Research Article

Efficient Extraction of Network Event Types from NetFlows

Algorithm 7: Heuristic subset search for ports-IPs entropy difference limit.
function SUBSETSEARCH(formula_entropy, Flows)
    portBuckets ← groupBy(Flows, unique(Flows.Ports))
    ipBuckets ← groupBy(Flows, unique(Flows.Ips))
    entropies
    for all flow ∈ Flows do                              ▷ each calculation O(1)
        ED_flow ← entropyDiffAfterRemovalOf(portBuckets, ipBuckets, flow)
    end for
    heapFlows ← heap(Flows, ED)                          ▷ flows sorted w.r.t. ED
    while entropy_portBuckets − entropy_ipBuckets    formula.Diff do
        mFl ← heapFlows.removeMax()
        remove(portBuckets, ipBuckets, mFl)
        entropies ← update(entropies, mFl)               ▷ constant O(1)
        for all flow ∈ ((portBuckets    mFl.port)    (ipBuckets    mFl.ip)) do
            ED_flow ← entropyDiffAfterRemovalOf(portBuckets, ipBuckets, flow)
            heapFlows.heapify(flow, ED_flow)
        end for
    end while
    return flows
end function
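
An added Python sketch of the greedy search in Algorithm 7, not the authors' code. It assumes each flow reduces to a (port, ip) pair and that the loop runs while the port-minus-IP entropy difference is below the limit, and it swaps the in-place heapify for lazy invalidation of stale heap entries; `SAMPLE`, `entropy_diff` and `subset_search` are names chosen here.

```python
import heapq
from collections import Counter, defaultdict
from math import log2

# Constructed sample: one host hit on 8 ports, plus 8 hosts hit on port 443.
SAMPLE = ([(p, "10.0.0.5") for p in range(20, 28)]
          + [(443, f"10.0.1.{k}") for k in range(1, 9)])

def _delta(c):
    """Change in sum(c * log2(c)) when a bucket of size c loses one flow."""
    return (c - 1) * log2(c - 1) - c * log2(c) if c > 1 else 0.0

def entropy_diff(flows):
    """H(ports) - H(ips) in bits, computed directly (reference check)."""
    n = len(flows)
    def h(counts):
        return -sum(c / n * log2(c / n) for c in counts.values())
    return h(Counter(p for p, _ in flows)) - h(Counter(i for _, i in flows))

def subset_search(flows, diff_limit):
    """Drop flows greedily until H(ports) - H(ips) >= diff_limit (assumed direction)."""
    by_port, by_ip = defaultdict(set), defaultdict(set)
    for idx, (p, i) in enumerate(flows):
        by_port[p].add(idx)
        by_ip[i].add(idx)
    n, alive = len(flows), set(range(len(flows)))
    s_p = sum(len(b) * log2(len(b)) for b in by_port.values())
    s_i = sum(len(b) * log2(len(b)) for b in by_ip.values())
    def key(idx):  # orders flows exactly as ED does; O(1) per flow
        p, i = flows[idx]
        return _delta(len(by_ip[i])) - _delta(len(by_port[p]))
    heap = [(-key(idx), idx) for idx in alive]
    heapq.heapify(heap)
    # H(ports) - H(ips) == (s_i - s_p) / n, so both sums update in O(1).
    while n > 1 and heap and (s_i - s_p) / n < diff_limit:
        neg, idx = heapq.heappop(heap)
        if idx not in alive or -neg != key(idx):
            continue  # stale entry: flow already removed or re-ranked
        p, i = flows[idx]
        s_p += _delta(len(by_port[p]))
        s_i += _delta(len(by_ip[i]))
        by_port[p].discard(idx)
        by_ip[i].discard(idx)
        alive.discard(idx)
        n -= 1
        for j in by_port[p] | by_ip[i]:  # only these flows change rank
            heapq.heappush(heap, (-key(j), j))
    return [flows[idx] for idx in sorted(alive)]
```

If the limit cannot be reached, this sketch keeps removing flows until a single flow remains.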