The possibility of using LACP protocol in anomaly detection systems

Abstract

This article presents the use of the Link Aggregation Control Protocol (LACP) for detection of anomalies in network traffic. The idea itself is based on checking the representativeness of a single LACP link for the whole traffic transmitted by the aggregation. This approach allows to reduce the requirements for the performance of threat detection systems, and thus reduce their implementation costs and the gives a possibility of using probes (IDS or IPS) directly in the core of the network. The authors also examine the influence of hashing algorithms used for the particular LACP link on the possibility of using of developed method and on the level of intrusion detection.