
Graduate student: Wei-Kai Lin (林暐凱)
Thesis title: Analysis of Packet Sampling Rate on the Number of Flows
Advisor: Yuan-Cheng Lai (賴源正)
Committee members: Chuan-Kai Yang (楊傳凱), Shi-Cho Cha (查士朝)
Degree: Master
Department: College of Management - Department of Information Management
Year of publication: 2015
Academic year of graduation: 103
Language: Chinese
Number of pages: 20
Keywords: flow, packet sampling, intrusion detection system

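Network monitoring is now widely used on networks. Compared with packet-based processing, flow-based processing offers better performance, which has led many researchers to work on flow-based approaches. In a flow monitoring architecture, packets are sampled and aggregated into flows, which are then exported for further analysis. However, the flow information obtained after packet sampling is incomplete, which in turn affects detection accuracy.
This thesis proposes EOF (Estimation Original Flows), a flow count estimation method that uses the number of sampled flows and the packet sampling rate p, based on random sampling under the binomial distribution, to estimate the number of original flows iteratively, so that an intrusion detection system can obtain the correct number of flows. Experiments show that EOF estimates the number of flows accurately: at a packet sampling rate of 0.25, the average estimation error rate is 0.24%. We also analyze the effect of the packet sampling rate on the number of sampled flows. The number of flows after sampling, as a percentage of the number of original flows, is slightly higher than the packet sampling rate, because even when the packet sampling rate is low, flows with many packets still have a high probability of being sampled.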


Network monitoring approaches are widely applied in networks. However, the packet-based approach cannot easily be performed in high-speed networks, so researchers have focused on investigating an alternative, the flow-based approach. In a typical flow monitoring architecture, packets are first sampled and then aggregated into flows for later analysis. However, packet sampling causes inaccuracy in estimating the number of original flows, significantly reducing the accuracy of data analysis.
This thesis proposes the EOF (Estimating Original Flows) algorithm to estimate the number of original flows. We use the number of sampled flows and the packet sampling rate p to iteratively deduce the number of original flows, based on binomial distribution sampling. EOF can accurately estimate the number of original flows, as needed for detecting intrusions. When the sampling rate is 0.25, the average estimation error ratio is 0.24%. We also investigate the influence of the sampling rate on the number of sampled flows. The ratio of sampled flows to original flows is slightly higher than the sampling rate, because flows with many packets still have a high probability of being sampled even under a small sampling rate.

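Abstract (Chinese)
Abstract
Acknowledgements
Table of Contents
List of Figures
List of Tables
1. Introduction
2. Background and Related Work
2.1 Flow Monitoring Architecture
2.2 Metering Process
2.3 Related Work
3. Research Problem
3.1 Parameter Descriptions
3.2 Problem Statement
4. EOF Flow Count Estimation
4.1 EOF Operation
5. Simulation Environment and Results
5.1 Simulation Environment
5.2 Simulation Results
6. Conclusion and Future Work
References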


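Full-text release date: 2020/08/21 (campus network)
Full-text release date: full text not authorized for public release (off-campus network)
Full-text release date: full text not authorized for public release (National Central Library: National Digital Library of Theses and Dissertations in Taiwan)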