Abstract
Super host refers to the host that has a high cardinality or exhibits a big change in a network. Facing big-volume network traffic, sketches have been widely applied to identify super hosts in an efficient and accurate way. However, most sketches cannot flexibly balance memory usage and accuracy in host cardinality estimation. Setting an inappropriate counter size for a sketch could either lead to inaccurate host cardinality estimation or cause memory waste. In order to solve this issue, we propose a novel extensible and reversible sketch, named ExtendedSketch, to achieve accurate super host identification with high memory efficiency. The core idea of ExtendedSketch is to monitor low-cardinality hosts with small-sized counters while dynamically extending the size of counters when monitoring high-cardinality hosts by applying an adaptive extension strategy. Such the strategy can adaptively increase counter size according to network traffic status at runtime, which not only ensures the accuracy of high-cardinality host estimation but also avoids unnecessary memory consumption. We perform theoretical analysis and conduct a series of experimental evaluations on ExtendedSketch based on real world network traffic. Experimental results show that under same memory usage, compared to the state-of-the-art, ExtendedSketch achieves <inline-formula><tex-math notation="LaTeX">$1.4{ \sim }7.5$</tex-math></inline-formula> times smaller error rate in estimating host cardinality with <inline-formula><tex-math notation="LaTeX">$1.9{ \sim }26.7$</tex-math></inline-formula> times better accuracy on super host identification and <inline-formula><tex-math notation="LaTeX">$95 {\sim }2^{15}$</tex-math></inline-formula> times faster speed on abnormal address reconstruction. Its advance in accuracy and efficiency demonstrates the practical significance of ExtendedSketch for super host identification.
Highlights
S UPER host identification plays an important role in network management, which can be applied to detect network attacks (e.g., Distributed Denial of Service (DDoS) attacks [1], network scanning [2]), track hot-spot web content [3], monitor user activities [4]
We give an overview of ExtendedSketch. It is a novel data structure for super host identification originally proposed in this paper: its structure is adaptively adjusted based on the distribution of host cardinality, which is totally different from any existing sketches
We proposed ExtendedSketch, a novel extensible and reversible data structure, for host cardinality estimation
Summary
S UPER host identification plays an important role in network management, which can be applied to detect network attacks (e.g., Distributed Denial of Service (DDoS) attacks [1], network scanning [2]), track hot-spot web content [3], monitor user activities [4]. We propose a novel extensible and reversible sketch to solve the above challenges about identifying super hosts facing skewed network traffic, named ExtendedSketch. The extensibility makes ExtendedSketch feasible to be applied into analyzing skewed big-volume traffic with high memory efficiency and super host identification accuracy. (1) We propose an extensible, mergeable and reversible sketch to estimate host cardinality and further identify super hosts, named ExtendedSketch It can achieve memory efficiency, fast traffic processing, and accurate reconstruction of addresses of super hosts at the same time. It is a novel data structure for super host identification originally proposed in this paper: its structure is adaptively adjusted based on the distribution of host cardinality, which is totally different from any existing sketches.
Sign-in/Register to view highlights & summary 
Published Version (
Free)
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call