DCAP: Detecting misbehaving flows via collaborative aggregate policing

Chen Nee Chuah, Lakshminarayanan Subramanian, Randy H. Katz

Research output: Contribution to journalArticlepeer-review


This paper proposes a detection mechanism called DCAP for a network provider to monitor incoming traffic and identify misbehaving flows without having to keep per-flow accounting at any of its routers. Misbehaving flows refer to flows that exceed their stipulated bandwidth limit. Through collaborative aggregate policing at both ingress and egress nodes, DCAP is able to quickly narrow the search to a candidate group that contains the misbehaving flows, and eventually identify the individual culprits. In comparison to per-flow policing, the amount of state maintained at an edge router is reduced from O(n) to O(√n), where n is the number of admitted flows. Simulation results show that DCAP can successfully detect a majority (64-83%) of the misbehaving flows with almost zero false alarms. Packet losses suffered by innocent flows due to undetected misbehaving activity are insignificant (0.02-0.9%). We also successfully build a prototype that demonstrates how DCAP can be deployed with minimal processing overhead in a soft-QoS architecture.

Original languageEnglish (US)
Pages (from-to)5-18
Number of pages14
JournalComputer Communication Review
Issue number5
StatePublished - Oct 2003


  • Flow-level accounting
  • Misbehaving flow detection
  • Traffic policing

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications


Dive into the research topics of 'DCAP: Detecting misbehaving flows via collaborative aggregate policing'. Together they form a unique fingerprint.

Cite this