
Student: 蔡尚庭 (Shang-Ting Tsai)
Thesis title: 在發生洪水攻擊時保留可疑資料流的快取置換法
Maintaining Suspicious Flows using Cache Replacement under Flooding Attacks
Advisor: 賴源正 (Yuan-Cheng Lai)
Committee members: 羅乃維 (Nai-Wei Lo), 查士朝 (Shi-Cho Cha)
Degree: Master
Department: School of Management - Department of Information Management
Publication year: 2015
Graduation academic year: 103 (ROC calendar)
Language: Chinese
Pages: 27
Chinese keywords: 網路監控, 資料流輸出, 快取置換
English keywords: Network monitoring, flow export, cache replacement

Chinese abstract (translated): Network monitoring is now widely deployed. Compared with packet-based processing, flow-based processing offers better performance, which has drawn many researchers to this area. In a flow monitoring architecture, packets are aggregated into flows and exported to a flow cache for further analysis. Because the flow cache has a limited size, a network attack such as a flooding attack easily causes the cache to overflow, which in turn degrades detection accuracy.
This thesis proposes the SA-MRU (Size Aware-Most Recently Used) and SA-LRU (Size Aware-Least Recently Used) cache replacement policies, which evict the most recently matched flows and the least recently used flows respectively, and give small flows (packet count ≤ 2) higher priority so as to retain the flows that carry the most information for attack detection. In simulation experiments with a data set containing a SYN flooding attack, the retention of these malicious flows was used to compare false positives (FP) and false negatives (FN) against the LRU (Least Recently Used) replacement policy. The results show that SA-MRU and SA-LRU reduce FP by 4%~5% and FN by 1%~2%. The two perform similarly, but SA-LRU achieves a better hit ratio than SA-MRU.


English abstract: Network monitoring approaches have been widely applied to networks and developed throughout the years. However, the packet-based approach cannot easily be performed at high speeds, so researchers started investigating alternative approaches, such as the flow-based approach. Within the typical architecture of flow monitoring, packets are aggregated into flows, which are stored in a flow cache for further analysis. However, the flow cache size is fixed. When network attacks such as flooding attacks occur, the flow cache will easily overflow, so that flow records are not expired consistently, which significantly reduces the accuracy of the subsequent data analysis.
This thesis proposes two flow cache replacement policies, SA-MRU (Size Aware-Most Recently Used) and SA-LRU (Size Aware-Least Recently Used), based on observations of the flow characteristics of many network attacks. They evict the most and the least recently used flow records, respectively, and give small flows (number of packets ≤ 2) higher priority so that the flows most important for intrusion detection are retained. In the simulation, the data set contains background traffic and a SYN flooding DDoS attack. The results show that SA-MRU and SA-LRU achieve 4%~5% lower false positives (FP) and 1%~2% lower false negatives (FN) than Least Recently Used (LRU) cache replacement. SA-MRU and SA-LRU achieve similar performance, but SA-LRU has a higher hit ratio than SA-MRU.
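The abstract names the policies but not their mechanics, so the following is an added illustration written for this page, not code from the thesis. It assumes one plausible reading of "size aware": when the cache is full, a large flow (more than 2 packets) is evicted before any small flow, scanning from the LRU end for SA-LRU and from the MRU end for SA-MRU, and falling back to the plain order only when every resident flow is small. The flow keys, the packet trace, the capacity and all function names are constructed for the example; it shows, on a small trace, how many single-packet flood flows are still resident when the cache is inspected under each policy.

```python
from collections import OrderedDict

SMALL_FLOW_MAX = 2   # thesis threshold: a flow with <= 2 packets is "small"


class FlowCache:
    """Flow cache with LRU, SA-LRU or SA-MRU replacement (assumed semantics).

    Records map a flow key to its packet count; the first entry of the
    OrderedDict is the least recently used flow, the last the most recent.
    """

    def __init__(self, capacity, policy):
        if policy not in ("LRU", "SA-LRU", "SA-MRU"):
            raise ValueError(policy)
        self.capacity = capacity
        self.policy = policy
        self.records = OrderedDict()
        self.lookups = 0
        self.hits = 0
        self.evicted = []          # (flow key, packet count) in eviction order

    def _victim(self):
        keys = list(self.records)               # ordered LRU ... MRU
        if self.policy == "LRU":
            return keys[0]
        if self.policy == "SA-MRU":
            keys.reverse()                      # scan from the MRU end
        # Size-aware step (assumed interpretation): prefer evicting a large
        # flow; only if every resident flow is small use plain LRU/MRU order.
        for key in keys:
            if self.records[key] > SMALL_FLOW_MAX:
                return key
        return keys[0]

    def process_packet(self, key):
        """Account one packet: hit refreshes recency, miss inserts/evicts."""
        self.lookups += 1
        if key in self.records:
            self.hits += 1
            self.records[key] += 1
            self.records.move_to_end(key)
            return
        if len(self.records) >= self.capacity:
            victim = self._victim()
            self.evicted.append((victim, self.records.pop(victim)))
        self.records[key] = 1

    def hit_ratio(self):
        return self.hits / self.lookups if self.lookups else 0.0


def simulate(packets, capacity, policy):
    cache = FlowCache(capacity, policy)
    for key in packets:
        cache.process_packet(key)
    return cache


# Constructed trace (not the thesis data set): legitimate flows A, B, C each
# send three packets, then single-packet SYN flood flows F1..F4 arrive,
# interleaved with one more packet from each legitimate flow.
LEGIT = ["A", "B", "C"]
ATTACK = ["F1", "F2", "F3", "F4"]
TRACE = (["A"] * 3 + ["B"] * 3 + ["C"] * 3
         + ["F1", "A", "F2", "B", "F3", "C", "F4"])


def compare(capacity=5):
    """Return {policy: (attack flows still resident, hit ratio)}."""
    out = {}
    for policy in ("LRU", "SA-LRU", "SA-MRU"):
        cache = simulate(TRACE, capacity, policy)
        retained = [k for k in ATTACK if k in cache.records]
        out[policy] = (retained, round(cache.hit_ratio(), 4))
    return out


if __name__ == "__main__":
    for policy, (retained, ratio) in compare().items():
        print(f"{policy:7s} retained attack flows {retained}  hit ratio {ratio}")
```

On this trace plain LRU has already pushed F1 out of the cache by the time the flood is inspected, while both size-aware variants evict the long-lived legitimate flows instead and keep all four flood flows resident. The trace is far too small to reproduce the thesis's FP/FN or hit-ratio figures; it only makes the eviction preference visible.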

Table of contents:
Abstract (Chinese) III
Abstract IV
Acknowledgements V
Table of Contents VI
List of Figures VII
List of Tables VIII
1. Introduction 1
2. Background and Related Work 4
2.1 Flow monitoring architecture 4
2.2 Metering process 6
2.3 Related work 7
3. Size Aware replacement policies 9
3.1 Problem statement 9
3.2 SA-MRU operation 9
3.3 SA-LRU operation 13
3.4 Parameters 17
4. Simulation environment and results 18
4.1 Simulation environment 18
4.2 Simulation results 19
5. Conclusion and future work 25
References 26


Full text available from 2020/08/20 (campus network)
Full text not authorized for public release (off-campus network)
Full text not authorized for public release (National Central Library: Taiwan NDLTD system)