Figure 1: Hades: System Architecture
2. Source IP
3. Destination IP
4. Time-to-live (TTL) value
5. Transport layer protocol (TCP/UDP)
6. TCP or UDP payload length (as applicable)
The extracted features are stored in a .csv file at each
data collector. Instead of transferring large .pcap files,
these .csv files are periodically transferred from all data
collectors to the Hadoop Distributed File System (HDFS)
[3]. For data sanitization, all packets that do not contain
a valid IPv4 header (e.g., corrupted packets) are removed.
Presently, Hades does not support IPv6. The present approach
of Hades also disregards all packets corresponding to layers
below the IP layer, such as ARP broadcast messages. The
implications of this choice
will be further discussed in section 4.
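The extraction and sanitization step described above, sketched as an added example (not code from the Hades authors); it covers the five features listed above. The CSV column names, the header-checksum test used as the meaning of "valid IPv4 header", and the sample frames are assumptions constructed for illustration.

```python
import csv, io, socket, struct
FIELDS = ["src_ip", "dst_ip", "ttl", "protocol", "payload_len"]  # assumed column names

def csum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement sum over an even-length header."""
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def extract(frame: bytes):
    """Feature row for one Ethernet frame, or None if it must be discarded."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                      # below-IP traffic (e.g. ARP) or IPv6
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or not ihl <= total <= len(ip):
        return None                      # malformed or truncated IPv4 header
    if csum(ip[:ihl]) != 0xFFFF:
        return None                      # corrupted header (assumed validity test)
    proto, seg = ip[9], ip[ihl:total]    # total length excludes Ethernet padding
    payload = ""                         # left empty when not applicable
    if proto == 6 and len(seg) >= 20 and 20 <= (seg[12] >> 4) * 4 <= len(seg):
        payload = len(seg) - (seg[12] >> 4) * 4   # minus TCP header incl. options
    elif proto == 17 and len(seg) >= 8:
        payload = len(seg) - 8                    # minus fixed UDP header
    name = {6: "TCP", 17: "UDP"}.get(proto, str(proto))
    return [socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[8], name, payload]

def to_csv(frames) -> str:
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(FIELDS)
    w.writerows(r for r in map(extract, frames) if r)   # drop discarded packets
    return out.getvalue()

def frame(proto, ttl, l4, corrupt=False):  # constructed sample: 10.0.0.5 -> 192.0.2.9
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, ttl, proto, 0,
                    socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.9"))
    h = h[:10] + struct.pack("!H", csum(h) ^ 0xFFFF) + h[12:]
    if corrupt:
        h = h[:8] + bytes([h[8] ^ 0xFF]) + h[9:]   # damage TTL after checksumming
    return b"\x02" * 12 + b"\x08\x00" + h + l4

tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x18, 1024, 0, 0) + b"hello world"
udp = struct.pack("!HHHH", 5353, 53, 12, 0) + b"abcd"
arp = b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + bytes(28)   # constructed ARP frame
SAMPLES = [frame(6, 64, tcp), frame(17, 128, udp), arp, frame(6, 64, tcp, corrupt=True)]
print(to_csv(SAMPLES), end="")
```

Only the two well-formed IPv4 frames reach the CSV; the ARP frame and the frame with the damaged header are dropped before any feature is recorded.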