Keywords: network monitoring; flow profiling; Denial of Service attack; worm propagation
Denial-of-Service (DoS) attacks have become a major threat to the Internet, and a network anomaly may be the sign of an attack in progress. Network administrators need an efficient, scalable, real-time way to monitor a large, heavily loaded network and detect anomalies; otherwise the network may not be able to operate properly. The data collected for this purpose is often either too coarse to reveal an anomaly or too detailed to be processed in real time. SNMP-based monitoring collects coarse counters that are not enough to detect the problem, while packet-sniffing-based monitoring retains full packet contents and degrades network performance, especially in large networks. A network flow is defined as a unidirectional sequence of packets between a given pair of source and destination network endpoints, and flow information offers a balance between these two approaches. We propose a flow-based network monitoring mechanism that can manage a large network efficiently and in real time. In simulations driven by real network traffic, the proposed solution monitors a large network efficiently and detects Denial of Service (DoS) attacks, port scans, and worm propagation. The results show that it is of significant help to administrators of large networks.
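The abstract describes profiling unidirectional flows to spot DoS attacks, port scans and worm propagation. The following added example (not code from the paper) shows the basic idea with constructed NetFlow-style records: flows are aggregated into per-source and per-destination profiles, and three illustrative heuristics raise alerts. The thresholds and record layout are assumptions for illustration, not values from the paper.

```python
# Added example, not from the paper: flow-profiling heuristics over constructed
# NetFlow-style records. Thresholds are illustrative assumptions.
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, packets)
FLOWS = (
    [("10.0.0.5", "192.0.2.10", p, 1) for p in range(1, 41)]              # one source probing 40 ports
    + [(f"198.51.100.{i}", "192.0.2.20", 80, 3) for i in range(1, 61)]  # 60 sources hitting one service
    + [("10.0.0.9", f"203.0.113.{i}", 445, 2) for i in range(1, 31)]    # one source, 30 hosts, same port
    + [("10.0.0.7", "192.0.2.30", 443, 120)]                            # ordinary long-lived session
)

def profile_flows(flows):
    """Aggregate unidirectional flows into per-source and per-destination profiles.
    In a live monitor this would run over a sliding time window."""
    src_ports = defaultdict(set)                       # src -> distinct destination ports
    src_hosts = defaultdict(lambda: defaultdict(set))  # src -> port -> distinct destination hosts
    dst_srcs = defaultdict(set)                        # dst -> distinct source hosts
    for src, dst, port, _pkts in flows:
        src_ports[src].add(port)
        src_hosts[src][port].add(dst)
        dst_srcs[dst].add(src)
    return src_ports, src_hosts, dst_srcs

def detect_anomalies(flows, scan_ports=20, dos_sources=50, worm_hosts=25):
    """Return sorted (kind, key, count) alerts for the three anomaly types.
    Threshold values are assumed for the example; tune them per network."""
    src_ports, src_hosts, dst_srcs = profile_flows(flows)
    alerts = []
    # Port scan: one source touching many distinct ports
    for src, ports in src_ports.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", src, len(ports)))
    # Worm propagation: one source reaching many hosts on the same service port
    for src, by_port in src_hosts.items():
        for port, hosts in by_port.items():
            if len(hosts) >= worm_hosts:
                alerts.append(("worm_propagation", f"{src}:{port}", len(hosts)))
    # DoS: many distinct sources converging on one destination
    for dst, srcs in dst_srcs.items():
        if len(srcs) >= dos_sources:
            alerts.append(("dos", dst, len(srcs)))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_anomalies(FLOWS):
        print(alert)
```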