An Efficient Approach for Analyzing Multidimensional Network Traffic

Identifying dominant network flows is important for network anomaly detection. Estan et al. proposed an algorithm that effectively detects dominant network flows by constructing multidimensional clusters based on a "natural hierarchy" existing in the five-tuple information of network flows. Wang et al. improved this algorithm by significantly reducing its computational complexity. In practice, however, the algorithm's execution time may be relatively long when handling large volumes of traffic with a low threshold. In this paper, we introduce a practical technique that further improves the time efficiency of Wang et al.'s algorithm. Our approach simplifies network traffic's hierarchical structure by utilizing local IP subnet information. The comparative performance of our approach and Wang et al.'s algorithm is evaluated using real NetFlow data collected at a large campus network. The experimental results demonstrate that our algorithm is much more time efficient than Wang et al.'s algorithm.