Traffic matrix (TM) estimation has been extensively studied for decades. Although conventional estimation techniques assume that traffic volumes are unchanged between origins and destinations, packets are often lost on a path due to traffic burstiness, silent failures, etc. Counting every path at every link, we could easily get the traffic volumes with their change, but this approach significantly increases the measurement cost since counters are usually implemented using expensive memory structures like a SRAM. This paper proposes a mathematical model to estimate TMs including volume changes. The method is established on a Boolean fault localization technique; the technique requires fewer counters as it simply determines whether each link is lossy. This paper extends the Boolean technique so as to deal with traffic volumes with error bounds that requires only a few counters. In our method, the estimation errors can be controlled through parameter settings, while the minimum-cost counter placement is determined with submodular optimization. Numerical experiments are conducted with real network datasets to evaluate our method.

Large-scale content transfer, especially video transfer, is now a dominant traffic component in the Internet. Originally, content transfer had a content-oriented feature, i.e., “Users do not care where content is retrieved. Users only take care of what content they obtain.” Conventional traffic engineering (TE) aims to obtain optimal routes for traffic between ingress and egress router pairs, i.e., TE has focused on a location-oriented approach that takes care of where to connect. With increased demand for content-oriented features for content traffic, TE needs to focus on content-oriented routing design. In this study, we therefore propose a novel approach to content-oriented TE, called content aware routing (CAR). In CAR, routes are designed for content and egress router pairs, i.e., content traffic toward a receiver-side router. Content demand can be flexibly distributed to multiple servers (i.e., repositories) providing the same content, meaning that content can be obtained from anywhere. CAR solves the optimization problem of minimizing maximum link utilization. If there are multiple optimal solutions, CAR selects a solution in which resource usage is minimized. Using numerical examples formulated by the linear programming problem, we evaluated CAR by comparing it with combinations of conventional content delivery networks and TE, i.e., location-oriented designs. Our numerical results showed that CAR improved maximum link utilization by up to 15%, with only a 5% increase of network resource usage.

We propose a novel network traffic matrix decomposition method named Stable Principal Component Pursuit with Frequency-Domain Regularization (SPCP-FDR), which improves the Stable Principal Component Pursuit (SPCP) method by using a frequency-domain noise regularization function. An experiment demonstrates the feasibility of this new decomposition method.

This letter proposes a novel method of large-scale IP traffic matrix (TM) estimation, called algebraic reconstruction technique inference (ARTI), which is based on the partial flow measurement and Fratar model. In contrast to previous methods, ARTI can accurately capture the spatio-temporal correlations of TM. Moreover, ARTI is computationally simple since it uses the algebraic reconstruction technique. We use the real data from the Abilene network to validate ARTI. Simulation results show that ARTI can accurately estimate large-scale IP TM and track its dynamics.

This letter proposes a novel method of large-scale IP traffic matrix estimation which is based on Partial Flow Measurement and Fratar Model (PFMFM). Firstly, we model OD flows as Fratar model and introduce the constrained relations between traffic matrix and link loads. By combining partial flow measurement, we can get a good prior value of network tomography. Then a good estimation of traffic matrix is attained with the modified network tomography method. Finally, we use the real data [8] from network Abilene to validate our method. In contrast to TomoGravity [1], the results show that our method improves remarkably and the estimation of traffic matrix is closer to real data, and especially when the flow is small and changes dramatically, the estimation is better.

Distributed denial-of-service attacks on public servers have recently become more serious. The most effective way to prevent this type of traffic is to identify the attack nodes and detach (or block) attack nodes at their egress routers. However, existing traceback mechanisms are currently not widely used for several reasons, such as the necessity of replacement of many routers to support traceback capability, or difficulties in distinguishing between attacks and legitimate traffic. In this paper, we propose a new scheme that enables a traceback from a victim to the attack nodes. More specifically, we identify the egress routers that attack nodes are connecting to by estimating the traffic matrix between arbitral source-destination edge pairs. By monitoring the traffic variations obtained by the traffic matrix, we identify the edge routers that are forwarding the attack traffic, which have a sharp traffic increase to the victim. We also evaluate the effectiveness of our proposed scheme through simulation, and show that our method can identify attack sources accurately.

We survey traffic matrix models, whose elements represent the traffic demand between source-destination pair nodes. Modeling the traffic matrix is useful for multilayer Traffic Engineering (TE) in IP optical networks. Multilayer TE techniques make the network so designed flexible and reliable. This is because it allows reconfiguration of the virtual network topology (VNT), which consists of a set of several lower-layer (optical) paths and is provided to the higher layer, in response to fluctuations (diurnal) in traffic demand. It is, therefore, important to synthetically generate traffic matrices as close to the real ones as possible to maximize the performance of multilayer TE. We compare several models and clarify their applicability to VNT design and control. We find that it is difficult in practice to make an accurate traffic matrix with conventional schemes because of the high cost for data measurement and the complicated calculations involved. To overcome these problems, we newly introduce a simplified traffic matrix model that is practical; it well mirrors real networks. Next, this paper presents our developed server, the IP Optical TE server. It performs multilayer TE in IP optical networks. We evaluate the effectiveness of multilayer TE using our developed IP Optical server and the simplified traffic matrix. We confirm that multilayer TE offers significant CAPEX savings. Similarly, we demonstrate basic traffic control in IP optical networks, and confirm the dynamic control of the network and the feasibility of the IP Optical TE server.

From the introduction of CodeRed and Slammer worms, it has been learned that the early detection of worm epidemics is important in order to reduce the damage resulting from outbreaks. A prominent characteristic of Internet worms is the random selection of subsequent targets. In this paper, we propose a new worm detection mechanism by checking the random distribution of destination addresses in network traffic. The proposed mechanism constructs a matrix from network traffic and checks the rank of the matrix in order to detect the spreading of Internet worms. From the fact that a random binary matrix holds a high rank value, ADUR (Anomaly Detection Using Randomness check) is proposed for detecting unknown worms based on the rank of the matrix. From experiments on various environments, it is demonstrated that the ADUR mechanism effectively detects the spread of new worms in the early stages, even when there is only a single host infected in a monitoring network. Also, we show that ADUR is highly sensitive so that the worm epidemic can be detectable quickly, e.g., three times earlier than the infection of 90% vulnerable hosts.

This paper proposes a new method of estimating real-time traffic matrices that only incurs small errors in estimation. A traffic matrix represents flows of traffic in a network. It is an essential tool for capacity planning and traffic engineering. However, the high costs involved in measurement make it difficult to assemble an accurate traffic matrix. It is therefore important to estimate a traffic matrix using limited information that only incurs small errors. Existing approaches have used IP-related information to reduce the estimation errors and computational complexity. In contrast, our method, called spike flow measurement (SFM) reduces errors and complexity by focusing on spikes. A spike is transient excessive usage of a communications link. Spikes are easily monitored through an SNMP framework. This reduces the measurement costs compared to that of other approaches. SFM identifies spike flows from traffic byte counts by detecting pairs of incoming and outgoing spikes in a network. A matrix is then constructed from collected spike flows as an approximation of the real traffic matrix. Our experimental evaluation reveals that the average error in estimation is 28%, which is sufficiently small for the method to be applied to a wide range of network nodes, including Ethernet switches and IP routers.