Adaptive sampling method for network traffic security monitoring based on queuing theory

Present network monitoring systems need to cope with the ever-increasing amount of traffic in modern high-speed networks. These systems often perform sophisticated deep packet inspection (DPI) for anomaly detection, denial-of-service attacks detection and mitigation, intrusion detection and prevention, etc. Since DPI is resource-intensive, the monitoring devices are often not able to analyze all incoming traffic at link speeds. Consequently, sampling is employed to reduce the traffic volume and thus limit packet losses caused by resource exhaustion. Classical sampling methods select packets based on a fixed limiting parameter, regardless of the computational resource utilization of the monitoring device. This paper proposes a novel sampling approach for network traffic security monitoring that is based on an analytical model of the monitoring device. The model allows for testing adaptive sampling strategies that adjust the instantaneous sampling rate according to the input queue occupancy. The queue occupancy is used to drive the adaptation as it indicates the current relationship between available computational resources and the input traffic volume. Consequently, our approach maximizes the DPI ratio while simultaneously ensuring that the probability of packet loss due to resource exhaustion remains negligible. Analytical and simulation results are presented to demonstrate the impact of the proposed method on system parameters, along with a comparative studies.