Bitmap Algorithms for Counting Active Flows on High-Speed Links

Estan, Cristian; Varghese, George; Fisk, Mike

doi:10.1109/tnet.2006.882836

Cited by 155 publications

(68 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Figure 6 shows a corresponding probability density for the three configurations. 9 We see that while using the summary statistics framework imposes overhead, it remains small for scan detection (0.4 percentage points more). The difference with the top-k script (1.6 percentage points more) is more noticeable due to the increased cost per observation that the more expensive maintenance of the probabilistic data structure entails.…”

Section: Computational Overheadmentioning

confidence: 86%

“…To give just a few examples of research efforts presenting applications and/or corresponding data structures, the literature includes work on finding port scanners in backbones [24], efficiently counting the number of network flows in high-speed environments [16,9], detecting attacks against routers [1], computing real-time traffic summaries [15], or identifying elephant flows [8]. However, all of these efforts remain specific to their particular target application, while our work provides a framework on top of which one can implement such analyses.…”

Section: Communication Overheadmentioning

confidence: 99%

See 1 more Smart Citation

Count Me In: Viable Distributed Summary Statistics for Securing High-Speed Networks

Amann

Hall

Sommer

2014

Research in Attacks, Intrusions and Defenses

View full text Add to dashboard Cite

Abstract. Summary statistics represent a key primitive for profiling and protecting operational networks. Many network operators routinely measure properties such as throughput, traffic mix, and heavy hitters. Likewise, security monitoring often deploys statistical anomaly detectors that trigger, e.g., when a source scans the local IP address range, or exceeds a threshold of failed login attempts. Traditionally, a diverse set of tools is used for such computations, each typically hard-coding either the features it operates on or the specific calculations it performs, or both. In this work we present a novel framework for calculating a wide array of summary statistics in real-time, independent of the underlying data, and potentially aggregated from independent monitoring points. We focus on providing a transparent, extensible, easy-to-use interface and implement our design on top of an open-source network monitoring system. We demonstrate a set of example applications for profiling and statistical anomaly detection that would traditionally require significant effort and different tools to compute. We have released our implementation under BSD license and report experiences from real-world deployments in large-scale network environments.

show abstract

Section: Computational Overheadmentioning

confidence: 86%

Section: Communication Overheadmentioning

confidence: 99%

Count Me In: Viable Distributed Summary Statistics for Securing High-Speed Networks

Amann

Hall

Sommer

2014

Research in Attacks, Intrusions and Defenses

View full text Add to dashboard Cite

show abstract

“…Identifying superspreaders provides very important information for many other applications, such as port scanner and Distributed Denial of Service (DDoS) attack detection, worm propagation measurement, and hot spots localization in peer-to-peer (p2p) and Content Delivery Networks (CDN) [1,2,3,4,5,6].…”

Section: Introductionmentioning

confidence: 99%

Line speed accurate superspreader identification using dynamic error compensation

Cheng

Tang

2013

Computer Communications

View full text Add to dashboard Cite

“…In this algorithm, we also design an effective data streaming structure that can maintain the information of every flow and IP address through a high-speed link in the limited memory resource. The SDAS adopts multiple network measurement technologies, such as the data streaming structure [3][4][5] to record the flow, the sample and hold technique [6][7][8] to decrease the non-superpoints measurement and to improve the accuracy of the superpoints detection, the non-uniform sampling technique [9,10] to adjust the probability in the adaptive process. Experiment results and the mathematics analysis show that the SDAS is better than conventional algorithms in the adaptive function, resource consumption and measuring accuracy, so it can be used to detect the superpoints accurately and timely in the high speed links.…”

Section: Introductionmentioning

confidence: 99%

Adaptive sampling algorithm for detection of superpoints

Cheng

Gong

Ding

et al. 2008

Sci. China Ser. F-Inf. Sci.

View full text Add to dashboard Cite

The superpoints are the sources (or the destinations) that connect with a great deal of destinations (or sources) during a measurement time interval, so detecting the superpoints in real time is very important to network security and management. Previous algorithms are not able to control the usage of the memory and to deliver the desired accuracy, so it is hard to detect the superpoints on a high speed link in real time. In this paper, we propose an adaptive sampling algorithm to detect the superpoints in real time, which uses a flow sample and hold module to reduce the detection of the non-superpoints and to improve the measurement accuracy of the superpoints. We also design a data stream structure to maintain the flow records, which compensates for the flow Hash collisions statistically. An adaptive process based on different sampling probabilities is used to maintain the recorded IP addresses in the limited memory. This algorithm is compared with the other algorithms by analyzing the real network trace data. Experiment results and mathematic analysis show that this algorithm has the advantages of both the limited memory requirement and high measurement accuracy.superpoints detection, adaptive process, flow sample and hold, collision compensation

show abstract

Bitmap Algorithms for Counting Active Flows on High-Speed Links

Cited by 155 publications

References 15 publications

Count Me In: Viable Distributed Summary Statistics for Securing High-Speed Networks

Count Me In: Viable Distributed Summary Statistics for Securing High-Speed Networks

Line speed accurate superspreader identification using dynamic error compensation

Adaptive sampling algorithm for detection of superpoints

Contact Info

Product

Resources

About