基于流记录的主干网活跃IP地址空间检测

掌握IP地址的实际使用情况对于网络管理和网络安全等研究领域有着重要的意义.提出一种以抽样流记录为分析数据源的活跃地址检测算法，其核心思路是将存在双向通信流量作为地址活跃判定条件.算法基于被动测量技术，以流记录为分析数据源使其可以在主干网边界运行.讨论了抽样、伪造地址等问题对算法的影响以及相应的应对策略，用DPI分析检验了算法的准确性和有效性.最后基于NBOS平台，将其部署在CERNET全部38个主节点，完成了全网活跃IP地址空间的检测.

Backbone Active IP Address Space Detection Based on Flow Records

Understanding the utilization of IP addresses is very important for the research of network administrators and network security. This paper proposes a methodology of detecting active IP addresses based on sampled flow records. The core idea of the methodology is that IP addresses with two-way communication traffic are active. The method is based on passive measurements and uses sampled flow records as data source, making it possible to be deployed at the boundary of backbones. Furthermore, the impacts of flows'' sampling and spoofed traffic on the method are discussed. DPI technology is used to validate accuracy and efficiency of the method. Finally, the method is deployed at all 38 nodes of CERNET, detecting active IP address space in the whole CERENT network.