He Huang,Yu-E Sun,Chaoyi Ma,Shigang Chen,Yang Du,Haibo Wang,Qingjun Xiao

DOI: https://doi.org/10.1109/tnet.2021.3078725

2021-01-01

IEEE/ACM Transactions on Networking

Abstract:Per-flow spread measurement in high-speed networks has many practical applications. It is a more difficult problem than the traditional per-flow size measurement. Most prior work is based on sketches, focusing on reducing their space requirements in order to fit in on-chip cache memory. This design allows measurement to be performed at the line rate, but it has to accept tradeoff with expensive computation for spread queries (unsuitable for online operations) and large errors in spread estimation for small flows. This paper complements the prior art with a new spread estimator design based on an on-chip/off-chip model which is common in practice. The new estimator supports online queries in real time and produces spread estimation with much better accuracy. By storing traffic data in off-chip memory, our new design faces a key technical challenge of efficient non-duplicate sampling. We propose a two-stage solution with on-chip/off-chip data structures and algorithms, which are not only efficient but also highly configurable for a variety of probabilistic performance guarantees. The experiment results based on real Internet traffic traces show that our estimator reduces the mean relative and absolute error by around one order of magnitude, and achieves both space-efficiency and accuracy-efficiency in flow classification for small flows compared to the prior art.

He Huang,Yu-E Sun,Chaoyi Ma,Shigang Chen,You Zhou,Wenjian Yang,Shaojie Tang,Hongli Xu,Yan Qiao

DOI: https://doi.org/10.1109/tnet.2020.2982003

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:Traffic measurement in high-speed networks has many important functions in improving network performance, assisting resource allocation, and detecting anomalies. In this paper, we study a generalized problem called k-persistent spread estimation, which measures the volume of persist traffic elements in each flow that appear during at least k out of t measurement periods, where k and t are two positive integers that can be arbitrarily set in user queries, with k ≤ t. Solutions to this problem have interesting applications in network attack detection, popular content identification, user access profiling, etc. There is very limited prior art for this problem, only addressing the special case of k = t under a flawed assumption. Removing this assumption, we propose an efficient and accurate estimator for generalized k-persistent traffic measurement, with k ≤ t. Our method relies on bitwise SUM, instead of bitwise AND in the prior art, to combine the information collected from different periods. This change has fundamental impact on the probabilistic analysis that derives the estimator, particular over space-saving virtual bitmaps. Based on real network traces, we demonstrate experimentally the effectiveness of our new method in estimating the k-persistent spreads of all network flows. Our estimator performs much better than the prior art on its case of k = t. We also incorporate a sampling module to the estimator for improved flexibility, and give a use study on how to detect and find DDoS attackers using the proposed estimator.

He Huang,Yu-e Sun,Shigang Chen,Shaojie Tang,Kai Han,Jing Yuan,Wenjian Yang

DOI: https://doi.org/10.1109/INFOCOM.2018.8485998

2018-01-01

Abstract:Traffic measurement in high-speed networks has many applications in improving network performance, assisting resource allocation, and detecting anomalies. In this paper, we study a new problem called k-persistent spread estimation, which measures persist traffic elements in each flow that appear during at least k out of t measurement periods, where k and t can be arbitrarily defined in user queries. Solutions to this problem have interesting applications in network attack detection, popular content identification, user access profiling, etc. Yet, it is under-investigated as the prior work only addresses a special case with a questionable assumption. Designing an efficient and accurate k -persistent estimator requires us to use bitwise SUM (instead of bitwise AND typical in the prior art) to join the information collected from different periods. This seemly simple change has fundamental impact on the mathematical process in deriving an estimator, particular over space-saving virtual bitmaps. Based on real network traces, we show that our new estimator can accurately estimate the k -persistent spreads of the flows. It also performs much better than the existing work on the special case of measuring elements that appear in all periods.

Boyu Zhang,Yang Du,He Huang,Yu-E Sun,Guoju Gao,Xiaoyu Wang,Shiping Chen

DOI: https://doi.org/10.1007/978-3-030-95384-3_46

2022-01-01

Abstract:Per-flow spread measurement in high-speed networks, which aims to estimate the number of distinct elements of each flow, plays an important role in many practical applications. Most existing solutions adopt compact data structures (i.e., sketches) to share memory units among flows so that they can fit in limited on-chip memory, resulting in low estimation accuracy for small flows. Unlike sketch-based solutions, non-duplicate sampling measures per-flow spreads by sampling each distinct element with the same sampling probability. However, it ignores that, compared to small flows, large flows only need lower sampling probabilities to achieve the same relative estimation error, wasting significant on-chip memory for large flows. This paper presents multi-layer adaptive sampling to complement the prior work by assigning lower probabilities to larger flows. The proposed framework employs a multi-layer model to sample distinct elements, ensuring that most small flows will stay in lower layers and large flows will get to higher layers. Besides, higher layers are designed with smaller overall probabilities to ensure that larger flows have lower sampling probabilities. Experimental results based on real Internet traces show that, compared to the state-of-the-art method, our solution can reduce up to 86% average relative errors for per-flow spread estimation and reduce the FPRs and FNRs of flow misclassification by around one to two magnitudes.

Qingjun Xiao,Yan Qiao,Mo Zhen,Shigang Chen

DOI: https://doi.org/10.1109/icnp.2014.33

2014-01-01

Abstract:The persistent spread of a destination host is the number of distinct sources that have contacted it persistently in predefined t measurement periods. A persistent spread estimator is a software/hardware component on a router that inspects the arrival packets and estimates the persistent spread of each destination. This is a new primitive for network measurement that can be used to detect long-term stealthy malicious activities, which cannot be recognized by the traditional super spreader detectors that are designed only for "elephant" activities. However, the challenge is to function such an estimator in fast but small memory space (such as on-chip SRAM of line cards), in order to keep up with the high speed of switching fabric for packet forwarding. This paper presents an implementation that can use very tight memory space to deliver high estimation accuracy: Its memory expense is less than one bit per flow element in each time period, Its estimation accuracy is over 90% better than a continuous variant of Flajolet-Martin sketches, Its operating range to produce effective measurements is hundreds of times broader than the traditional bitmap. These advantages originate from a new data structure called multi-virtual bitmap, which is designed to estimate the cardinality of the intersection of an arbitrary number of sets. We have verified the effectiveness of our new estimator using the real network traffic traces from CAIDA.

Haibo Wang,Chaoyi Ma,Olufemi O. Odegbile,Shigang Chen,Jih-Kwon Peir

DOI: https://doi.org/10.1109/tnet.2022.3197968

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:Flow spread measurement provides fundamental statistics that can help network operators better understand flow characteristics and traffic patterns with applications in traffic engineering, cybersecurity and quality of service. Past decades have witnessed tremendous performance improvement for single-flow spread estimation. However, when dealing with numerous flows in a packet stream, it remains a significant challenge to measure per-flow spread accurately while reducing memory footprint. The goal of this paper is to introduce new multi-flow spread estimation designs that incur much smaller processing overhead and query overhead than the state of the art, yet achieves significant accuracy improvement in spread estimation. We formally analyze the performance of these new designs. We implement them in both hardware and software, and use real-world data traces to evaluate their performance in comparison with the state of the art. The experimental results show that our best sketch significantly improves over the best existing work in terms of estimation accuracy, packet processing throughput, and online query throughput.

Quanwei Zhang,Qingjun Xiao,Yuexiao Cai

DOI: https://doi.org/10.1016/j.comnet.2023.110059

IF: 5.493

2023-01-01

Computer Networks

Abstract:For a high-speed network, it is an important task to process the IP packet stream using limited memory and measure its statistical metrics of interest. While many algorithms have been proposed to estimate the cardinality of a single data stream (i.e., the number of distinct elements), it remains a great challenge when a stream contains numerous sub-streams, called flows. In this paper, we focus on a problem of designing a generic data structure to measure multiple types of per-flow statistics in a high-speed stream, including per-flow cardinality, top-K super-spreading flows with the greatest cardinalities, per-flow cardinality moments and per-flow cardinality distribution. Previous solutions for generic measurement mainly focus on the frequency-related statistics measurement, while this paper makes a step forward to support deduplication, i.e., cardinality-related measuring. To address this new problem, we propose a generic sketch named M2D. The challenge is that the per-flow cardinality distribution is often highly skewed with a small proportion of super-spreaders. To tame the skewness, we adopt the adjustable progressive sampling technique, which samples subsets of flows by an exponentially decreasing probability according to their cardinalities. Based on the sampled super-spreaders, we estimate the moments of per-flow cardinalities with different orders. We finally apply the method of moments to reconstruct the per-flow cardinality distribution with no priori knowledge about its formula. Our experiments show M2D’s high memory efficiency (average savings of 38%) and satisfactory distribution estimation accuracy (2% to 98% improvement) than other algorithms.

Hanwen Zhang,He Huang,Yu-E Sun,Zhaojie Wang

DOI: https://doi.org/10.1109/icnp59255.2023.10355571

2023-01-01

Abstract:Spread estimation is an essential issue in high-speed networks with wide applications, such as network billing, quality of service, anomaly detection, etc. As a promising technique, sketch can efficiently estimate per-flow spread with only a small memory cost. Many studies focus on improving the performance of sketches. However, these works primarily focus on optimizing the counter level or sketch level without considering the scenario of multi-spread estimation, which is crucial for improving memory utilization and detecting anomalies. In this paper, we propose an efficient flow information compression algorithm based on the on-chip/off-chip hybrid framework to estimate multiple flow spreads. In the on-chip memory, we filter out non-duplicates and sample them to the off-chip space for recording. In the off-chip memory, we compress each sampled non-duplicate to a carefully designed bit-cube. When the measurement is finished, we separate corresponding KV-flows from a specific flow based on the user query. Then, we rebuild this flow to a subset group based on the duplicate number of each KV-flow. Finally, according to the Multi-set theory, we derive an accurate multi-spread estimate formula to solve this issue with a high throughput and small on-chip memory usage. Furthermore, we evaluate the performance of our proposed estimator using real Internet traffic traces downloaded from CAIDA. Experiments show that, compared to the state-of-the-art, our proposal achieves a 97.2% lower average relative error in per-destination source flow spread estimation with a tight on-chip memory, e.g., 320KB. And our proposed method achieves 31.86 higher processing throughput.

Haibo Wang

DOI: https://doi.org/10.14778/3681954.3681988

IF: 2.5

2024-07-01

Proceedings of the VLDB Endowment

Abstract:This paper addresses the challenge of identifying super spreaders within large, high-speed data streams. In these streams, data is segmented into flows, with each flow's spread defined as the number of distinct items it contains. A super spreader is characterized as a flow with a notably large spread. Current compact solutions, known as sketches, are designed to fit within the constrained memory of online devices. However, they struggle to accurately track the spread of all flows due to the substantial memory requirement for monitoring a single flow --- a problem exacerbated when numerous flows are involved. To overcome these limitations, this study proposes a more precise sketch-based approach. Our solution introduces an innovative non-duplicate sampler that effectively eliminates duplicates, allowing for accurate post-sampling count of flow spread using only counters. Additionally, it incorporates an exponential-weakening decay technique to highlight large flows, markedly enhancing the accuracy of super spreader identification. We offer a comprehensive theoretical analysis of our method. Trace-driven experiments validate that our approach statistically surpasses existing state-of-the-art solutions in identifying super spreaders. It also demonstrates the lowest time required to restore super spreaders and significantly reduces bandwidth consumption by an order of magnitude when offline restoration is conducted remotely.

computer science, information systems, theory & methods

Yang Du,He Huang,Yu-e Sun,An Liu,Guoju Gao,Boyu Zhang

DOI: https://doi.org/10.1007/978-3-030-73194-6_28

2021-01-01

Abstract:High-cardinality flow detection over the big network data stream plays an important role in many practical applications. To process large and fast data streams in real-time, most existing work uses compact data structures like sketches to fit themself in high-speed but small on-chip memory. However, this design suffers from expensive computation and thus only supports periodical high-cardinality flow detection. Although NDS can provide online flow cardinality estimation, it is designed to estimate all flows accurately. In contrast, high-cardinality flow detection only concerns whether a flow's cardinality exceeds a certain threshold. This paper complements the prior work by proposing an online high-cardinality flow detection method with high resource efficiency. Based on the on-chip/off-chip design, the proposed method reduces large flows' resource consumption by constructing a virtual bitmap sharing module over the physical bitmap. We evaluate the performance of the proposed method using the real-world Internet traces downloaded from CAIDA. The experimental results show that our method can save up to 65.8% on-chip memory when bounding the same constraints for false-positive rates and false-negative rates.

Yang Du,He Huang,Yu-E Sun,Shigang Chen,Guoju Gao,Xiaoyu Wang,Shenghui Xu

DOI: https://doi.org/10.1109/infocom48880.2022.9796702

2022-01-01

Abstract:Per-flow spread measurement in high-speed networks can provide indispensable information to many practical applications. However, it is challenging to measure millions of flows at line speed because on-chip memory modules cannot simultaneously provide large capacity and large bandwidth. The prior studies address this mismatch by entirely using on-chip compact data structures or utilizing off-chip space to assist limited on-chip memory. Nevertheless, their on-chip data structures record massive transient elements, each of which only appears in a short time interval in a long-period measurement task, and thus waste significant on-chip space. This paper presents short-term memory sampling, a novel spread estimator that samples new elements while only holding elements for short periods. Our estimator can work with tiny on-chip space and provide accurate estimations for online queries. The key of our design is a short-term memory duplicate filter that reports new elements and filters duplicates effectively while allowing incoming elements to override the stale elements to reduce on-chip memory usage. We implement our approach on a NetFPGA-equipped prototype. Experimental results based on real Internet traces show that, compared to the state-of-the-art, short-term memory sampling reduces up to 99% of on-chip memory usage when providing the same probabilistic assurance on spread-estimation error.

Shouyou Song,Pu Wang,Yangchun Li,Nanyang Wang,Wei Jiang

DOI: https://doi.org/10.1109/dsc59305.2023.00079

2023-01-01

Abstract:Super spreaders are the flow that have a large number of distinct connections (also called spread), which related with many threats to networks. Estimating flow spread is the crucial step in super spreader detection. However, existing methods cannot achieve flow spread estimation in terms of accurate, efficient, and reversible simultaneously. All these characteristics is highly required for high-speed network measurement. In this paper, we propose MorphSketch, a new data structure that estimates flow spread for super spreader detection with high accuracy, memory efficiency, high throughput and reversibility. MorphSketch combines hashing with sampling to process packets in order to improve throughput. It uses self-morph bitmap to record spread information, which can adaptively enlarge the upper bound of spread estimation under limited memory usage to ensure accuracy and memory efficiency. Moreover, MorphSketch can track candidate super spreader by comparing corresponding spread information, which realizes reversibility in super spreader detection. We perform a series of performance evaluations on real world traffic trace. Experiment results demonstrate that under same memory usage, the MorphSketch significantly outperforms existing work in terms of accuracy and efficiency.

Shaolong Zhou,Hanwen Zhang,Guoju Gao,Yu-e Sun,He Huang,Xiaoyu Wang,Yihuai Wang

DOI: https://doi.org/10.1007/978-981-97-7241-4_21

2024-01-01

Abstract:Finding flows with a large spread (i.e., the number of distinct elements) in multiple periods has many practical applications, such as detecting network scanners, click fraud, and DDoS attacks, etc.. Most previous works focus on finding persistent flows or estimating flow spreads. To the best of our knowledge, there is no previous work to find the flows with spread exceeding the threshold frequently. In this paper, we study a new problem called finding k-persistent t-spread flows in highspeed networks, which detects the flows whose spreads exceed a preset threshold t during at least inverted right perpendicular k * T inverted left perpendicular out of T measurement periods, where k is an element of (0, 1], and the parameters can be arbitrarily defined. To this end, we propose a novel sketch, called KTSketch, to find k-persistent t-spread flows in real time. The key idea of KTSketch is first to find out those flows whose spread exceeds the threshold t in the current period as potential flows and then separately estimate their spreads to find k-persistent t-spread flows. We compare the performance of KTSketch with three baseline solutions (Bloom Filter+Count-Min, VHLL, and FreeBS-SSD). The experimental results show that KTSketch can achieve around 49.4%, 59.0%, 27.1% higher F1 score, 3.89, 2.13, 13.8 times higher throughput, and 43.1%, 81.2%, 72.2% lower ARE, respectively.

Haibo Wang,Dimitrios Melissourgos,Chaoyi Ma,Shigang Chen

DOI: https://doi.org/10.1145/3589979

Abstract:Data streaming has many applications in network monitoring, web services, e-commerce, stock trading, social networks, and distributed sensing. This paper introduces a new problem of real-time burst detection in flow spread, which differs from the traditional problem of burst detection in flow size. It is practically significant with potential applications in cybersecurity, network engineering, and trend identification on the Internet. It is a challenging problem because estimating flow spread requires us to remember all past data items and detecting bursts in real time requires us to minimize spread estimation overhead, which was not the priority in most prior work. This paper provides the first efficient, real-time solution for spread burst detection. It is designed based on a new real-time super spreader identifier, which outperforms the state of the art in terms of both accuracy and processing overhead. The super spreader identifier is in turn based on a new sketch design for real-time spread estimation, which outperforms the best existing sketches.

Xingang Shi,Dah-Ming Chiu,John C. S. Lui

DOI: https://doi.org/10.1016/j.comnet.2009.12.003

IF: 5.493

2009-01-01

Computer Networks

Abstract:Flow level information is important for many applications in network measurement and analysis. In this work, we tackle the ''Top Spreaders'' and ''Top Scanners'' problems, where hosts that are spreading the largest numbers of flows, especially small flows, must be efficiently and accurately identified. The identification of these top users can be very helpful in network management, traffic engineering, application behavior analysis, and anomaly detection. We propose novel streaming algorithms and a ''Filter-Tracker-Digester'' framework to catch the top spreaders and scanners online. Our framework combines sampling and streaming algorithms, as well as deterministic and randomized algorithms, in such a way that they can effectively help each other to improve accuracy while reducing memory usage and processing time. To our knowledge, we are the first to tackle the ''Top Scanners'' problem in a streaming way. We address several challenges, namely: traffic scale, skewness, speed, memory usage, and result accuracy. The performance bounds of our algorithms are derived analytically, and are also evaluated by both real and synthetic traces, where we show our algorithm can achieve accuracy and speed of at least an order of magnitude higher than existing approaches.

Haibo Wang,Chaoyi Ma,Olufemi O. Odegbile,Shigang Chen,Jih-Kwon Peir

DOI: https://doi.org/10.14778/3447689.3447707

IF: 2.5

2021-01-01

Proceedings of the VLDB Endowment

Abstract:Measuring flow spread in real time from large, high-rate data streams has numerous practical applications, where a data stream is modeled as a sequence of data items from different flows and the spread of a flow is the number of distinct items in the flow. Past decades have witnessed tremendous performance improvement for single-flow spread estimation. However, when dealing with numerous flows in a data stream, it remains a significant challenge to measure per-flow spread accurately while reducing memory footprint. The goal of this paper is to introduce new multi-flow spread estimation designs that incur much smaller processing overhead and query overhead than the state of the art, yet achieves significant accuracy improvement in spread estimation. We formally analyze the performance of these new designs. We implement them in both hardware and software, and use real-world data traces to evaluate their performance in comparison with the state of the art. The experimental results show that our best sketch significantly improves over the best existing work in terms of estimation accuracy, data item processing throughput, and online query throughput.

Dah Ming Chiu,Xingang Shi

2011-01-01

Abstract:The scale and complexity of today's networks are increasing at a staggering pace, and so are the characteristics of data traffic and diverse applications or services in the networks. Their interdependencies also become more and more complicated, which ask for advanced network traffic measurement and analysis techniques. Besides packet level and flow level statistics, it is also important to monitor and understand the behavior of network users and applications, from the perspective of how they communicate with each other. For example, a popular server may attract a lot of connections from interested users; P2P peers often form clusters with intensive communications with each other; Botnet zombies receive regular commands from their botmaster and they may join a malicious campaign later to spread out a mass of spam emails or launch a DDoS attack. Such high level communication patterns as massive concurrent connections or causality of events are often useful behavior signatures of certain applications, or act as indications of anomaly. They can be very helpful in network management, traffic engineering, application behavior analysis, and anomaly detection. In this thesis, we study three interesting and useful communication patterns, including top spreaders, top scanners, and flow correlations. They have practical usage, especially in network management and anomaly detection. However, there is very little support from the network itself for high quality measurement of such non-trivial statistics, and the ever-increasing link speed and traffic volume have brought even greater challenges to our measurement and analysis. We take the approach of data streaming algorithms. First, we propose a general scheme called multiplexed sketches to efficiently estimate statistics of a large number of streams. Then we design appropriate algorithms that can accompany the multiplexed sketches to efficiently track each of the three communication patterns we have proposed. Particularly, we design a general "filter-tracker-digester" framework, where the filter provides a rough statistics estimation, the tracker tracks the IDs of potential candidate spreaders or scanners, and the digester is implemented as multiplexed sketches for accurate statistics estimation. Several challenges are addressed in our design, including traffic scale, skewness, speed, memory usage, and result accuracy. The performance of our algorithms is analyzed both mathematically and experimentally. We show they can achieve accuracy and speed of at least an order of magnitude higher than alternative approaches.

Aiping Li,Yi Han,Bin Zhou,Weihong Han,Yan Jia

2012-01-01

Applied Mathematics & Information Sciences

Abstract:Monitoring network data streams in real-time to check security event become more and more important along with the rapid growth of Internet applications. The detection typically treats the traffic as a collection of flows that need to be examined for significant changes in traffic pattern (e.g., volume, number of connections). However, as link speeds and the number of flows increase, keeping per-flow state is either too expensive or too slow. We propose building compact summaries of the traffic data using the notion of sketches. In this paper, we proposed an IP address traceability network anomaly detection method at right time based on the summary data structure. In this method, the network traffic information is recorded into sketch online in every circle which is used to detect anomalies. By using EWMA forecasting model to get each circle forecast value, it computes the error sketch between the recoded value and forecast value and detects heavy network traffic change based on Mean-Standard deviation in the error sketch. The method is effective in detecting DDoS attack, scan attack. And it can trace the IP address of victim host. Evaluated by the experiment, the results show that this method takes up little computing and memory resources and is suitable for anomaly detection under the high-speed network traffic.

Yang Du,He Huang,Yu-E Sun,Shigang Chen,Guoju Gao

DOI: https://doi.org/10.1109/infocom42981.2021.9488425

2021-01-01

Abstract:Per-flow traffic measurement in the high-speed network plays an important role in many practical applications. Due to the limited on-chip memory and the mismatch between off-chip memory speed and line rate, sampling-based methods select and forward a part of flow traffic to off-chip memory, complementing sketch-based solutions in estimation accuracy and online query support. However, most current work uses the same sampling probability for all flows, overlooking that the sampling rates different flows require to meet the same accuracy constraint are different. It leads to a waste in storage and communication resources. In this paper, we present self-adaptive sampling, a framework to sample each flow with a probability adapted to flow size/spread. Then we propose two algorithms, SAS-LC and SAS-LOG, which are geared towards per-flow spread estimation and per-flow size estimation by using different compression functions. Experimental results based on real Internet traces show that, when compared to NDS in per-flow spread estimation, SAS-LC can save around 10% on-chip space and reduce up to 40% communication cost for large flows. Moreover, SAS-LOG can save 40% on-chip space and reduce up to 96% communication cost for large flows than NDS in per-flow size estimation.

Yifan Han,He Huang,Yang Du,Yu-E Sun,Jia Liu,Hongli Xu

DOI: https://doi.org/10.1109/ispa-bdcloud-socialcom-sustaincom59178.2023.00036

2023-01-01

Abstract:Per-flow size measurement has wide applications in data center networks, such as flow scheduling, anomaly detection, and traffic engineering. To fit the module into limited on-chip memory and catch up with the line speed, existing works either use the bit sharing scheme to compress the flow information or require complex calculations to screen out large flows, resulting in substantial accuracy loss or heavy memory accesses, especially failing to measure medium-sized flows accurately, which are meaningful for practical applications such as usage accounting and billing. In light of this, we propose a new Hierarchical Sketch that adopts a hybrid on-chip/off-chip architecture to detect and estimate the flows whose size exceeds the threshold t (threshold-t flows for short) to cover both large and medium-sized flows. In Hierarchical Sketch, we design an on-chip bucket array together with an adaptive update scheme to record potential candidates for threshold$-t$ flows within one memory access as well as filter out unwanted flows. Besides, the flow records are downloaded to off-chip space for high memory efficiency and supporting online queries. We also implement a prototype on the NetFPGA development platform. Experimental results show that Hierarchical Sketch is up to 72.61% more accurate and 245% faster than the best baseline.