A flow measurement architecture to preserve application structure

Myungjin Lee, Mohammad Hajjat, Ramana Rao Kompella, Sanjay G. Rao

Research output: Contribution to journal › Article › peer-review


The Internet has significantly evolved in the number and variety of applications. Network operators need mechanisms to constantly monitor and study these applications. Modern routers employ a passive measurement solution called Sampled NetFlow to collect basic statistics on a per-flow basis (for a small subset of flows), which could provide valuable information for application monitoring. Given that modern applications routinely consist of several flows, potentially to many different destinations, only a few flows are sampled per application session using Sampled NetFlow. To address this issue, in this paper, we introduce related sampling, which allows network operators to give a higher probability to flows that are part of the same application session. Given the lack of application semantics in the middle of the network, our architecture, RelSamp, treats flows that share the same source IP address as related. Our heuristic works well in practice because hosts typically run few applications at any given instant, as observed in a measurement study on real traces. In our evaluation using real traces, we show that RelSamp achieves 5–10× more flows per application session compared to Sampled NetFlow for the same effective number of sampled packets. We also show that behavioral and statistical classification approaches such as BLINC, SVM and C4.5 achieve up to 50% better classification accuracy compared to Sampled NetFlow, while not impairing existing management tasks such as volume estimation too much.
Original language: English
Pages (from-to): 181-195
Number of pages: 15
Journal: Computer Networks
Publication status: Published - 1 Feb 2015

