CPC H04L 43/024 (2013.01) [H04L 43/026 (2013.01); H04L 43/062 (2013.01); H04L 43/0894 (2013.01); H04L 47/2441 (2013.01)]
20 Claims
1. A method comprising:
obtaining, by a processing system including at least one processor, a first sampled flow record for a first flow in a network, wherein the first sampled flow record is one of a plurality of sampled flow records for a plurality of flows in the network, wherein the first flow is one of the plurality of flows, wherein the first sampled flow record comprises information regarding selected packets of the first flow, wherein the plurality of sampled flow records is selected from a set of flow records for a set of flows in the network, and wherein the set of flows includes the plurality of flows;
deriving, by the processing system from the first sampled flow record, a data volume of the first flow and a duration of the first flow;
determining, by the processing system, a first flow metric for the first flow that is calculated from a first difference between the data volume of the first flow and a weighted duration of the first flow, wherein the weighted duration of the first flow comprises a duration of the first flow modified by a weighting factor, wherein the duration of the first flow is from a beginning of the first flow to an end of the first flow, wherein the first flow metric is one of a plurality of flow metrics for the plurality of flows, wherein the plurality of flow metrics is determined from the plurality of sampled flow records; and
classifying, by the processing system, the first flow into one of at least two classes, based upon the first flow metric and at least a first flow metric threshold, wherein a first class of the at least two classes exceeds the at least the first flow metric threshold, and wherein a second class of the at least two classes does not exceed the at least the first flow metric threshold.
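The steps of claim 1, worked through as an added example that is not code from the patent or its assignee. The record field names, the 1-in-N scaling of sampled bytes, the use of first and last sampled-packet timestamps as the flow's beginning and end, and the weighting factor and threshold values are all assumptions chosen for illustration; the sample records are constructed.

```python
from dataclasses import dataclass

# Assumed values for illustration only; the claim fixes neither number.
WEIGHT = 50_000        # weighting factor applied to duration (bytes per second)
THRESHOLD = 1_000_000  # first flow metric threshold (bytes)

@dataclass
class SampledFlowRecord:       # hypothetical record layout
    flow_id: str
    first_seen: float          # time of first sampled packet (s), taken as flow start
    last_seen: float           # time of last sampled packet (s), taken as flow end
    sampled_bytes: int         # bytes in the selected (sampled) packets
    sampling_rate: int         # 1-in-N packet sampling

def derive_volume_and_duration(rec):
    """Derive the flow's data volume and duration from its sampled record."""
    if rec.sampling_rate < 1 or rec.sampled_bytes < 0 or rec.last_seen < rec.first_seen:
        raise ValueError(f"malformed sampled record for flow {rec.flow_id}")
    volume = rec.sampled_bytes * rec.sampling_rate   # assumed 1-in-N scale-up
    duration = rec.last_seen - rec.first_seen
    return volume, duration

def flow_metric(rec, weight=WEIGHT):
    """Metric = data volume minus weighted duration."""
    volume, duration = derive_volume_and_duration(rec)
    return volume - weight * duration

def classify(rec, weight=WEIGHT, threshold=THRESHOLD):
    """First class exceeds the threshold; second class does not (equality included)."""
    return "first_class" if flow_metric(rec, weight) > threshold else "second_class"

def classify_all(records):
    return {rec.flow_id: classify(rec) for rec in records}

# Constructed sample records.
SAMPLE_RECORDS = [
    SampledFlowRecord("burst", 0.0, 10.0, 40_000, 100),      # 4 MB in 10 s
    SampledFlowRecord("long-slow", 0.0, 600.0, 200_000, 100),  # 20 MB in 600 s
    SampledFlowRecord("tiny", 100.0, 100.5, 1_500, 100),     # 150 kB in 0.5 s
    SampledFlowRecord("boundary", 5.0, 5.0, 10_000, 100),    # metric == threshold
]

if __name__ == "__main__":
    for flow_id, label in classify_all(SAMPLE_RECORDS).items():
        print(flow_id, label)
```

Because the metric subtracts the weighted duration, the constructed "long-slow" flow lands in the second class despite carrying five times the volume of "burst".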