Abstract
In this paper, we propose a novel approach to finding and predicting anomalous network states based on a flow monitoring mechanism. We assume that the number of active flows reflects the real network state. Moreover, the dependence between the number of flows and link utilisation allows us to derive an equation for the confidence interval on highly loaded network links. Experiments have been conducted that confirmed the basic premise of the model and identified anomalous network states. A software package based on this model has been created that allows the prevention of DDoS attacks. For the successful operation of this software, the number of active flows that a single IP address can generate has been analysed.
