ASDIC

Significative Aggregate Flow

Notes about terminology

First, a short note on terminology. Similar concepts of aggregated flows exist in other systems, but every vendor seems to have its own terminology.

  • RFC2724 - "aggregate flow"
  • ARGUS - "aggregate"
  • UCSD AutoFocus - "traffic cluster"
  • Netflow - "high-level aggregated traffic collection"
  • Firewalls - "rules" (basically the same concept)
  • "Traffic pattern"
  • "Collection"

Here we try to be consistent in using the word "aggregate" for short, but "collection" and "traffic pattern" might be used as well.

ASDIC is the only tool that identifies and defines all aggregate flows by itself; with most other tools you have to define them manually. Hence the need for the prefix "significative". If you define an aggregate yourself you naturally make sure it is significant, or you would not define it in the first place. With a system creating the aggregates for you, significative means that all the relevant aggregates, and only those, are defined.

Significative Aggregate Flow

An aggregate flow is a collection of sessions. This is used to group related sessions together.

For example, the three sessions below from Alice (10.0.5.42) to Bob (172.1.1.12):

  • 10.0.5.42:1234 => 172.1.1.12:80
  • 10.0.5.42:1214 => 172.1.1.12:80
  • 10.0.5.42:1354 => 172.1.1.12:80

are normally collected into the following significative aggregates:

  1. 10.0.5.42 => 172.1.1.12:80
  2. => 172.1.1.12:80
  3. 10.0.5.42 => 172.1.1.12

The significative semantics of those aggregates are:

  1. "Alice surfs to Bob"
  2. "Bob is a web server"
  3. "Alice communicates with Bob"

Aggregates without any significance, i.e. those built on random TCP client ports or on unrelated fields, are never created because they do not add any information to the system. Which parts of a session are significant enough to form an aggregate flow is determined by signal/noise separation using statistics and heuristics, not by hard-coded rules.

Aggregates have two primary benefits:

  • They pinpoint the semantics of the traffic flow
  • They don't grow in number as the sessions do

Aggregates can be hierarchical. In this example, aggregate 1 is a sub-aggregate of aggregates 2 and 3; aggregates 2 and 3 are said to be meta aggregates, or "aggregates of aggregates". This becomes more obvious when more sessions are involved and more aggregates are created. With only three sessions, as here, it is not possible to draw any conclusions about aggregates at all; this is just an example.
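The aggregate construction and the sub-/meta-aggregate relation described above, as an added worked example in Python. This is not ASDIC's code and the page does not describe ASDIC's actual statistics; the three filters used here (a minimum session count, a "too many distinct values" test that rejects random client ports as noise, and dropping aggregates that cover exactly the same sessions as a more specific one) are assumptions of this example, as are the host addresses and the constructed session list, which is larger than the page's three sessions so that the filters have something to work on.

```python
"""Toy significative-aggregate builder (added example, not ASDIC's own code).

The signal/noise heuristic and its thresholds are assumptions made for this
illustration; the page does not describe ASDIC's real statistics.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port")


class Session(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Aggregate(NamedTuple):
    fixed: Tuple[Tuple[str, object], ...]   # (field, value) pairs; other fields are wildcards
    sessions: FrozenSet[int]                # indices into the session list


def label(agg: Aggregate) -> str:
    """Render an aggregate in the page's notation, e.g. '10.0.5.42 => 172.1.1.12:80'."""
    f = dict(agg.fixed)
    src = f.get("src_ip", "") + (f":{f['src_port']}" if "src_port" in f else "")
    dst = f.get("dst_ip", "") + (f":{f['dst_port']}" if "dst_port" in f else "")
    return f"{src} => {dst}".strip()


def _project(s: Session, fields: Tuple[str, ...]) -> Tuple:
    return tuple(getattr(s, f) for f in fields)


def build_aggregates(sessions: List[Session], min_sessions: int = 5,
                     max_unique_ratio: float = 0.5) -> List[Aggregate]:
    """Return the significative aggregates of `sessions` (assumed heuristics):
      1. an aggregate must cover at least `min_sessions` sessions;
      2. every fixed field must be signal: within the next-less-specific group
         (that field wildcarded) it may not take more distinct values than
         `max_unique_ratio` * group size, which is what rejects random client ports;
      3. an aggregate covering exactly the same sessions as a strictly more
         specific one adds no information and is dropped.
    """
    subsets = [()] + [c for n in range(1, len(FIELDS) + 1) for c in combinations(FIELDS, n)]
    groups: Dict[Tuple[str, ...], Dict[Tuple, set]] = {}   # fields -> values -> session indices
    for fields in subsets:
        g = defaultdict(set)
        for i, s in enumerate(sessions):
            g[_project(s, fields)].add(i)
        groups[fields] = g

    candidates: List[Aggregate] = []
    for fields in subsets[1:]:
        for values, members in groups[fields].items():
            if len(members) < min_sessions:                       # filter 1
                continue
            noisy = False
            for f in fields:                                      # filter 2
                parent_fields = tuple(x for x in fields if x != f)
                parent_values = tuple(v for x, v in zip(fields, values) if x != f)
                parent = groups[parent_fields][parent_values]
                distinct = {getattr(sessions[i], f) for i in parent}
                if len(distinct) > max_unique_ratio * len(parent):
                    noisy = True
                    break
            if not noisy:
                candidates.append(Aggregate(tuple(zip(fields, values)), frozenset(members)))

    return [a for a in candidates                                  # filter 3
            if not any(len(b.fixed) > len(a.fixed) and set(a.fixed) <= set(b.fixed)
                       and b.sessions == a.sessions for b in candidates)]


def meta_aggregates(agg: Aggregate, aggregates: List[Aggregate]) -> List[Aggregate]:
    """Aggregates of which `agg` is a sub-aggregate: fewer fixed fields, superset of sessions."""
    return [m for m in aggregates
            if len(m.fixed) < len(agg.fixed) and set(m.fixed) <= set(agg.fixed)
            and agg.sessions <= m.sessions]


ALICE, CAROL, BOB, DNS = "10.0.5.42", "10.0.5.77", "172.1.1.12", "172.1.1.53"


def sample_sessions() -> List[Session]:
    """Constructed sample: web and ssh traffic to Bob plus a little DNS, with
    distinct ephemeral client ports so that src_port behaves as noise."""
    plan = [(ALICE, BOB, 80, 20), (CAROL, BOB, 80, 10), (ALICE, BOB, 22, 5), (ALICE, DNS, 53, 3)]
    sessions, port = [], 49152
    for src, dst, dport, count in plan:
        for _ in range(count):
            sessions.append(Session(src, port, dst, dport))
            port += 13
    return sessions


def summarize(sessions: List[Session] = None) -> Dict[str, int]:
    """Map each significative aggregate's label to its session count."""
    sessions = sample_sessions() if sessions is None else sessions
    return {label(a): len(a.sessions) for a in build_aggregates(sessions)}


if __name__ == "__main__":
    aggs = build_aggregates(sample_sessions())
    for a in sorted(aggs, key=lambda x: -len(x.sessions)):
        metas = ", ".join(label(m) for m in meta_aggregates(a, aggs))
        print(f"{label(a):30} {len(a.sessions):3} sessions   meta: {metas or '-'}")
```

On the constructed sample the 38 sessions collapse into seven aggregates, with no aggregate fixing a client port, the three DNS sessions dropped as too few to matter, and "10.0.5.42 => 172.1.1.12:80" reported as a sub-aggregate of "=> 172.1.1.12:80" and "10.0.5.42 => 172.1.1.12" exactly as in the page's example.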

Summary

An aggregate flow can be seen as what a firewall rule would look like if it were written to enclose the traffic in question, but nothing else.

See also: session

Ping Research