Real-time measurement of flows classified according to their application

In the management of Internet Protocol networks, the number of flows is an important performance metric because it has useful applications in areas such as port scan detection, denial-of-service detection, and traffic analysis. Real-time counting of flows is particularly important because network operators can take immediate actions against detected network anomalies or performance degradation. This paper presents a method that enables real-time counting of flows classified by application. More useful information for network management can be obtained by counting classified flows. For example, the proposed method is helpful in determining the type of attacks or victim services for attack detection. The algorithm for counting classified flows is developed using the timestamp vector algorithm. This paper first explores a naïve method that has as many timestamp vector mechanisms as the application classes. However, this method is disadvantageous because it consumes very large memory space. To avoid this problem, a new method that considerably decreases memory consumption is proposed. In addition, the paper also investigates a method for improving measurement accuracy. The effectiveness of the proposed method is evaluated for real-world network data.