Network traffic monitoring based on IP flows is a standard monitoring approach that can be deployed on a wide range of network infrastructures, including large ISP networks that connect millions of users. Since flow records traditionally contain only limited information (addresses, transport ports, and the amount of exchanged data), they are commonly extended with additional features that enable network traffic analysis with high accuracy. Nevertheless, these flow extensions are often too large or too expensive to compute, which limits their deployment to smaller networks. This paper proposes a novel extended IP flow called NetTiSA (Network Time Series Analysed), which is based on the analysis of the time series of packet sizes. By thoroughly testing 25 different network classification tasks, we show the broad applicability and high usability of NetTiSA, which often outperforms the best-performing related works. For practical deployment, we also consider the size of flow records extended with NetTiSA and evaluate the performance impact of computing it in the flow exporter. The novel feature set proved universal and deployable to high-speed ISP networks with 100 Gbps lines; thus, it enables accurate and widespread network security protection.
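The abstract's central engineering point is that an extension built on the time series of packet sizes can be small and cheap enough to compute inside a flow exporter at ISP line rates. The following added example (illustrative code, not the paper's or the authors' implementation) shows the shape of such an exporter-side computation: each flow, keyed by its 5-tuple, keeps O(1) state and folds every packet in with a single streaming update, so the enriched record costs a few counters rather than a buffered packet list. The concrete feature set here (min, max, mean, standard deviation via Welford's algorithm, and the mean absolute difference between successive packet sizes) is an assumption chosen for illustration and is not the NetTiSA feature set defined in the paper; the sample packets are constructed, not captured traffic.

```python
"""Streaming per-flow packet-size statistics, in the spirit of a flow exporter
that enriches the classic 5-tuple/bytes/packets record with time-series
features of packet sizes.

Illustrative only: the feature set below (min, max, mean, std, mean absolute
successive difference) is an assumption for this example, not the NetTiSA
feature set from the paper. Every feature is updated in O(1) time and O(1)
memory per flow, which is the property that keeps such an extension affordable
on a high-speed exporter: no packet list is ever buffered.
"""

from dataclasses import dataclass
from math import sqrt
from typing import Dict, Iterable, Tuple

# Flow key: (src_ip, dst_ip, ip_proto, src_port, dst_port). Unidirectional for
# brevity; a real exporter would normally merge both directions of a connection.
FlowKey = Tuple[str, str, int, int, int]


@dataclass
class FlowStats:
    packets: int = 0
    bytes: int = 0
    min_size: int = 0
    max_size: int = 0
    _mean: float = 0.0      # Welford running mean of packet sizes
    _m2: float = 0.0        # Welford running sum of squared deviations
    _last_size: int = 0     # previous packet size, for successive differences
    _abs_diff_sum: int = 0  # running sum of |size_i - size_{i-1}|

    def update(self, size: int) -> None:
        """Fold one packet of `size` bytes into the running statistics (O(1))."""
        self.packets += 1
        self.bytes += size
        if self.packets == 1:
            self.min_size = self.max_size = size
        else:
            self.min_size = min(self.min_size, size)
            self.max_size = max(self.max_size, size)
            self._abs_diff_sum += abs(size - self._last_size)
        self._last_size = size
        # Welford's single-pass mean/variance update.
        delta = size - self._mean
        self._mean += delta / self.packets
        self._m2 += delta * (size - self._mean)

    def features(self) -> Dict[str, float]:
        """Emit the enriched flow record (population std, rounded for export)."""
        n = self.packets
        std = sqrt(self._m2 / n) if n else 0.0
        masd = self._abs_diff_sum / (n - 1) if n > 1 else 0.0
        return {
            "packets": n,
            "bytes": self.bytes,
            "size_min": self.min_size,
            "size_max": self.max_size,
            "size_mean": round(self._mean, 3),
            "size_std": round(std, 3),
            "size_mean_abs_succ_diff": round(masd, 3),
        }


def extract_flows(packets: Iterable[Tuple[FlowKey, int]]) -> Dict[FlowKey, Dict[str, float]]:
    """Aggregate a packet stream of (flow_key, size) pairs into enriched flow records."""
    flows: Dict[FlowKey, FlowStats] = {}
    for key, size in packets:
        flows.setdefault(key, FlowStats()).update(size)
    return {key: stats.features() for key, stats in flows.items()}


# Constructed sample (hypothetical addresses, not captured traffic): a "bulk"
# flow of constant full-size packets interleaved with a "chatty" flow that
# alternates small requests and medium replies. Same byte volume per packet
# count would look similar in a plain flow record; the size time series tells
# them apart.
BULK_KEY: FlowKey = ("10.0.0.1", "10.0.0.2", 6, 51000, 443)
CHATTY_KEY: FlowKey = ("10.0.0.3", "10.0.0.4", 6, 52000, 443)
SAMPLE_PACKETS = [
    (BULK_KEY, 1500), (CHATTY_KEY, 60),
    (BULK_KEY, 1500), (CHATTY_KEY, 500),
    (BULK_KEY, 1500), (CHATTY_KEY, 60),
    (BULK_KEY, 1500), (CHATTY_KEY, 500),
]


if __name__ == "__main__":
    for key, record in extract_flows(SAMPLE_PACKETS).items():
        print(key, record)
```

The point to take from the example is the cost model, not the specific numbers: the state per flow is a fixed handful of counters regardless of flow length, which is what makes a packet-size time-series extension plausible at 100 Gbps, whereas extensions that require storing per-packet sequences grow with the flow and push memory and export bandwidth beyond what a large exporter can afford.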