a flow description transmission module 513, arranged to transmit filtered flow descriptions to an aggregator 60 or to a collection module
- the incoming pre-aggregator 50 further comprises a flow description aggregation module 512, arranged to aggregate received stream descriptions as a function of an aggregation criterion.
- the flow descriptions are transmitted to it by the filtering module 515.
- the aggregator 60 comprises the following modules: a flow description receiving module 600, arranged to receive flow descriptions from incoming pre-aggregators and outgoing pre-aggregators; a configuration module 601, arranged to configure the pre-aggregators and to receive from outgoing pre-aggregators the one or more determined flow characteristics; an aggregation module 602, arranged to aggregate aggregated flow descriptions received from outgoing pre-aggregators and aggregated flow descriptions received from incoming pre-aggregators.
- the collection system includes one or more modules
- the modules, as described, are distributed on different machines, separate nodes 20, 30, 31. Alternatively, it is possible to provide all the necessary modules in the nodes or possibly only the modules provided in the pre-aggregators.
- the outgoing pre-aggregator 51 transmits directly to the incoming pre-aggregator 50 the configuration information and the determined flow characteristic (s).
- the modules 510 to 515 and 600 to 602, which implement the method described above, are preferably software modules comprising software instructions for executing the steps of the method previously described by the server.
- the software modules can be stored in or transmitted by a data carrier.
- This may be a hardware storage medium, for example a CD-ROM, a magnetic diskette or a hard disk, or a transmission medium such as an electrical signal, optical or radio, or a telecommunications network.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| FR0650695 | 2006-02-28 | ||
| PCT/FR2007/050800 WO2007099245A2 (fr) | 2006-02-28 | 2007-02-14 | Method for collecting flow descriptions for flows relating to at least one client network attached to an interconnection network |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| EP1992111A2 (de) | 2008-11-19 |
Family
ID=37119119
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| EP07731625A Withdrawn EP1992111A2 (de) | 2006-02-28 | 2007-02-14 | Method for collecting flow descriptions for flows relating to at least one client network attached to an interconnection network |
Country Status (3)
| Country | Link |
|---|---|
| US (1) | US7908369B2 (de) |
| EP (1) | EP1992111A2 (de) |
| WO (1) | WO2007099245A2 (de) |
2007
- 2007-02-14 WO PCT/FR2007/050800 patent/WO2007099245A2/fr not_active Ceased
- 2007-02-14 EP EP07731625A patent/EP1992111A2/de not_active Withdrawn
- 2007-02-14 US US12/279,625 patent/US7908369B2/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| US7908369B2 (en) | 2011-03-15 |
| WO2007099245A2 (fr) | 2007-09-07 |
| US20090055529A1 (en) | 2009-02-26 |
| WO2007099245A3 (fr) | 2007-10-18 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| | 17P | Request for examination filed | Effective date: 20080905 |
| | AK | Designated contracting states | Kind code of ref document: A2 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
| | 17Q | First examination report despatched | Effective date: 20090529 |
| | GRAP | Despatch of communication of intention to grant a patent | Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
| | DAX | Request for extension of the european patent (deleted) | |
| | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
| | 18D | Application deemed to be withdrawn | Effective date: 20110705 |