Traffic features measurement based on multi-scale aggregation model

Analysis and measurement of traffic features are crucial for effective network management and traffic control. In this paper we proposed several traffic flow models to aggregate traffic packets in multi-scales and entropy to measure the feature distribution hierarchically, and then seek for the important features and appropriate scale for traffic monitoring. DFlow model is a group of packets with identical triples: source address, destination address and destination port, and HFlow the same source and destination addresses. By removing traffic features from the NetFlow model, the aggregation scales are extended. Source and Destination addresses are selected to investigate the traffic characters with different flow models. The experimental results using actual traffic show that the number of flows is reduced when the aggregation scale is extended, and the entropy of normal traffic addresses is stable along with the monitoring time. On the other hand, the entropy of destination address is increased when the aggregation scales extended. Investigations into the traffic show that this is caused by the widely used of HTTP and Point to Point protocols. Analysis of the worm scanning traffic shows that the abnormal behavior patterns are more regularly than normal behavior and traffic features have the same entropy with different flow models. The results also show that the appropriate scale for traffic monitoring is the Dflow model, which reduced the data records by more than 30% while retain the traffic characters.