ExtendedSketch: Fusing Network Traffic for Super Host Identification With a Memory Efficient Sketch

Abstract

Super host refers to the host that has a high cardinality or exhibits a big change in a network. Facing big-volume network traffic, sketches have been widely applied to identify super hosts in an efficient and accurate way. However, most sketches cannot flexibly balance memory usage and accuracy in host cardinality estimation. Setting an inappropriate counter size for a sketch could either lead to inaccurate host cardinality estimation or cause memory waste. In order to solve this issue, we propose a novel extensible and reversible sketch, named ExtendedSketch, to achieve accurate super host identification with high memory efficiency. The core idea of ExtendedSketch is to monitor low-cardinality hosts with small-sized counters while dynamically extending the size of counters when monitoring high-cardinality hosts by applying an adaptive extension strategy. Such the strategy can adaptively increase counter size according to network traffic status at runtime, which not only ensures the accuracy of high-cardinality host estimation but also avoids unnecessary memory consumption. We perform theoretical analysis and conduct a series of experimental evaluations on ExtendedSketch based on real world network traffic. Experimental results show that under same memory usage, compared to the state-of-the-art, ExtendedSketch achieves <inline-formula><tex-math notation="LaTeX">$1.4{ \sim }7.5$</tex-math></inline-formula> times smaller error rate in estimating host cardinality with <inline-formula><tex-math notation="LaTeX">$1.9{ \sim }26.7$</tex-math></inline-formula> times better accuracy on super host identification and <inline-formula><tex-math notation="LaTeX">$95 {\sim }2^{15}$</tex-math></inline-formula> times faster speed on abnormal address reconstruction. Its advance in accuracy and efficiency demonstrates the practical significance of ExtendedSketch for super host identification.