Abstract
Detecting flows that have a large number of packets is an important function in network monitoring. Those flows known as elephants are typically few but account for a significant fraction of the traffic and it may be interesting to treat them differently. In high-speed networks, the number of flows can be very large and it is not practical to keep a list of the active flows. Instead, approximate data structures commonly referred to as sketches are used to detect elephant flows. The use of sketches significantly reduces the memory and computational effort needed to detect elephants at the cost of small inaccuracies in the detection. For example, the Count-Min Sketch (CMS) is widely used to estimate the frequency of elements in a set in general and the number of packets per flow in particular. However, the use of sketches also opens the door for an attacker to try to make that a specific flow that is not an elephant is detected as such. In this letter, an algorithm to perform such an attack on a Count-Min Sketch is presented and evaluated. The analysis and simulation results show that the attacker can create fake elephants even when he does not have any knowledge of how the Count-Min Sketch is implemented.
Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
