Advancing Network Monitoring with Packet-Level Records and Selective Flow Aggregation

Abstract

Due to its superior efficiency, network operators frequently prefer flow monitoring over full packet captures. However, packet-level information is crucial for the timely and reliable detection, investigation, and mitigation of security incidents. Currently, no solution effectively balances these two conflicting approaches, forcing network operators to compromise between efficiency and accuracy. In this paper, we thus propose HybridMon, a hybrid solution that combines condensed packet-level monitoring with selective flow-based aggregation to strike a new balance between efficiency and accuracy. Operating on the data plane of P4-programmable switches, HybridMon enables fine-grained, practical, and flexible network monitoring at Tbps speeds. We validate the effectiveness of HybridMon through extensive evaluations using Internet backbone and university campus traffic traces, demonstrating its reliability and performance in network forensics and intrusion detection contexts. Our results show that HybridMon reliably monitors all flows while reducing the output bandwidth to 12 % to 20 % of that of packet monitoring when exporting standard features.
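To make the trade-off in the abstract concrete, the following added example (not code from the paper or from HybridMon's P4 data plane) models the hybrid idea on a constructed packet stream: every flow is exported as condensed per-packet records for its first few packets, and flows that grow beyond an assumed threshold are then summarised in a single flow record, so no flow is lost while the export volume drops below that of one record per packet. The record sizes, the threshold, and the selection rule are assumptions for illustration only.

```python
# Assumed, illustrative record sizes (not HybridMon's actual formats).
PACKET_RECORD_BYTES = 24   # timestamp, 5-tuple, length, TCP flags
FLOW_RECORD_BYTES = 32     # 5-tuple, counters, first/last seen, flag union

# Constructed packet stream: (ts, src, dst, sport, dport, proto, length, flags).
PACKETS = (
    [(i, "10.0.0.1", "10.0.0.2", 40000, 443, 6, 1400, "S" if i == 0 else "A")
     for i in range(10)]                                            # long flow
    + [(20, "10.0.0.3", "10.0.0.2", 40001, 22, 6, 60, "S"),
       (21, "10.0.0.3", "10.0.0.2", 40001, 22, 6, 60, "R")]         # short flow
    + [(30, "10.0.0.4", "10.0.0.2", 40002, 53, 17, 80, "")]         # single packet
)


def hybrid_monitor(packets, aggregate_after=3):
    """Export a condensed per-packet record for the first `aggregate_after`
    packets of each flow; flows that exceed that count are instead summarised
    in one flow record (assumed selection rule, chosen for illustration)."""
    flows = {}
    packet_records = []
    for ts, src, dst, sport, dport, proto, length, flags in packets:
        key = (src, dst, sport, dport, proto)
        st = flows.setdefault(
            key, {"pkts": 0, "bytes": 0, "first": ts, "last": ts, "flags": set()})
        st["pkts"] += 1
        st["bytes"] += length
        st["last"] = ts
        if flags:
            st["flags"].add(flags)
        if st["pkts"] <= aggregate_after:        # still in the packet-level phase
            packet_records.append((ts, key, length, flags))
    flow_records = {k: s for k, s in flows.items() if s["pkts"] > aggregate_after}
    return packet_records, flow_records


def output_bytes(packet_records, flow_records):
    """Export volume of the hybrid output in bytes."""
    return (len(packet_records) * PACKET_RECORD_BYTES
            + len(flow_records) * FLOW_RECORD_BYTES)


def bandwidth_ratio(packets, aggregate_after=3):
    """Hybrid export volume relative to exporting one record per packet."""
    pr, fr = hybrid_monitor(packets, aggregate_after)
    return output_bytes(pr, fr) / (len(packets) * PACKET_RECORD_BYTES)


def observed_flows(packet_records, flow_records):
    """Flows visible in the output: every flow must appear in at least one set."""
    return {key for _, key, _, _ in packet_records} | set(flow_records)
```

Raising `aggregate_after` preserves more per-packet detail for forensics at the cost of a higher ratio; lowering it approaches pure flow export.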

Publication
Proceedings of the 2025 IEEE/IFIP Network Operations and Management Symposium (NOMS '25)
Authors
Pascal Hein
Dr. rer. nat. Jan Pennekamp (Postdoctoral Researcher)
Benjamin Standaert
Klaus Wehrle (Head of Group)