[go: up one dir, main page]

WO2008153840A2 - Surveillance à bon rendement des contraintes par utilisation de seuils adaptatifs - Google Patents

Surveillance à bon rendement des contraintes par utilisation de seuils adaptatifs Download PDF

Info

Publication number
WO2008153840A2
WO2008153840A2 PCT/US2008/006878 US2008006878W WO2008153840A2 WO 2008153840 A2 WO2008153840 A2 WO 2008153840A2 US 2008006878 W US2008006878 W US 2008006878W WO 2008153840 A2 WO2008153840 A2 WO 2008153840A2
Authority
WO
WIPO (PCT)
Prior art keywords
local
remote site
constraint
network
global
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2008/006878
Other languages
English (en)
Other versions
WO2008153840A3 (fr
Inventor
Srinivas Raghav Kashyap
Rajeev Rastogi
Jeyashankher S R
Pushpraj Shukla
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia of America Corp
Original Assignee
Lucent Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US11/933,790 external-priority patent/US7904692B2/en
Priority claimed from US12/010,942 external-priority patent/US20090077156A1/en
Application filed by Lucent Technologies Inc filed Critical Lucent Technologies Inc
Publication of WO2008153840A2 publication Critical patent/WO2008153840A2/fr
Publication of WO2008153840A3 publication Critical patent/WO2008153840A3/fr
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/16Threshold monitoring
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/142Network analysis or design using statistical or mathematical methods
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/028Capturing of monitoring data by filtering
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0823Errors, e.g. transmission errors
    • H04L43/0829Packet loss
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0852Delays

Definitions

  • network monitoring systems When monitoring emerging large-scale, distributed systems (e.g., peer to peer systems, server clusters, Internet Protocol (IP) networks, sensor networks and the like), network monitoring systems must process large volumes of data in (or near) real-time from a widely distributed set of sources. For example, in a system that monitors a large network for distributed denial of service (DDoS) attacks, data from multiple routers must be processed at a rate of several gigabits per second. In addition, the system must detect attacks immediately after they happen (e.g., with minimal latency) to enable networks operators to take expedient countermeasures to mitigate effects of these attacks.
  • DDoS distributed denial of service
  • FIG. 1 illustrates a conventional distributed monitoring method utilizing what is referred to as a zero-slack scheme.
  • a central coordinator such as a network operations center so assigns local constraint threshold values 7 ⁇ to each remote site si, . . . , s n according to Equation (1) shown below.
  • T 1 T/n, Vi e [1, n] Equation (1)
  • T is a global constraint threshold value for the system and n is the number of nodes or remote sites in the system.
  • the global constraint threshold corresponds to the total number of bytes that passed the service provider network in the past second.
  • variable X j may be the total amount of traffic (e.g., in bytes) entering into a network through an ingress point.
  • the variable x ⁇ may also be an observed number of cars on the highway, an amount of traffic from a monitored network in a day, the volume of remote login (e.g., TELNET, FTP, etc.) requests received by hosts within the organization that originate from the external hosts, packet loss at a given remote site or network node, etc.
  • step S506 when the coordinator so receives the local alarm transmission from site s p the coordinator so calculates an estimate of the global aggregate value according to Equation (2) shown below.
  • each local constraint T 1 represents an estimate of the current value of variable x, at each node other than x 7 , which are known at the central coordinator so- At step S508, the central coordinator so then determines whether Equation (3) is satisfied. , + Y T 1 ⁇ T Equation (3)
  • Equation (3) If Equation (3) is not satisfied, the central coordinator so sends a message requesting current values of the variable x, to each remote site S 1 , . . . , s n at step S510. This transmission of messages is referred to as a "global poll.”
  • each remote site sends an update message including the current value of the variable X 1 .
  • the central coordinator uses these obtained values for variables x / , x ⁇ , ...x n , the central coordinator so determines if the global network constraint threshold T has been violated at step S512.
  • the central coordinator so aggregates the values for variables x ⁇ , X 2 , ...x n and compares the aggregate value with the global constraint threshold. If the aggregate value is greater than the global constraint threshold, then the central coordinator so determines that the global constraint threshold T is violated. If the central coordinator so determines that the global constraint threshold T is violated, the central controller so records violation of the global constraint threshold in a memory at step S514. In one example, the central controller so may generate a log, which includes time, date, and particular values associated with the constraint threshold violation.
  • step S512 if the central coordinator so determines that the global constraint threshold T is not violated, the process terminates and no action is taken.
  • step S508 if the central coordinator so determines that Equation (3) is satisfied, the central coordinator so determines that a global poll is not necessary, the process terminates and no action is taken.
  • a local alarm transmission results in a global poll by the central coordinator so because any violation of a local constraint threshold for any node causes the central coordinator S 0 to estimate that the global constraint threshold T is violated.
  • Using a zero-slack scheme results in relatively high communication costs due to the frequency of local alarms and global polls.
  • Example embodiments provide methods for tracking anomalous behavior in a network referred to as non-zero slack schemes, which may reduce the number of communication messages in the network (e.g., by about 60%) necessary to monitor emerging large-scale, distributed systems using distributed computation algorithms.
  • system behavior e.g., global polls
  • Markov's Inequality uses Markov's Inequality to obtain a simple upper bound that expresses the global poll probability as the sum of independent components, one per remote site involving the local variable plus constraint at the remote site.
  • optimal local constraints e.g., the local constraints that minimize communication costs
  • Non-zero slack schemes may result in lower communication costs.
  • FIG. 1 illustrates a conventional method for distributed monitoring
  • FIG. 2 is a conventional system architecture
  • FIG. 3 is a flow chart illustrating a method for generating and assigning local constraints to remote sites in a system according to an illustrative embodiment
  • FIG. 4 is a flow chart illustrating a method for generating a local constraint using the Markov-based algorithm according to an illustrative embodiment
  • FIG. 5 is a flow chart illustrating a method for generating a local constraint for a remote site using a reactive algorithm according to an illustrative embodiment.
  • Illustrative embodiments are directed to methods for generating and/or assigning local constraints to nodes or remote sites within a network and methods for tracking anomalous behavior using the assigned local constraint thresholds.
  • Anomalous behavior may be used to indicate that action is required by a network operator and/or system operations center.
  • the methods described herein utilize nonzero slack scheme algorithms for determining local constraints that retain some slack in the system.
  • DSPs digital signal processors
  • ASICs application-specific-integrated-circuits
  • FPGAs field programmable gate arrays
  • each remote site is assigned a local constraint (or threshold) ⁇ 5 where T is again the global constraint threshold for the system and n is the number of nodes in the system.
  • the slack SL refers to the difference between the global threshold value and the sum of the remote site threshold
  • the global constraint may be decomposed into a set of local thresholds, ⁇ at each remote site _?,-.
  • local constraint values hereinafter local constraints
  • T local constraint values
  • an "uninteresting" event is a change in value at some remote site that does not cause a global function to exceed a threshold of interest.
  • One embodiment provides a method for assigning local constraints to nodes in a system using a "brute force" algorithm.
  • the method may be performed at the central coordinator so in FIG. 1.
  • FIG. 3 is a flow chart illustrating a method for generating and assigning local constraints to remote sites in a system according to an illustrative embodiment.
  • the communication between the central coordinator so and each remote site s, may be performed concurrently.
  • step S202 the central coordinator so receives histogram updates in an update message.
  • variable x may be the total amount of traffic (e.g., in bytes) entering into a network through an ingress point.
  • variable x may also be an observed number of cars on the highway, an amount of traffic from a monitored network in a day, the volume of remote login (e.g., TELNET, FTP, etc.) requests received by hosts within the organization that originate from the external hosts, packet loss at a given remote site or network node, etc.
  • the volume of remote login e.g., TELNET, FTP, etc.
  • each remote site maintains a histogram of the constantly changing value of its local variable re, observed over time as H ⁇ ( ⁇ ), Vv E [0, T], where Hi( ⁇ ) is the probability of variable x, having a value v.
  • the update messages may be sent and received periodically, wherein the period is referred to as the recompute interval.
  • the central coordinator in response to receiving the update messages from the remote sites, so generates (calculates) local constraints T t for each remote site _?,-.
  • the central coordinator so may generate local constraints 7 ⁇ based on a total system cost C as will be described in more detail below.
  • the coordinator s 0 first calculates a probability P 1 (i) of a local alarm for each individual remote site (hereinafter local alarm probability) according to Equation (4) shown below.
  • Equation (4) Pr(jc, > T) is the probability that the observed value at remote site S 1 is greater than its threshold 7 ⁇ and is independently calculated for a given local constraint T 1 .
  • the local alarm probability P t (i) is entirely independent of the state of the other remote sites.
  • the local alarm probability Pi (i) for each remote site _?,- is independent of values of variable x, at other remote sites in the system.
  • the central coordinator determines a probability P g of a global poll (hereinafter referred to as a global poll probability) in the system according to Equation (5) shown below:
  • the estimated values Y 1 are stored at the coordinator so such that
  • the central coordinator so updates the stored values Y 1 based on values x, reported in local alarms from each remote site.
  • the coordinator so receives updates for values x, at remote site s, via a local alarm message generated by remote site s, once the observed value x, exceeds its local constraint T 1 .
  • the stored values Y 1 at the central coordinator so for each remote site
  • the central coordinator so
  • the global alarm probability P q is dependent on the state of all remote
  • step S204 of FIG. 3 the central coordinator so generates the
  • Equation (6) P / (i) is the local alarm probability at site s t , P g is the global poll probability, C / is the cost of a local alarm transmission message from remote site s » to the coordinator so and C g is the cost of performing a global poll by the central coordinator so.
  • Q is 0(1) and C g is O(n), where 0(1) and OfW ⁇ ) differ by orders of magnitude.
  • 0(1) is a constant independent of the size of system and O(n) is a quantity that grows linearly with the size of the system. For instance, if there are 1000 remote sites in the system, then Q may be a first value (e.g., 10) and C g is another value (e.g., 100).
  • C / As the network increases in size, (e.g., by adding another 9000 nodes), C / remains close to 10, but C g increases much larger than 100. As such, C g grows much faster than C / as network size increases. More specifically, the central coordinator so generates local constraints 7 / for each remote site s, to minimize the total system cost C.
  • the central coordinator so performs a naive exhaustive enumeration of all T n possible sets of local threshold values to generate the local constraints at each remote site that result in minimum total system cost C
  • the local alarm probability Pi (i) at each remote site Si and the global poll probability P 9 value are calculated to determine the total system cost C.
  • this naive enumeration has a running time of O (nT n+2 ).
  • O nT n+2
  • only local threshold values in the range [Ti — ⁇ , T 1 + ⁇ ] for a small constant ⁇ may be considered.
  • the small constant ⁇ may be determined experimentally and assigned, for example, by a network operator at a network operations center.
  • the central coordinator so sends each generated local constraint T 1 to its corresponding remote site s,.
  • Another illustrative embodiment provides a method for generating local constraints using a Markov-based algorithm.
  • This embodiment uses Markov's inequality to approximate the global poll probability P g resulting in a decentralized algorithm, in which each site _?,- may independently determine its own local constraint Ti.
  • Markov's inequality gives an upper bound for the probability that a non-negative function of a random variable is greater than or equal to some positive constant.
  • FIG. 4 is a flow chart illustrating a method for generating a local constraint using the Markov-based algorithm according to an illustrative embodiment. As noted above, the method shown in FIG. 4 may be performed at each individual remote site in the system. Referring to FIG. 4, at step S302, using a Markov's inequality, remote site s, approximates a global poll probability P g according to Equation (7) shown below.
  • Equation (9) the remote site's estimated individual contribution to the total system cost E[Y 1 ] is given by Equation (9) shown below.
  • the remote site s independently determines the local constraint T 1 based on its estimated individual contribution E[YJ to the estimated total system cost C given by Equation (8). More specifically, for example, the remote site s, independently calculates the local constraint T 1 that minimizes its contribution to the estimated total system cost C, thus allowing the remote site s, to calculate its local constraint T 1 independent of the coordinator so.
  • the remote site s may calculate its local constraint T x by performing a linear search in the range 0 to T. Because such a search requires O(T) running time, the running time may be reduced to O ( ⁇ ) by searching for the optimal threshold value in a small range [T 1 - 6, T 1 + S].
  • the linear search performed by the remote site S 1 may be performed at least once during each round or recompute interval. Each time remote site s, recalculates its local constraint T 1 , the remote site s, reports the newly calculated local constraint to the central coordinator S 0 via an update message.
  • each remote site's local constraint may be restricted to a maximum of T/n by the central coordinator so. However, such a restriction may reduce performance in cases where one site's value is very high on average compared to other sites.
  • Another illustrative embodiment provides a method for generating local constraints using what is referred to herein as a "reactive algorithm.”
  • the method for generating local constraints using the reactive algorithm may be performed at each remote site individually or at a central location such as central coordinator SQ.
  • each remote site reports the newly calculated local constraint to the central coordinator in an update message during each recompute interval. If the method according to this illustrative embodiment is performed at the central coordinator so, then the central coordinator so assigns and sends the newly calculated local constraint to each remote site during each recompute interval. As noted above, the central coordinator so and the remote sites may communicate in any well-known manner.
  • the remote site determines its own local constraint 7* based on actual local alarm and global poll events within the system.
  • FIG. 5 is a flow chart illustrating a method for generating a local constraint for a remote site using a reactive algorithm according to an illustrative embodiment.
  • the remote site s t generates an initial local constraint 7 / , for example, using the above described Markov-based algorithm.
  • the remote site s then adjusts the local constraint T 1 based on actual global poll and local alarm events in the system. For example, each time the remote site s, transmits a local alarm, the remote site si determines that the local constraint 7 ⁇ may be lower than an optimal value. In this case, the remote site s, may increase its local constraint T 1 value by a factor a with a probability 1/p, (or 1, if l/p t is greater than 1), where a and p x are parameters of the system greater than 0.
  • Parameter p ⁇ is computed according to Equation (10) discussed in more detail below.
  • the remote site s determines that its local constraint T t may be higher than an optimal value.
  • the remote site s may reduce the threshold value by a factor of a with a probability p ⁇ (or 1, if A is greater than 1).
  • the local constraint at remote site s is not always decreased in response to a global poll, but rather is decreased probabilistically.
  • parameter p ⁇ may be set according to Equation (10) shown below.
  • Equation 10 probability P ⁇ [T° pt ) is the local alarm probability when the
  • Equation (10) can be shown to be a valid value for p, because if each remote
  • the average number of observed local alarms is less than p ⁇ times the average number of observed global
  • the remote site s may utilize the Markov-based method to determine the local constraint T 1 that minimizes the total system cost C and use this value to compute the contribution of the remote site to P q .
  • the remote site S 1 sends its individual estimated contribution E[ ⁇ J of P q to the central coordinator s 0 at least once during or at the end of each recompute interval.
  • the central coordinator so sums (or aggregates) the components of P q received from the remote sites and computes the P q value.
  • the coordinator so sends this value of P q to each remote site, and each remote site uses this received value of P q to compute parameter ⁇ t .
  • Illustrative embodiments use an estimate of P g provided by the central coordinator S 0 to compute p t at each remote site. The remaining portions of information necessary are available locally at each remote site.
  • the above discussed embodiments may be used to generate and/or assign local thresholds to remote sites in the system of FIG. 2, for example. Using these assigned local thresholds, methods for distributed monitoring may be performed more efficiently and system costs may be reduced.
  • the local thresholds determined according to illustrative embodiments may be utilized in the distributed monitoring method discussed above with regard to FIG. 1.
  • illustrative embodiments may be used to monitor the total amount of traffic flowing into a service provider network.
  • the monitoring setup includes acquiring information about ingress traffic of the network. This information may be derived by deploying passive monitors at each link or by collecting flow information (e.g., Netflow records) from the ingress routers (remote sites). Each monitor determines the total amount of traffic (e.g., in bytes) coming into the network through that ingress point. If the total amount of traffic exceeds a local constraint assigned to that ingress point, the monitor generates a local alarm. A network operations center may then perform a global poll of the system, and determine whether the total traffic across the system violates a global threshold, that is, a maximum total traffic through the network.
  • flow information e.g., Netflow records
  • illustrative embodiments discussed herein may be used to detect service quality degradations of VoIP sessions in a network. For example, assume that VoIP requires the end-to-end delay to be within 200 milliseconds and the loss probability to be within 1%. Also, assume a path through the network with n network elements (e.g., routers, switches). To monitor loss probabilities through the network, each network element uses an estimate of its local loss probability, for example, ⁇ ' * e U' n ⁇ and an estimate of the loss probability L of the path through these network elements given by
  • - log(l -/,) is local constraint T 1 and-log(0.99) is global constraint T.
  • the losses may be monitored in a network using distributed constraints monitoring. Delays can be monitored similarly using distributed SUM constraints.
  • illustrative embodiments may be used to raise an alert when the total number of cars on the highway exceeds a given number and report the number of vehicles detected, identify all destinations that receive more than a given amount of traffic from a monitored network in a day, and report their transfer totals, monitor the volume of remote login (e.g., TELNET, FTP, etc.) request received by hosts within the organization that originate from the external hosts, etc.
  • remote login e.g., TELNET, FTP, etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

La présente invention concerne des procédés, ou logiques lâches non nulles, permettant de faire un suivi des comportements anormaux dans un réseau. Ces logiques lâches non nulles produisent des contraintes locales optimales pour chaque site éloigné du réseau, ce qui permet de réduire dans le réseau le nombre de message de communication nécessaires pour surveiller les nouveaux systèmes distribués à grande échelle qui utilisent des algorithmes de calcul distribués.
PCT/US2008/006878 2007-06-08 2008-05-30 Surveillance à bon rendement des contraintes par utilisation de seuils adaptatifs Ceased WO2008153840A2 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US60/933,790 2007-06-08
US11/933,790 US7904692B2 (en) 2007-11-01 2007-11-01 Iommu with translation request management and methods for managing translation requests
US12/010,942 2008-01-31
US12/010,942 US20090077156A1 (en) 2007-09-14 2008-01-31 Efficient constraint monitoring using adaptive thresholds

Publications (2)

Publication Number Publication Date
WO2008153840A2 true WO2008153840A2 (fr) 2008-12-18
WO2008153840A3 WO2008153840A3 (fr) 2009-06-04

Family

ID=40130393

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2008/006878 Ceased WO2008153840A2 (fr) 2007-06-08 2008-05-30 Surveillance à bon rendement des contraintes par utilisation de seuils adaptatifs

Country Status (1)

Country Link
WO (1) WO2008153840A2 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3422664A1 (fr) * 2017-06-30 2019-01-02 Thomson Licensing Procédé de blocage des attaques par déni de service distribué et appareil correspondant

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8402129B2 (en) * 2001-03-21 2013-03-19 Alcatel Lucent Method and apparatus for efficient reactive monitoring

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3422664A1 (fr) * 2017-06-30 2019-01-02 Thomson Licensing Procédé de blocage des attaques par déni de service distribué et appareil correspondant
EP3422659A1 (fr) * 2017-06-30 2019-01-02 Thomson Licensing Procédé de blocage des attaques par déni de service distribué et appareil correspondant
CN109218283A (zh) * 2017-06-30 2019-01-15 汤姆逊许可公司 阻止分布式拒绝服务攻击的方法及对应的设备

Also Published As

Publication number Publication date
WO2008153840A3 (fr) 2009-06-04

Similar Documents

Publication Publication Date Title
Tartakovsky et al. A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods
EP2425592B1 (fr) Contrôle de débit adaptative basé sur des signaux de surcharge
US8588074B2 (en) Data transfer path evaluation using filtering and change detection
US8402129B2 (en) Method and apparatus for efficient reactive monitoring
US7391740B2 (en) Method for quantifying reponsiveness of flow aggregates to packet drops in a communication network
US8917599B2 (en) Systems and methods for controlling data transmission rates
He et al. OpenFlow‐based low‐overhead and high‐accuracy SDN measurement framework
US20090077156A1 (en) Efficient constraint monitoring using adaptive thresholds
Tang et al. FR-RED: Fractal residual based real-time detection of the LDoS attack
US7738377B1 (en) Method and apparatus for volumetric thresholding and alarming on internet protocol traffic
EP1729447A1 (fr) Procédé et système de surveillance permettant l'analyse d'échantillons de données comportant une multiplicité de paquets de donneés
Peng et al. Detecting distributed denial of service attacks by sharing distributed beliefs
Peng et al. Detecting reflector attacks by sharing beliefs
Khalifa et al. An overview and comparison of analytical TCP models
WO2008153840A2 (fr) Surveillance à bon rendement des contraintes par utilisation de seuils adaptatifs
Markovich et al. Statistical analysis and modeling of peer-to-peer multimedia traffic
Al-Kasassbeh Network intrusion detection with wiener filter-based agent
Marupally et al. Bandwidth variability prediction with rolling interval least squares (RILS)
Cai et al. Scaling behavior of an artificial traffic model on scale-free networks
Li et al. Robust EKF-based wireless congestion control
KR101071506B1 (ko) 십 캔슬 플러딩 공격탐지방법 및 그 장치
Cavusoglu et al. Estimation of available bandwidth share by tracking unknown cross-traffic with adaptive extended Kalman filter
Hong et al. An API-RCP design using pole placement technique
Jeong et al. An effective DDoS attack detection and packet-filtering scheme
Kaur et al. DDoS detection with daubechies

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08754813

Country of ref document: EP

Kind code of ref document: A2

122 Ep: pct application non-entry in european phase

Ref document number: 08754813

Country of ref document: EP

Kind code of ref document: A2