Finding Heavy Hitters by Packet Count Flow Sampling

Abstract

In many applications, ranging from network congestion monitoring to data mining, it is often desirable to identify from a large data set whose frequency is above a given threshold. This can help us find out the heaviest users, most popular web sites and so on.Our work focus on packet count heavy hitters finding problem , especially suite for Some attacks such as SYN flood and port scans. These kind of anomaly will not occupy much bandwidth, but still can affect the Internet seriously. A major difficulty with detecting heavy hitters on a high-speed monitoring point is that the traffic volume can contain millions of flows. So we present a threshold sampling technique. It can select large ones prior to small ones.Meanwhile, it can control the resources consumed by adjusting the threshold. The main procedures of this method is the source IP address base packet count aggregating and sorting. The experimental results show that heavy hitters from the sample approximate that from the original dataset, proofing that our method are effective.