DCAP: Detecting misbehaving flows via collaborative aggregate policing

Chen N. Chuah, Lakshminarayanan Subramanian, Randy H. Katz

Research output: Chapter in Book/Report/Conference proceedingChapter

Abstract

This paper proposes a detection mechanism called DCAP for a network provider to monitor incoming traffic and identify misbehaving flows without having to keep per-flow accounting at any of its routers. Misbehaving flows refer to flows that exceed their stipulated bandwidth limit. Through collaborative aggregate policing at both ingress and egress nodes, DCAP is able to quickly narrow the search to a candidate group that contains the misbehaving flows, and eventually identify the individual culprits. In comparison to per-flow policing, the amount of state maintained at an edge router is reduced from O(n) to O(√n), where n is the number of admitted flows. Simulation results show that DCAP can successfully detect a majority (64-83%) of the misbehaving flows with almost zero false alarms. Packet losses suffered by innocent flows due to undetected misbehaving activity are insignificant (0.02-0.9%). We also successfully build a prototype that demonstrates how DCAP can be deployed with minimal processing overhead in a soft-QoS architecture.

Original languageEnglish (US)
Title of host publicationComputer Communication Review
Pages5-18
Number of pages14
Volume33
Edition5
DOIs
StatePublished - Oct 2003

Fingerprint

Routers
Packet loss
Quality of service
Bandwidth
Processing

Keywords

  • Flow-level accounting
  • Misbehaving flow detection
  • Traffic policing

ASJC Scopus subject areas

  • Information Systems

Cite this

Chuah, C. N., Subramanian, L., & Katz, R. H. (2003). DCAP: Detecting misbehaving flows via collaborative aggregate policing. In Computer Communication Review (5 ed., Vol. 33, pp. 5-18) https://doi.org/10.1145/963985.963987

DCAP : Detecting misbehaving flows via collaborative aggregate policing. / Chuah, Chen N.; Subramanian, Lakshminarayanan; Katz, Randy H.

Computer Communication Review. Vol. 33 5. ed. 2003. p. 5-18.

Research output: Chapter in Book/Report/Conference proceedingChapter

Chuah, CN, Subramanian, L & Katz, RH 2003, DCAP: Detecting misbehaving flows via collaborative aggregate policing. in Computer Communication Review. 5 edn, vol. 33, pp. 5-18. https://doi.org/10.1145/963985.963987
Chuah CN, Subramanian L, Katz RH. DCAP: Detecting misbehaving flows via collaborative aggregate policing. In Computer Communication Review. 5 ed. Vol. 33. 2003. p. 5-18 https://doi.org/10.1145/963985.963987
Chuah, Chen N. ; Subramanian, Lakshminarayanan ; Katz, Randy H. / DCAP : Detecting misbehaving flows via collaborative aggregate policing. Computer Communication Review. Vol. 33 5. ed. 2003. pp. 5-18
@inbook{b58d27e35d774d79b6ecc14a59d1cb0e,
title = "DCAP: Detecting misbehaving flows via collaborative aggregate policing",
abstract = "This paper proposes a detection mechanism called DCAP for a network provider to monitor incoming traffic and identify misbehaving flows without having to keep per-flow accounting at any of its routers. Misbehaving flows refer to flows that exceed their stipulated bandwidth limit. Through collaborative aggregate policing at both ingress and egress nodes, DCAP is able to quickly narrow the search to a candidate group that contains the misbehaving flows, and eventually identify the individual culprits. In comparison to per-flow policing, the amount of state maintained at an edge router is reduced from O(n) to O(√n), where n is the number of admitted flows. Simulation results show that DCAP can successfully detect a majority (64-83{\%}) of the misbehaving flows with almost zero false alarms. Packet losses suffered by innocent flows due to undetected misbehaving activity are insignificant (0.02-0.9{\%}). We also successfully build a prototype that demonstrates how DCAP can be deployed with minimal processing overhead in a soft-QoS architecture.",
keywords = "Flow-level accounting, Misbehaving flow detection, Traffic policing",
author = "Chuah, {Chen N.} and Lakshminarayanan Subramanian and Katz, {Randy H.}",
year = "2003",
month = "10",
doi = "10.1145/963985.963987",
language = "English (US)",
volume = "33",
pages = "5--18",
booktitle = "Computer Communication Review",
edition = "5",

}

TY - CHAP

T1 - DCAP

T2 - Detecting misbehaving flows via collaborative aggregate policing

AU - Chuah, Chen N.

AU - Subramanian, Lakshminarayanan

AU - Katz, Randy H.

PY - 2003/10

Y1 - 2003/10

N2 - This paper proposes a detection mechanism called DCAP for a network provider to monitor incoming traffic and identify misbehaving flows without having to keep per-flow accounting at any of its routers. Misbehaving flows refer to flows that exceed their stipulated bandwidth limit. Through collaborative aggregate policing at both ingress and egress nodes, DCAP is able to quickly narrow the search to a candidate group that contains the misbehaving flows, and eventually identify the individual culprits. In comparison to per-flow policing, the amount of state maintained at an edge router is reduced from O(n) to O(√n), where n is the number of admitted flows. Simulation results show that DCAP can successfully detect a majority (64-83%) of the misbehaving flows with almost zero false alarms. Packet losses suffered by innocent flows due to undetected misbehaving activity are insignificant (0.02-0.9%). We also successfully build a prototype that demonstrates how DCAP can be deployed with minimal processing overhead in a soft-QoS architecture.

AB - This paper proposes a detection mechanism called DCAP for a network provider to monitor incoming traffic and identify misbehaving flows without having to keep per-flow accounting at any of its routers. Misbehaving flows refer to flows that exceed their stipulated bandwidth limit. Through collaborative aggregate policing at both ingress and egress nodes, DCAP is able to quickly narrow the search to a candidate group that contains the misbehaving flows, and eventually identify the individual culprits. In comparison to per-flow policing, the amount of state maintained at an edge router is reduced from O(n) to O(√n), where n is the number of admitted flows. Simulation results show that DCAP can successfully detect a majority (64-83%) of the misbehaving flows with almost zero false alarms. Packet losses suffered by innocent flows due to undetected misbehaving activity are insignificant (0.02-0.9%). We also successfully build a prototype that demonstrates how DCAP can be deployed with minimal processing overhead in a soft-QoS architecture.

KW - Flow-level accounting

KW - Misbehaving flow detection

KW - Traffic policing

UR - http://www.scopus.com/inward/record.url?scp=33645779745&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33645779745&partnerID=8YFLogxK

U2 - 10.1145/963985.963987

DO - 10.1145/963985.963987

M3 - Chapter

AN - SCOPUS:33645779745

VL - 33

SP - 5

EP - 18

BT - Computer Communication Review

ER -