JP5545674B2 - Simultaneous flow number variation estimation method and apparatus - Google Patents

Description

  The present invention relates to a method and an apparatus for estimating the number of simultaneous flow fluctuations, and in particular, to a network system that manages a state for each flow, for example, a flow router (see http://anagran.com/) and an IPv4 address exhaustion problem. As a countermeasure, ISP (Internet Service Provider) uses large scale NAT (LSN) (T. Nishitani et al., “Common functions of large scale NAT” installed when configuring a communication network using NAT (Network Address Translation). (LSN), "draftnishitani-cgn-02, IETF, May 2009.) etc. Estimate the number of concurrent flows to estimate the number of concurrent flows required to estimate the size of the required flow table It relates to a method and a device.

  As IP networks are widely used, the usage forms and applications of IP networks are diversified, and the traffic added to the networks is also diversified. On the other hand, traffic has been increasing year by year, and it has become very important to estimate the impact that traffic will have on the network. For example, it has been pointed out that there is an increase in video sharing traffic and traffic due to rich content distribution such as video and TV (see Non-Patent Document 1, for example).

  On the other hand, as described above, in addition to a large amount of traffic per communication, for example, in recent applications, it has been pointed out that one host generates many flows simultaneously (for example, non-patent literature). 2).

  Also, anomalous traffic such as SYN flooding and network scanning can generate a large amount of flows. If traffic with such a large number of flows is added to the network, the impact on large scale NAT (LSN) is expected to increase. Here, LSN is a method considered as a countermeasure against the IPv4 address exhaustion problem. As shown in Fig. 1 (a), an ISP installs an LSN at the boundary between an internal network and an external network, uses a unique address in the internal network, assigns it to an internal host, and accesses the Internet when accessing the Internet. Enables communication with hosts on the Internet by converting the internal address of the internal host into a global IPv4 address.

  For example, a method called NAT444, dual stack (DS) -lite has been proposed (see, for example, Non-Patent Document 3). In NAT444 in FIG. 1 (a), a home end host transmits a packet to customer premise equipment (CPE) -NAT using a private IPv4 address X used in the home. In CPE-NAT, the address X is converted to a unique address Y used in the ISP. As this unique address, for example, a so-called “ISP shared address” (for example, see Non-Patent Document 4) is used. This is a proposal to specify an unassigned IPv4 address as an address that can be shared between ISPs by the Internet assigned numbers authority (IANA). The packet with the unique address Y is transferred to the LSN, where it is converted to a global IPv4 address and then transferred to the Internet.

  In DS-lite in Fig. 1 (b), ISP uses IPv6 internally. As in FIG. 1A, a packet from the end host is transferred to the DS-lite home gateway (HGW) with the private address X, and the packet is transferred to the LSN using the IPv4 over an IPv6 tunnel to the LSN. Then, the LSN converts the address of the packet into a global IPv4 address.

  In any of the above methods, it is necessary to manage the flow state within the LSN. Here, the flow refers to a packet group having the same set of five sets of {srcIP, dstIP, srcPort, dstPort, Protocol}.

An example of flow state management is shown in FIG. In this example, network external host X1 (host on the Internet) 129.1.1.1 and network internal host Y1 (private address: port number = 192.168.0.1:1024) communicate with network external host X2 129.2.2.2 and network internal host Suppose you are communicating with Y2 (192.168.0.1:1025). In the case of normal NAPT, different {global IPv4 address, port number} are assigned to two internal hosts. For example, 192.168.0.1:1024⇔129.0.0.1:1000, 192.168.0.1:1025⇔129.0.0.1:1001, and so on, for two private addresses: ports, 129.0.0.1:1000, 129.0.0.1: Two global IPv4: 1001 ports are assigned.
As described above, in the system that needs to manage the flow state as shown in FIG. 2, it is necessary to appropriately design the size of the flow management table. There are reports of Non-Patent Documents 5 to 7 as traffic impact evaluation to LSN. These calculate the average number of generated flows per host and how the distribution is based on the measured data. For example, Non-Patent Document 5 indicates that some hosts generate a large number of flows.

Cisco Visual Networking Index: Forecast and Methodology, 2008-2013, http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns827/white paper c11-481360.pdf S. Miyakawa, "From IPv4 only To v4 / v6 Dual Stack," IETF72 IABTechnical Plenary, Aug. 2008. http://www.nttv6.jp/ miyakawa / IETF72 / IETF-IAB-TECH-PLENARY-NTT-miyakawa. pdf T. Nishitani et al., "Common functions of large scale NAT (LSN)," draftnishitani-cgn-02, IETF, May 2009. Y. Shirasaki et al., "NAT444 with ISP shared address," draft-shirasakinat444-isp-shared-addr-01 (work in progress), March 2009. G. Maier et al., "On dominant characteristics of residential broadband Internet traffic," ACM IMC 2009. http://www.janog.gr.jp/meeting/janog24/program/d2p5.html Tsuji, "Evaluation of user influence by introducing NAT into ISP," IEICE Journal, Vol. 93, No. 6, pp. 473-478, June 2010.

  However, in the above non-patent documents 5 to 7, a report on the distribution of the number of flows generated per host, or an analysis of how many flows are generated per host on average when all hosts are multiplexed. Just doing. On the other hand, to design the size of the flow management table, when multiple hosts are multiplexed, grasp the amount of change in the number of entries in the flow table (number of simultaneous flows), that is, how the distribution will be. There is a need. For example, even if the average number of simultaneous flows when the hosts are multiplexed is 100, the required flow table size differs greatly depending on whether the distribution is 100 or 10000. When the variance is 100, the standard deviation is 10 which is the square root. For example, if the table of average +3 x standard deviation = 130 entries is prepared in consideration of the fluctuation of the number of concurrent flows, the number of concurrent flows is normally distributed. , The entry success rate can be 99.87%. On the other hand, if the variance is 10000, it is necessary to prepare an average + 3 × standard deviation = 400 entries in order to achieve the same success rate. As described above, there is a problem that it is necessary to correctly estimate the fluctuation amount (dispersion) of the number of simultaneous flows.

  In view of the above-described problems, an object of the present invention is to use a statistic that can be measured in a network to determine the size of a flow table required in a network device that manages a flow state. It is an object to provide a simultaneous flow number fluctuation amount estimation method and apparatus for estimating the number fluctuation amount (variance).

In the first method of the present invention,
In order to estimate the number of flow entries required in a network device that manages the state of each flow by defining a packet group that uses the same five sets of {srcIP, dstIP, srcPort, dstPort, Protocol} as a flow,
Information on the flow i passing through the network is collected for a predetermined measurement period T and stored in the storage means. Here, the flow i information includes flow key i = {srcIP, dstIP, srcPort, dstPort, Protocol}, start time Tfirst_i and end time Tlast_i of flow i, and flow duration d_i = Tlast_i− calculated from them. Tfirst_i. Here, it is assumed that N flows with d_i> 0 are collected, and the average of the flow durations is avg_d = Σd_i / N. Two flows i and j are selected at random from these collected flows, and Hmin = min (d_i, d_j) is set, and this is performed M times in a predetermined number of times. The value of Hmin in the m-th trial is Hmin (k), and the average is calculated by avg_Hmin = ΣHmin (m) / M.

  Next, using the flow information, statistical information regarding the number of generated flows for each srcIP # x is obtained. Specifically, first, the measurement period T is divided by a measurement period τ smaller than T (T / τ = L sections are generated), and the number of flows generated from srcIP # x in the kth measurement section Is F (x, k). The average E and the variance V of the number of flows generated from a certain srcIP are calculated using F (x, k).

  Then, the number A of arrival srcIPs per unit time is calculated by A = N / T / E.

  With the above preparation, the variance VarL of the number of simultaneous flows is calculated by the following formula.

VarL = A × (V + E ² -E) × avg_Hmin + A × E × avg_d (1)
In the second method of the present invention, as a method for calculating E and V in the first method, when the set of occurrences srcIP is w_s, x∈w_s and k∈ [1, L] are collected. Of F (x, k), only those satisfying F (k, x)> 0 are extracted. And let LW be the number of F (k, x) extracted,
E = ΣF (k, x) / LW, V = ΣF (k, x) ² / LW-E ²
It is characterized by calculating by.

In the third method of the present invention,
In the first method, while calculating A from the collected flow information, the distribution of the number of concurrent flows when assuming that A at a future time becomes A * determined in advance
VarL = A * × (V + E ² -E) × avg_Hmin + A * × E × avg_d
It is characterized by estimating by.

In the fourth method of the present invention,
When estimating the variance of the number of simultaneous flows by the first or third method, the flow whose destination port number is a specific number (port number often seen in abnormal traffic such as scan) among the flow information used for estimation The variance is estimated after removing.

In the fifth method of the present invention,
In the first method, A is calculated from the collected flow information, whereas the number of users to be collected for flow information is Z, and the number of concurrent flows is assumed when the number of accommodated users is Z ′. The
VarL = A / Z × Z '× (V + E ² -E) × avg_Hmin + A / Z × Z' × E × avg_d
It is characterized by estimating by.

In the sixth method of the present invention,
Using avg_d and avg_Hmin in the first method, α = avg_Hmin / avg_d
Assume that there is flow information collected separately in a measurement period T ′ shorter than the measurement period T in the first method. At this time, statistical information relating to the number of generated flows for each srcIP # x is obtained using the flow information. Specifically, first, the measurement period T ′ is divided by a measurement period τ smaller than T ′ (T ′ / τ = L ′ sections are generated), and from srcIP # x in the kth measurement section Let F (x, k) be the number of generated flows. The average E and the variance V of the number of flows generated from a certain srcIP are calculated using F (x, k). In addition, the number of arrival srcIP per unit time A,
A ＝ N / T '/ E
Calculate according to

  Further, the average avgL ′ of the number of simultaneous flows in the measurement period T ′ is calculated from the collected flow information.

  Based on the above preparation, the variance Var_L of the number of simultaneous flows is estimated by the following equation.

VarL = A × (V + E ² -E) × avgL '/ (A × E) × α + avgL'

  As described above, according to the present invention, the number of simultaneous flows for determining the size of the flow table required in the network device that manages the flow state using the statistics that can be measured in the network. Can be estimated.

It is explanatory drawing of large scale NAT (LSN) used as object in this invention. It is an example of the flow management table in LSN used as object in this invention. 1 is a basic configuration diagram of an IP network to which the present invention is applied. It is a block diagram of the estimation apparatus in the 1st Embodiment of this invention. It is a flowchart of the flow management table management in the 1st Embodiment of this invention. It is the graph which compared the estimation result of the standard deviation when assuming Poisson arrival, and the result of actual measurement. It is a system block diagram applied to the 2nd Embodiment of this invention. It is an actual data analysis result to which the present invention is applied.

  Embodiments of the present invention will be described below with reference to the drawings.

[First embodiment]
FIG. 3 is a basic configuration diagram of an IP network to which the present invention is applied, and shows an example thereof.

  As shown in FIG. 3, the estimation apparatus 10 is used in a form of being inserted into a link between the nodes 1 and 2. Alternatively, in the node (switch or router), the packet may be mirrored to a port, and the estimation device may be installed at the end of the port. Alternatively, the packet may be once captured with the configuration of FIG. 3, and the procedure described in the present embodiment (described below) may be performed by reading the packet from the beginning in post-processing.

  FIG. 4 shows the configuration of the estimation apparatus according to the first embodiment of the present invention.

    The estimation apparatus 10 shown in the figure estimates the variance of the number of simultaneous flows by the first method described above, and further calculates the average and variance of the number of generated flows per host necessary for the estimation by the second method. The apparatus includes a packet analysis unit 11, a flow management unit 12, a flow statistical information collection unit 13, and a simultaneous flow number variance estimation unit 14.

  FIG. 5 shows a flow of the flow management table management operation of the estimation apparatus.

  In FIG. 4, when a packet arrives from the preceding node 1, the packet analysis unit 11 reads out the flow key of the packet = {srcIP # i, dstIP # i, srcPort # i, dstPort # i, Protocol # i} The management unit 12 is notified of the flow key. Thereafter, the packet is transferred to the subsequent node 2 (step 101 in FIG. 5).

  The flow management unit 12 prepares a flow management table (not shown) inside or outside, and in the table, the flow key i = {srcIP # i, dstIP # i, srcPort # i, dstPort # i, Protocol # i }, And the first and last packet arrival times Tfirst_i and Tlast_i are stored. It is checked whether the flow key i = {srcIP # i, dstIP # i, srcPort # i, dstPort # i, Protocol # i} of the packet has already been entered in the flow management table (step 102 in FIG. 5). If it is new, if the packet is TCP and FIN or RST are flagged (step 103 in FIG. 5), nothing is done. If it is not FIN and RST, a new entry is made in the flow management table, and Tfirst_i ← Tnow (current time) and Tlast_i ← Tnow are set (step 104 in FIG. 5).

  If it is determined that the packet has already been issued (step 102 in FIG. 5, Yes), it is checked whether the packet is TCP and a flag is set in FIN or RST (step 105 in FIG. 5). If the flag is set (step 105 in FIG. 5, Yes), Tlast_i ← Tnow is updated, and then the flow information (that is, flow key i, Tfirst_i, Tlast_i) is output to the flow statistics information collection unit. Then, the information is deleted from the flow management table (step 106 in FIG. 5). If the flag is not set (No in step 105 in FIG. 5), the current time Now is compared with Tlast_i + Tout obtained by adding a predetermined timer value Tout to Tlast_i (step 107 in FIG. 5). If Ton is larger (step 107 in FIG. 5, Yes), Tlast_i in the flow management table is updated to Tlast_i + Tout, and then the flow information (that is, flow key i, Tfirst_i, Tlast_i) is flowed. The data is output to the statistical information collection unit 13 and the information is deleted from the flow management table (step 108 in FIG. 5).

  The flow management unit 12 performs the above during the measurement period T. The flow information remaining in the flow management table at the end of the measurement period is output to the flow statistical information collection unit 13. However, Tlast_i at this time is updated after Tlast_i is updated to Tlast_i + Tout if Tlast_i + Tout <Tnow, otherwise Tlast_i is set to null.

  The flow statistics information collection unit 13 stores the flow information output from the flow management unit 12 in a memory (not shown). Among the flow information, Tlast_i is not null, and Tfirst_i has passed Tout or more from the start of measurement. Only the flows that have been extracted are extracted and output to the simultaneous flow number variance estimation unit 14. The reason is that Tfirst_i is not necessarily the true flow start time because there is a possibility that the communication for which Tout has not elapsed has continued communication before the start of measurement.

The simultaneous flow number variance estimation unit 14 calculates the flow duration d_i = Tlast_i−Tfirst_i from the start time Tfirst_i and the end time Tlast_i of the flow i. Here, it is assumed that N flows with d_i> 0 are collected, and the average of the flow durations is avg_d = Σd_i / N. Two flows i and j are selected at random from these collected flows, and Hmin = min (d_i, d_j) is set, and this is performed M times in a predetermined number of times. The value of Hmin in the m-th trial is Hmin (k), and the average is
avg_Hmin = ΣHmin (m) / M
And is stored in a memory (not shown).

  Next, the flow statistical information collection unit 13 obtains statistical information regarding the number of generated flows for each srcIP # x using the flow information. Specifically, first, the measurement period T is divided by a measurement period τ smaller than T (T / τ = L sections are generated), and the number of flows generated from srcIP # x in the kth measurement section Is F (x, k). The simultaneous flow number variance estimation unit 14 calculates the average E and variance V of the number of flows generated from a certain srcIP using the number of flows F (x, k). Then, the number A of arrival srcIPs per unit time is calculated by A = N / T / E.

  With the above preparation, the concurrent flow number variance estimation unit 14 calculates the variance VarL of the number of concurrent flows by the following equation.

VarL = A × (V + E ² -E) × avg_Hmin + A × E × avg_d (1)
Here, the mathematical formula (1) will be described. For that purpose, the experimental results of FIG. 6 will be described first. This is a previous study by the present inventors (Reference 1: R. Kawahara, T. Mori, T. Yada, "Analysis of impact of traffic on large-scale NAT," IEICE Technical Report, vol. 110, no. 224, IN2010-78, pp. 75-80, Oct. 2010.).

  In the graph of FIG. 6, the line “Poisson” indicates that the flow generation follows a stochastic process often used in traffic theory called the Poisson process, and the standard deviation of the number of simultaneous flows (= square root of variance). It is the result of estimating.

  On the other hand, “data set A” and “data set B” in the figure are values obtained by plotting the average and standard deviation of the number of simultaneous flows using actual measured data of Internet traffic. From this, it can be seen that the line assuming Poisson and the result of the actual measurement value deviate greatly.

  Assuming that the number of arrival flows per unit time is λ and the average flow duration H is E [H], the average E [L] of the number of simultaneous flows L is E [L] = λ × E [H] Given. This is true regardless of whether the flow is generated by Poisson, and is called Little's formula (refer to Reference 2: “Takine, Ito, Nishio, Network Design Theory, Iwanami Lecture”). On the other hand, when flow generation follows Poisson, applying M / G / ∞ in the queuing model, the variance Var [L] of the number of visitors in the system (that is, the number of simultaneous flows) is Var [L] = E [L] Become. That is, the standard deviation is sqrt (E [L]). Therefore, the Poisson line in FIG. 6 is a line of y = sqrt (x).

  As shown in FIG. 6, as one of the reasons why the actually measured value greatly deviates from the theoretical value, it is considered that the flow does not follow the Poisson process and a plurality of flows are generated at the same time. In fact, the aforementioned non-patent document 2 points out that recent applications generate dozens of flows at the same time.

  Therefore, in the present invention, a collective arrival model of flows is considered. Specifically, consider the application of the collective arrival model M [x] / G / ∞. In this case, each host (= srcIP) arrives at Poisson, and a plurality of flows are generated at the same time when the host arrives. At this time, the variance Var [L] of the number of simultaneous flows is calculated by the following equation (Reference 3: J. Keilson and A. Seidmann, “M / G / ∞ with batch arrivals,” Operations Research Letters, Oct. 1988. .)

Var [L] = λE [K (K-1)] E [min (H1, H2)] + E [L] (2)
Here, K is a random variable representing the number of flows generated when a certain host arrives, and H1 and H2 are flow durations.

  In the present invention, E [K (K-1)] and E [min (H1, H2)] in this equation (2) are determined from statistics that can be measured by the network.

Specifically, the duration d_i of the flow i is calculated from the collected flow information, and two flows i and j are randomly selected from these flows, and Hmin = min (d_i, d_j) is set. This is performed a predetermined number of times M. The value of Hmin in the mth trial is Hmin (k), and the average is
avg_Hmin = ΣHmin (m) / M
Calculate according to Then, E [min (H1, H2)] in the above equation (2) is estimated by avg_Hmin.
Next, the measurement period T is divided by a measurement period τ smaller than T (T / τ = L sections are generated), and the number of flows generated from srcIP # x in the kth measurement section is F (x , k) and F (x, k) is used to calculate the average E and variance V of the number of flows generated from a certain srcIP. Then, E [K (K−1)] in Equation (2) is estimated by V + E ² −E using E and V. this is,
E [K (K-1)] = E [K ² ] -E [K] = Var [K] + E [K] ² -E [K]
Because it becomes.

  E [L] in Equation (2) is obtained by multiplying the average A of the number of arriving hosts by the average E of the number of generated flows per host arrival from the Little's formula E [L] = λ × E [H] A × E [L] is estimated by A × E × d_avg using E as an estimated value of the number of arrival flows λ and the average d_avg of duration.

[Second Embodiment]
In the first embodiment, as shown in FIG. 3, the estimation apparatus is configured to be inserted between the nodes 1 and 2, but as shown in FIG. 7, the flow information is output from each router 3 in the network. It is also possible to collect it. The configuration of the estimation device itself is the same as that in FIG. 4 and the processing of the estimation device is substantially the same as in the first embodiment. However, in a general router flow output function, the flow duration d_i = 0 (For example, a flow consisting of only one packet to which the TCP FIN or RST is assigned), it is necessary to target only a flow where d_i> 0.

[Third Embodiment]
The configuration of the estimation apparatus in the present embodiment is the same as that in FIG.

As a method for calculating the average E and variance V in the first embodiment, in the present embodiment, in the simultaneous flow number variance estimation unit 14, when the set of appearance srcIP is w_s, x∈w_s and k∈ [ Of F (x, k) collected for [1, L], only those satisfying F (k, x)> 0 are extracted. And let LW be the number of F (k, x) extracted, and average E and variance V
E = ΣF (k, x) / LW, V = ΣF (k, x) ² / LW-E ²
Calculate according to

[Fourth Embodiment]
The configuration of the estimation apparatus in the present embodiment is the same as that in FIG. 4, but the operation of the simultaneous flow number variance estimation unit 14 is different.

In the first embodiment, A is calculated from the collected flow information. In this embodiment, in the simultaneous flow number variance estimation unit 14, A at a future time is set to A * determined in advance. Assuming that
VarL = A * × (V + E ² -E) × avg_Hmin + A * × E × avg_d
Estimate by

This makes it possible to estimate the amount of change in the number of simultaneous flows with respect to demand A * at a future time. The average number of concurrent flows when demand changes to A * is
A * × E × d_avg
Is calculated by

[Fifth Embodiment]
The configuration of the estimation apparatus in the present embodiment is the same as that in FIG. 4, but the operation of the simultaneous flow variance estimation unit 14 is different from those in the first and fourth embodiments.

  In the method described in the first embodiment and the fourth embodiment, in the concurrent flow number variance estimation unit 14, in this embodiment, when estimating the variance of the number of concurrent flows, flow information used for estimation Among these, a flow whose destination port number is a specific number (a port number often found in abnormal traffic such as scanning) is excluded, and then the variance is estimated.

  As described in Document 1, the traffic from a host that generates a large amount of flows may include abnormal traffic such as scanning. Therefore, it is necessary to design an appropriate flow management table size for the traffic after removing such traffic by providing the LSN with a function of removing such traffic. Therefore, it has been proposed to estimate the amount of change in the number of simultaneous flows after removing scan traffic such as port numbers 135 and 445.

[Sixth embodiment]
The configuration of the estimation apparatus in the present embodiment is the same as that in FIG. 4, but the operation of the simultaneous flow variance estimation unit 14 is different from that in the first embodiment.

In the first embodiment, the number of arriving srcIPs A per unit time is calculated from the collected flow information. In the present embodiment, the concurrent flow number variance estimation unit 14 performs the flow information collection target. If the number of users is Z and the number of accommodated users is Z '
VarL = A / Z × Z '× (V + E ² -E) × avg_Hmin + A / Z × Z' × E × avg_d
Estimate by

  As for the number of users Z, the number of accommodated users in the network to be monitored may be used, or the number of srcIPs that appear may be counted from the collected flow information and used as Z.

[Seventh embodiment]
The configuration of the estimation apparatus in the present embodiment is the same as that in FIG. 4, but the operations of the flow information collection unit 13 and the simultaneous flow number variance estimation unit 14 are different.

Using the average avg_d and avg_Hmin of the flow duration in the first embodiment, α = avg_Hmin / avg_d
Assume that there is flow information collected separately in a measurement period T ′ shorter than the measurement period T in the first embodiment. In this embodiment, at this time, the flow statistical information collection unit 13 uses the flow information to obtain statistical information regarding the number of generated flows for each srcIP # x.

Specifically, first, the measurement period T ′ is divided by a measurement period τ smaller than T ′ (T ′ / τ = L ′ sections are generated), and from srcIP # x in the kth measurement section Let F (x, k) be the number of generated flows. The simultaneous flow number variance estimation unit 14 calculates an average E and a variance V of the number of flows generated from a certain srcIP using F (x, k). In addition, the number of arrival srcIP per unit time A,
A = N / T '/ E
Calculate according to

  Further, the average avgL ′ of the number of simultaneous flows in the measurement period T ′ is calculated using the flow information collected in the flow statistical information collection unit 13 of FIG. The procedure is described.

The data of the measurement period T ′ will be described as data from time 0 to time T ′ for convenience. Suppose that T ′ is divided by the measurement period τ, and for the time point kτ (k = 1 to L ′),
Tfirst_i <kτ <Tlast_i
Count the number of flows i that satisfy, and let it be the number of simultaneous flows L (k) at time kτ,
avgL '= ΣL (k) / L'
And calculate.
Based on the above preparation, the concurrent flow number variance estimation unit 14 estimates the variance Var_L of the concurrent flow number using the following equation.

VarL = A × (V + E ² -E) × avgL '/ (A × E) × α + avgL'
The above method will be supplementarily described. Here, the average avgL ′ of the number of simultaneous flows is directly calculated using the data in the measurement period T ′. On the other hand, assuming that the measurement period length is insufficient for the period T ′ to exhibit variance, the variance is estimated by the above formula. At that time, in the first term on the right side of the above formula, the value of avg_Hmin was used in the first embodiment, but since avg_Hmin is determined depending on the avg_d at that time (average of the flow duration), The current (ie, during period T ′) average flow duration may be different from that measured separately (ie, avg_d). Therefore, in the present embodiment, the average of the current flow duration is estimated from the average avgL ′ of the current number of concurrent flows by using the Little's formula, and avgL ′ / (A × E) is used. The current value of avg_Hmin is estimated by multiplying by α.

  Moreover, it is possible to construct the operation of the components of the estimation apparatus in the first to seventh embodiments as a program, and install and execute it on a computer used as the estimation apparatus.

  In addition, this invention is not limited to said embodiment, A various change and application are possible within a claim.

DESCRIPTION OF SYMBOLS 1 Preliminary node 2 Subsequent node 10 Estimation apparatus 11 Packet analysis unit 12 Flow management unit 13 Flow statistics information collection unit 14 Simultaneous flow number variance estimation unit

Claims (7)

Simultaneous flow to estimate the number of flow entries required in a network device that manages the state of each flow by defining a group of packets with the same flow key {srcIP, dstIP, srcPort, dstPort, Protocol} as a flow group A number variation estimation method,
The flow management means passes through the network, the flow key i = {srcIP, dstIP, srcPort, dstPort, Protocol}, the start time Tfirst_i and the end time Tlast_i of the flow i, and the flow duration d_i = calculated from them A flow collecting step of collecting N pieces of information of the flow i including Tlast_i-Tfirst_i during a predetermined measurement period T and storing the information in a storage unit;
The flow statistics information collecting means obtains an average of flow durations for N flows d_i> 0 collected in the flow collecting step by avg_d = Σd_i / N, and the flow stored in the storage means Two flows i and j are randomly selected from the above, and the process of setting Hmin = min (d_i, d_j) is performed M times a predetermined number of times, and the value of Hmin in the m-th trial is set to Hmin (k) and the average is
avg_Hmin = ΣHmin (m) / M
An average calculation step to calculate according to
The flow statistical information collection means obtains statistical information on the number of generated flows for each srcIP # x using the flow information stored in the storage means, and determines the number of arrival srcIPs A per unit time as A = N Statistical information calculation step obtained by / T / E,
Simultaneous flow number variance estimation means,
Distributed VarL of the number of simultaneous flows,
VarL = A × (V + E ² -E) × avg_Hmin + A × E × avg_d
The simultaneous flow number variance estimation step to calculate,
And
In the statistical information calculation step,
The measurement period T is divided by a measurement period τ smaller than T (T / τ = L sections are generated), and the number of flows generated from srcIP # x in the kth measurement section is expressed as F (x, k), and using the generated flow number F (x, k), an average E and variance V of the number of flows generated from a certain srcIP are calculated. In the statistical information calculation step,
When calculating the average E and the variance V of the number of flows,
When the set of occurrences srcIP is w_s, only those that satisfy F (k, x)> 0 among the number of generated flows F (x, k) for x∈w_s and k∈ [1, L] Extract
The number of F (k, x) extracted is LW, and the average E is
E = ΣF (k, x) / LW, V = ΣF (k, x) ² / LW-E ²
The simultaneous flow number variation estimation method according to claim 1, wherein the calculation is performed by: In the statistical information calculation step,
Distributing the number of simultaneous flows when assuming that the number of arriving srcIPs per unit time in the future A is a predetermined A *
VarL = A * × (V + E ² -E) × avg_Hmin + A * × E × avg_d
The simultaneous flow number variation estimation method according to claim 1, characterized in that: In the simultaneous flow number variance estimation step,
When estimating the variance of the number of simultaneous flows, the flow information used for estimation excludes flows whose destination port number is a specific number (port number often found in abnormal traffic such as scans), and then distributed 4. The simultaneous flow number variation estimation method according to claim 1 or 3, wherein the estimation is performed. In the simultaneous flow number variance estimation step,
Assuming that the number of users to be collected from the flow information is Z, the distribution of the number of simultaneous flows when the number of accommodated users is Z ′,
VarL = A / Z × Z '× (V + E ² -E) × avg_Hmin + A / Z × Z' × E × avg_d
The simultaneous flow number variation estimation method according to claim 1, characterized in that: In the flow information collecting step,
Collecting flow information in a measurement period T ′ shorter than the measurement period T;
In the average calculation step,
Α = avg_Hmin / avg_d is calculated using the average avg_d and avg_Hmin,
In the statistical information calculation step,
Using the flow information, obtain statistical information on the number of generated flows for each srcIP # x,
Calculate the average avgL ′ of the number of simultaneous flows in the measurement period T ′ from the collected flow information,
In the simultaneous flow number variance estimation step,
Disperse Var_L of the number of concurrent flows
VarL = A × (V + E ² -E) × avgL '/ (A × E) × α + avgL'
Estimated by
In the statistical information calculation step,
The measurement period T ′ is divided by a measurement period τ smaller than T ′ (T ′ / τ = L ′ sections are generated), and the number of flows generated from srcIP # x in the kth measurement section is F. (x, k), and using the generated flow number F (x, k), calculate the average E and the variance V of the number of flows generated from a certain srcIP,
The simultaneous flow number fluctuation amount estimation method according to claim 1, wherein the number A of arrival srcIPs per unit time is calculated by A = N / T ′ / E. Simultaneous flow to estimate the number of flow entries required in a network device that manages the state of each flow by defining a group of packets with the same flow key {srcIP, dstIP, srcPort, dstPort, Protocol} as a flow group A number variation estimation device,
Flow key i = {srcIP, dstIP, srcPort, dstPort, Protocol}, including flow i start time Tfirst_i and end time Tlast_i, and flow duration d_i = Tlast_i-Tfirst_i calculated from them Flow management means that collects N pieces of information of the flow i during a predetermined measurement period T and stores them in the storage means;
For the N flows with d_i> 0 collected by the flow management means, an average of flow durations is obtained by avg_d = Σd_i / N, and 2 randomly selected from the flows stored in the storage means. The process of selecting two flows i and j and setting Hmin = min (d_i, d_j) is performed a predetermined number of times M, and the value of Hmin in the mth trial is set to Hmin (k), and the average The
avg_Hmin = ΣHmin (m) / M
An average calculating means for calculating by:
Using the flow information stored in the storage means, obtain statistical information on the number of generated flows for each srcIP # x, and obtain the number of arriving srcIPs per unit time A by A = N / T / E Information gathering means;
Distributed VarL of the number of simultaneous flows,
VarL = A × (V + E ² -E) × avg_Hmin + A × E × avg_d
The simultaneous flow number variance estimating means to calculate,
Have
The statistical information calculation means includes
The measurement period T is divided by a measurement period τ smaller than T (T / τ = L sections are generated), and the number of flows generated from srcIP # x in the kth measurement section is expressed as F (x, k), and includes means for calculating the average E and variance V of the number of flows generated from a certain srcIP using the generated flow number F (x, k), .

Images