Qun Huang,Patrick P. C. Lee

DOI: https://doi.org/10.1016/j.comnet.2015.08.025

IF: 5.493

2015-01-01

Computer Networks

Abstract:Real-time characterization of network traffic anomalies, such as heavy hitters and heavy changers, is critical for the robustness of operational networks, but its accuracy and scalability are challenged by the ever-increasing volume and diversity of network traffic. We address this problem by leveraging parallelization. We propose LD-Sketch, a data structure designed for accurate and scalable traffic anomaly detection using distributed architectures. LD-Sketch combines the classical counter-based and sketch-based techniques, and performs detection in two phases: local detection, which guarantees zero false negatives, and distributed detection, which reduces false positives by aggregating multiple detection results. We derive the error bounds and the space and time complexity for LD-Sketch. We further analyze the impact of ordering of data items on the memory usage and accuracy of LD-Sketch. We compare LD-Sketch with state-of-the-art sketch-based techniques by conducting experiments on traffic traces from a real-life 3G cellular data network. Our results demonstrate the accuracy and scalability of LD-Sketch over prior approaches.

Aiping Li,Yi Han,Bin Zhou,Weihong Han,Yan Jia

2012-01-01

Applied Mathematics & Information Sciences

Abstract:Monitoring network data streams in real-time to check security event become more and more important along with the rapid growth of Internet applications. The detection typically treats the traffic as a collection of flows that need to be examined for significant changes in traffic pattern (e.g., volume, number of connections). However, as link speeds and the number of flows increase, keeping per-flow state is either too expensive or too slow. We propose building compact summaries of the traffic data using the notion of sketches. In this paper, we proposed an IP address traceability network anomaly detection method at right time based on the summary data structure. In this method, the network traffic information is recorded into sketch online in every circle which is used to detect anomalies. By using EWMA forecasting model to get each circle forecast value, it computes the error sketch between the recoded value and forecast value and detects heavy network traffic change based on Mean-Standard deviation in the error sketch. The method is effective in detecting DDoS attack, scan attack. And it can trace the IP address of victim host. Evaluated by the experiment, the results show that this method takes up little computing and memory resources and is suitable for anomaly detection under the high-speed network traffic.

Balachander Krishnamurthy,Subhabrata Sen,Yin Zhang,Yan Chen

DOI: https://doi.org/10.1145/948205.948236

2003-01-01

Abstract:ABSTRACTTraffic anomalies such as failures and attacks are commonplace in today's network, and identifying them rapidly and accurately is critical for large network operators. The detection typically treats the traffic as a collection of flows that need to be examined for significant changes in traffic pattern (eg, volume, number of connections). However, as link speeds and the number of flows increase, keeping per-flow state is either too expensive or too slow. We propose building compact summaries of the traffic data using the notion of sketches. We have designed a variant of the sketch data structure, k-ary sketch, which uses a constant, small amount of memory, and has constant per-record update and reconstruction cost. Its linearity property enables us to summarize traffic at various levels. We then implement a variety of time series forecast models (ARIMA, Holt-Winters, etc.) on top of such summaries and detect significant changes by looking for flows with large forecast errors. We also present heuristics for automatically configuring the model parameters.Using a large amount of real Internet traffic data from an operational tier-1 ISP, we demonstrate that our sketch-based change detection method is highly accurate, and can be implemented at low computation and memory costs. Our preliminary results are promising and hint at the possibility of using our method as a building block for network anomaly detection and traffic measurement.

Yongquan Fu,Dongsheng Li,Siqi Shen,Yiming Zhang,Kai Chen

DOI: https://doi.org/10.48550/arXiv.1905.03113

2019-05-08

Abstract:Network monitoring is vital in modern clouds and data center networks for traffic engineering, network diagnosis, network intrusion detection, which need diverse traffic statistics ranging from flow size distributions to heavy hitters. To cope with increasing network rates and massive traffic volumes, sketch based approximate measurement has been extensively studied to trade the accuracy for memory and computation cost, which unfortunately, is sensitive to hash collisions. In addition, deploying the sketch involves fine-grained performance control and instrumentation. This paper presents a locality-sensitive sketch (LSS) to be resilient to hash collisions. LSS proactively minimizes the estimation error due to hash collisions with an autoencoder based optimization model, and reduces the estimation variance by keeping similar network flows to the same bucket array. To illustrate the feasibility of the sketch, we develop a disaggregated monitoring application that supports non-intrusive sketching deployment and native network-wide analysis. Testbed shows that the framework adapts to line rates and provides accurate query results. Real-world trace-driven simulations show that LSS remains stable performance under wide ranges of parameters and dramatically outperforms state-of-the-art sketching structures, with over $10^3$ to $10^5$ times reduction in relative errors for per-flow queries as the ratio of the number of buckets to the number of network flows reduces from 10\% to 0.1\%.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing

罗娜,李爱平,吴泉源,陆华彪

DOI: https://doi.org/10.3724/sp.j.1001.2009.03685

2009-01-01

Journal of Software

Abstract:In this paper,an anomaly detection method is proposed based on the summary data structure—sketch.It records the network traffic information in sketch online and detects anomalies at every circle.After using EWMA forecasting model to get each circle's forecast sketch,this paper computes the errors between the recoded sketch and forecast sketch.Then,the network traffic change reference is constructed by establishing the Mean-Standard deviation model on the error sketch.The method is effective in detecting DDOS attack,scan attack and so on.Particularly,it can track the IP address of anomaly.Evaluated by the experiment,this method can detect anomaly in the backbone network with small computing and memory resource.

Feng Wang,Yongning Tang,Lixin Gao,Guang Cheng

DOI: https://doi.org/10.1109/smds49396.2020.00012

2020-01-01

Abstract:As 5G/IoT networks constantly growing and evolving, proliferated network traffic bring an unprecedented challenge to detecting and identifying flow anomalies, such as heavy hitters, heavy changes and superspreaders. Many flow data analytics have been proposed to tackle the problem. Sketch-based approaches are the most commonly used flow analytics service, in which a compressed data structure is used to keep a summary of the original data and estimate traffic statistics such as flow size for all traffic flows. However, those approaches either induce information losses due to sampling or incur computational and space overheads for key recovery. In this paper, we propose a new lightweight traffic analytics service, called BC-sketch, for faster and more accurate detection of heavy keys using very small number of counters. BC-sketch provides reversible sketch using an extensible data structure designed to accommodate different sketch-based solutions. BC-sketch can be efficiently provisioned as a traffic analytics service in resource constrained IoT devices, or integrated to various virtual network environments as a virtual service to detect heavy hitter, superspreader and heavy change. To demonstrate its effectiveness, we use BC-sketch to detect heavy hitters, superspreaders, and heavy changes. Both theoretical analysis and experimental evaluations show that BC-sketch can provide higher precision for identifying those traffic anomalies with low memory and computational overheads.

Xiaojun Cheng,Xuyang Jing,Zheng Yan,Xian Li,Pu Wang,Wei Wu

DOI: https://doi.org/10.1016/j.jnca.2023.103659

IF: 7.574

2023-07-01

Journal of Network and Computer Applications

Abstract:Learning-based sketch improves accuracy and reduces the space overhead of traditional sketches by using machine learning to recognize input data patterns. However, most learning-based sketches adopts offline learning to train a learning model, which shows poor accuracy in measuring dynamic network traffic. To accommodate unpredictable changes in network traffic, it is urgent to study a learning-based sketch that not only supports timely updating recognition rules but also keeps accurate and efficient network traffic measurement. We propose a novel adaptive learning-based sketch (ALSketch) to accurately and efficiently measure dynamic network traffic with online machine learning. ALSketch incrementally constructs a learner to identify hot and cold flows and store them separately. Such a strategy reduces hash conflicts and improves estimated accuracy under limited memory usage. We perform extensive comparative experiments to verify the performance of ALSketch. Experimental results reveal that the average relative error of ALSketch is approximately 1 . 86 ∼ 5 . 25 times lower than that of traditional sketches under the same memory conditions.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Robert T. Schweller,Ashish Gupta,Elliot Parsons,Yan Chen

DOI: https://doi.org/10.1145/1028788.1028814

2004-01-01

Abstract:Traffic anomalies such as failures and attacks are increasing in frequency and severity, and thus identifying them rapidly and accurately is critical for large network operators. The detection typically treats the traffic as a collection of flows and looks for heavy changes in traffic patterns (e.g., volume, number of connections). However, as link speeds and the number of flows increase, keeping per-flow state is not scalable. The recently proposed sketch-based schemes [14] are among the very few that can detect heavy changes and anomalies over massive data streams at network traffic speeds. However, sketches do not preserve the key (e.g., source IP address) of the flows. Hence, even if anomalies are detected, it is difficult to infer the culprit flows, making it a big practical hurdle for online deployment. Meanwhile, the number of keys is too large to record. To address this challenge, we propose efficient reversible hashing algorithms to infer the keys of culprit flows from sketches without storing any explicit key information. No extra memory or memory accesses are needed for recording the streaming data. Meanwhile, the heavy change detection daemon runs in the background with space complexity and computational time sublinear to the key space size. This short paper describes the conceptual framework of the reversible sketches, as well as some initial approaches for implementation. See [23] for the optimized algorithms in details. comment We further apply various emph IP-mangling algorithms and emph bucket classification methods to reduce the false positives and false negatives. Evaluated with netflow traffic traces of a large edge router, we demonstrate that the reverse hashing can quickly infer the keys of culprit flows even for many changes with high accuracy.

Siddharth Bhatia,Mohit Wadhwa,Kenji Kawaguchi,Neil Shah,Philip S. Yu,Bryan Hooi

2023-07-13

Abstract:Given a stream of graph edges from a dynamic graph, how can we assign anomaly scores to edges and subgraphs in an online manner, for the purpose of detecting unusual behavior, using constant time and memory? For example, in intrusion detection, existing work seeks to detect either anomalous edges or anomalous subgraphs, but not both. In this paper, we first extend the count-min sketch data structure to a higher-order sketch. This higher-order sketch has the useful property of preserving the dense subgraph structure (dense subgraphs in the input turn into dense submatrices in the data structure). We then propose 4 online algorithms that utilize this enhanced data structure, which (a) detect both edge and graph anomalies; (b) process each edge and graph in constant memory and constant update time per newly arriving edge, and; (c) outperform state-of-the-art baselines on 4 real-world datasets. Our method is the first streaming approach that incorporates dense subgraph search to detect graph anomalies in constant memory and time.

Data Structures and Algorithms,Artificial Intelligence,Machine Learning

ZHENG Jun,HU Ming-zeng,YUN Xiao-chun,ZHENG Zhong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2006.02.001

2006-01-01

Abstract:The anomaly detection algorithms of the large scale network(LSN) were required to analysis the vast network traffic of G bit level in real-time and on-the-fly.A novel monitoring mechanism of LSN anomaly detection based on the data stream approach was proposed.The main contributions included: the sketch data structure and the frequent sketch algorithm of data streams were designed for anomaly detection of LSN.Optimized query methods were designed for customizing the security monitoring and detection policy with the correlations of multi data streams.The data reduction was proposed to make it possible that the whole network traffic character could be got using a few of special data streams.The experiments of the real networking environments validate the effectivity of LSN anomaly detection methods.

Lu Tang,Qun Huang,Patrick P. C. Lee

DOI: https://doi.org/10.1109/infocom41043.2020.9155541

2020-01-01

Abstract:Superspreaders (i.e., hosts with numerous distinct connections) remain severe threats to production networks. How to accurately detect superspreaders in real-time at scale remains a non-trivial yet challenging issue. We present SpreadSketch, an invertible sketch data structure for network-wide superspreader detection with the theoretical guarantees on memory space, performance, and accuracy. SpreadSketch tracks candidate superspreaders and embeds estimated fan-outs in binary hash strings inside small and static memory space, such that multiple SpreadSketch instances can be merged to provide a network-wide measurement view for recovering superspreaders and their estimated fan-outs. We present formal theoretical analysis on SpreadSketch in terms of space and time complexities as well as error bounds. Trace-driven evaluation shows that SpreadSketch achieves higher accuracy and performance over state-of-the-art sketches. Furthermore, we prototype SpreadSketch in P4 and show its feasible deployment in commodity hardware switches.

Lu Tang,Yao Xiao,Qun Huang,Patrick P. C. Lee

DOI: https://doi.org/10.1109/tnet.2022.3198738

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:Superspreaders (i.e., hosts with numerous distinct connections) remain severe threats to production networks. How to accurately detect superspreaders in real-time at scale remains a non-trivial yet challenging issue. We present SpreadSketch, an invertible sketch data structure for network-wide superspreader detection with the theoretical guarantees on memory space, performance, and accuracy. SpreadSketch tracks candidate superspreaders and embeds estimated fan-outs in binary hash strings inside small and static memory space, such that multiple SpreadSketch instances can be readily merged to provide a network-wide measurement view for recovering superspreaders and their estimated fan-outs. We present formal theoretical analysis on SpreadSketch in terms of space and time complexities as well as error bounds. We further extend SpreadSketch with a fast and small data structure that filters out the packets of high-frequency connections from sketch processing, so as to improve the update performance of SpreadSketch while maintaining the accuracy guarantees. Trace-driven evaluation shows that SpreadSketch achieves higher accuracy and performance over state-of-the-art sketches and remains accurate in detecting real-world worms and DDoS attacks. Furthermore, we prototype SpreadSketch in P4 and show its feasible deployment in commodity hardware switches.

Qun Huang,Patrick P. C. Lee,Yungang Bao

DOI: https://doi.org/10.1145/3230543.3230559

2018-01-01

Abstract:Network measurement is challenged to fulfill stringent resource requirements in the face of massive network traffic. While approximate measurement can trade accuracy for resource savings, it demands intensive manual efforts to configure the right resource-accuracy trade-offs in real deployment. Such user burdens are caused by how existing approximate measurement approaches inherently deal with resource conflicts when tracking massive network traffic with limited resources. In particular, they tightly couple resource configurations with accuracy parameters, so as to provision sufficient resources to bound the measurement errors. We design SketchLearn, a novel sketch-based measurement framework that resolves resource conflicts by learning their statistical properties to eliminate conflicting traffic components. We prototype SketchLearn on OpenVSwitch and P4, and our testbed experiments and stress-test simulation show that SketchLearn accurately and automatically monitors various traffic statistics and effectively supports network-wide measurement with limited resources.

Yating Liu,Yuantao Gu

DOI: https://doi.org/10.1109/dsw.2018.8439923

2018-01-01

Abstract:Network anomaly detection refers to automatically identifying the flows associated with anomalous events, which is the first line of defense against attacks in network security system. This paper proposes a new reliable unsupervised detector Multiple Sketches and Clustering (MSC) combining sketches (random projections) and clustering to blindly identify anomalies without relying on signatures or labeled traffic data. Multiple random projections and voting strategy alleviate the potential misclassification of single analysis and ensure a lower false positive rate. The K-means++ clustering detection detects both known and unknown anomalies accurately and triggers a higher true positive rate without any prior information about traffic data or anomaly patterns. The results on the MAWILAB backbone network dataset reveal that the novel detector outperforms the state-of-the-art detectors.

Robert Schweller,Zhichun Li,Yan Chen,Yan Gao,Ashish Gupta,Yin Zhang,Peter A. Dinda,Ming-Yang Kao,Gokhan Memik

DOI: https://doi.org/10.1109/tnet.2007.896150

2007-01-01

IEEE/ACM Transactions on Networking

Abstract:A key function for network traffic monitoring and analysis is the ability to perform aggregate queries over multiple data streams. Change detection is an important primitive which can be extended to construct many aggregate queries. The recently proposed sketches are among the very few that can detect heavy changes online for high speed links, and thus support various aggregate queries in both temporal and spatial domains. However, it does not preserve the keys (e. g., source IP address) of flows, making it difficult to reconstruct the desired set of anomalous keys. To address this challenge, we propose the reversible sketch data structure along with reverse hashing algorithms to infer the keys of culprit flows. There are two phases. The first operates online, recording the packet stream in a compact representation with negligible extra memory and few extra memory accesses. Our prototype single FPGA board implementation can achieve a throughput of over 16 Gb/s for 40-byte packet streams (the worst case). The second phase identifies heavy changes and their keys from the representation in nearly real time. We evaluate our scheme using traces from large edge routers with OC-12 or higher links. Both the analytical and experimental results show that we are able to achieve online traffic monitoring and accurate change/intrusion detection over massive data streams on high speed links, all in a manner that scales to large key space size. To the best of our knowledge, our system is the first to achieve these properties simultaneously.

Shangsen Li,Lailong Luo,Deke Guo

2020-01-01

Abstract:Network measurement probes the underlying network to support upper-level decisions such as network management, network update, network maintenance, network defense and beyond. Due to the massive, speedy, unpredictable features of network flows, sketches are widely implemented in measurement nodes to record the frequency or estimate the cardinality of flows approximately. At their cores, sketches usually maintain one or multiple counter array(s), and relies on hash functions to select the counter(s) for each flow. Then the space-efficient sketches from the distributed measurement nodes are aggregated to provide statistics of the undergoing flows. Currently, tremendous redesigns and optimizations have been proposed to further improve the sketches for better network measurement performance. However, the existing reviews or surveys mainly focus on one particular aspect of measurement tasks. Researchers and engineers in the network measurement community desire an all-in-one survey which covers the whole processing pipeline of sketch-based network measurement. To this end, we present the first comprehensive survey in this area. We first introduce the preparation of flows for measurement, then detail the most recent investigations of design, aggregation, decoding, application and implementation of sketches for network measurement. To summary the existing efforts, we conduct an in-depth study of the existing literature, covering more than 80 sketch designs and optimization strategies. Furthermore, we conduct a comprehensive analysis and qualitative/quantitative comparison of the sketch designs. Finally, we highlight the open issues for future sketch-based network measurement research.

Tong Yang,Lun Wang,Yulong Shen,Muhammad Shahzad,Qun Huang,Xiaohong Jiang,Kun Tan,Xiaoming Li

DOI: https://doi.org/10.1145/3229543.3229545

2018-01-01

Abstract:Network monitoring and management require accurate statistics of a variety of flow-level metrics, such as flow sizes, top-k flows, and number of flows. Arguably, the most commonly used data structure to record and measure these metrics is the sketch. While a significant amount of work has already been done on sketching techniques, there is still a lot of room for improvement because the accuracy of existing sketches depends a lot on the nature of network traffic and varies significantly as the network traffic characteristics change. In this paper, we propose the idea of employing machine learning to reduce this dependence of the accuracy of sketches on network traffic characteristics and present a generalized machine learning framework that increases the accuracy of sketches significantly. We further present three case studies, where we applied our framework on sketches for measuring three well-known flow-level network metrics. Experimental results show that machine learning helps decrease the error rates of existing sketches by up to 202 times.

Hengrui Wang,Huiping Lin,Zheng Zhong,Tong Yang,Muhammad Shahzad

DOI: https://doi.org/10.1109/tc.2022.3185560

IF: 3.183

2023-01-01

IEEE Transactions on Computers

Abstract:Network monitoring and management require accurate statistics of a variety of flow-level metrics such as flow sizes, top- $k$ flows, and number of flows. Arguably, the current best technique to measure these metrics is sketches. While a significant amount of work has already been done on sketching techniques, there is still a lot of room for improvement because the accuracy of existing sketches varies with changing characteristics of network traffic. In this paper, we propose the idea of using machine learning to improve the accuracy of sketches, and propose a generic machine learning framework to reduce the dependence of accuracy of sketches on network traffic characteristics. We further present three case studies, where we applied our machine learning framework on sketches for measuring three flow-level network metrics, namely flow sizes, top- $k$ flows, and number of flows. We implemented and extensively evaluated this framework for these three metrics using both real-world and synthetic traffic traces. To the best of our knowledge, this is the first work that uses machine learning to reduce the dependence of sketching techniques on the characteristics of network traffic. We have released all our traces and implementation codes at Github.

Shangsen Li,Lailong Luo,Deke Guo

2020-01-01

Abstract: Network measurement probes the underlying network to support upper-level decisions such as network management, network update, network maintenance, network defense and beyond. Due to the massive, speedy, unpredictable features of network flows, sketches are widely implemented in measurement nodes to record the frequency or estimate the cardinality of flows approximately. At their cores, sketches usually maintain one or multiple counter array(s), and relies on hash functions to select the counter(s) for each flow. Then the space-efficient sketches from the distributed measurement nodes are aggregated to provide statistics of the undergoing flows. Currently, tremendous redesigns and optimizations have been proposed to further improve the sketches for better network measurement performance. However, the existing reviews or surveys mainly focus on one particular aspect of measurement tasks. Researchers and engineers in the network measurement community desire an all-in-one survey which covers the whole processing pipeline of sketch-based network measurement. To this end, we present the first comprehensive survey in this area. We first introduce the preparation of flows for measurement, then detail the most recent investigations of design, aggregation, decoding, application and implementation of sketches for network measurement. To summary the existing efforts, we conduct an in-depth study of the existing literature, covering more than 80 sketch designs and optimization strategies. Furthermore, we conduct a comprehensive analysis and qualitative/quantitative comparison of the sketch designs. Finally, we highlight the open issues for future sketch-based network measurement research.

Shangsen Li,Lailong Luo,Deke Guo,Qianzhen Zhang,Pengtao Fu

DOI: https://doi.org/10.48550/arXiv.2012.07214

2020-12-14

Data Structures and Algorithms

Abstract:Network measurement probes the underlying network to support upper-level decisions such as network management, network update, network maintenance, network defense and beyond. Due to the massive, speedy, unpredictable features of network flows, sketches are widely implemented in measurement nodes to approximately record the frequency or estimate the cardinality of flows. At their cores, sketches usually maintain one or multiple counter array(s), and rely on hash functions to select the counter(s) for each flow. Then the space-efficient sketches from the distributed measurement nodes are aggregated to provide statistics of the undergoing flows. Currently, tremendous redesigns and optimizations have been proposed to improve the sketches for better network measurement performance. However, existing reviews or surveys mainly focus on one particular aspect of measurement tasks. Researchers and engineers in the network measurement community desire an all-in-one survey that covers the entire processing pipeline of sketch-based network measurement. To this end, we present the first comprehensive survey of this area. We first introduce the preparation of flows for measurement, then detail the most recent investigations of design, aggregation, decoding, application and implementation of sketches for network measurement. To summarize the existing efforts, we carry out an in-depth study of the existing literature, covering more than 90 sketch designs and optimization strategies. Furthermore, we conduct a comprehensive analysis and qualitative/quantitative comparison of the sketch designs. Finally,we highlight the open issues for future sketch-based network measurement research.