TY - GEN
T1 - Reverse hashing for high-speed network monitoring
T2 - INFOCOM 2006: 25th IEEE International Conference on Computer Communications
AU - Schweller, Robert
AU - Li, Zhichun
AU - Chen, Yan
AU - Gao, Yan
AU - Gupta, Ashish
AU - Zhangf, Yin
AU - Dinda, Peter A
AU - Kao, Ming-Yang
AU - Memik, Gokhan
N1 - Funding Information:
The authors are grateful to Bill Rossow and Kenta Suzuki for their comments on earlier versions of the manuscript. The AIRS/AMSU product was provided by Goddard Earth Sciences (GES) Data and Information Services Center (DISC) (http://disc.sci.gsfc.nasa.gov) and the TRMM PR (2A25) data set by the Japan Aerospace Exploration Agency (JAXA) (https://www.gportal.jaxa.jp/gp/top.html). The data sets also crucial, although not explicitly presented, in the current analysis are the GPROF 2010 precipitation product from Colorado State University (http://rain.atmos.colostate.edu/RAINMAP), the AMSR-E SST and CWV product by Remote Sensing Systems (http://www.remss.com), the CloudSat data sets by the CloudSat Data Processing Center (http://www.cloudsat.cira.colostate.edu), and QuikSCAT data from the NASA Jet Propulsion Laboratory (https://podaac.jpl.nasa.gov/QuikSCAT). H.M. is supported by the Japan Society for the Promotion of Science (JSPS) Grant-in-Aid (KAKENHI) for Challenging Exploratory Research (26610150). Z. J. L. would like to acknowledge funding support by NASA grant NNX12AC13G and support from JPL CloudSat and Radar Science and Engineering group.
PY - 2006
Y1 - 2006
N2 - A key function for network traffic monitoring and analysis is the ability to perform aggregate queries over multiple data streams. Change detection is an important primitive which can be extended to construct many aggregate queries. The recently proposed sketches [1] are among the very few that can detect heavy changes online for high speed links, and thus support various aggregate queries in both temporal and spatial domains. However, it does not preserve the keys (e.g., source IP address) of flows, making it difficult to reconstruct the desired set of anomalous keys. In an earlier abstract we proposed a framework for a reversible sketch data structure that offers hope for efficient extraction of keys [2]. However, this scheme is only able to detect a single heavy change key and places restrictions on the statistical properties of the key space. To address these challenges, we propose an efficient reverse hashing scheme to infer the keys of culprit flows from reversible sketches. There are two phases. The first operates online, recording the packet stream in a compact representation with negligible extra memory and few extra memory accesses. Our prototype single FPGA board implementation can achieve a throughput of over 16 Gbps for 40-byte-packet streams (the worst case). The second phase identifies heavy changes and their keys from the representation in nearly real time. We evaluate our scheme using traces from large edge routers with OC-12 or higher links. Both the analytical and experimental results show that we are able to achieve online traffic monitoring and accurate change/intrusion detection over massive data streams on high speed links, all in a manner that scales to large key space size. To the best of our knowledge, our system is the first to achieve these properties simultaneously.
AB - A key function for network traffic monitoring and analysis is the ability to perform aggregate queries over multiple data streams. Change detection is an important primitive which can be extended to construct many aggregate queries. The recently proposed sketches [1] are among the very few that can detect heavy changes online for high speed links, and thus support various aggregate queries in both temporal and spatial domains. However, it does not preserve the keys (e.g., source IP address) of flows, making it difficult to reconstruct the desired set of anomalous keys. In an earlier abstract we proposed a framework for a reversible sketch data structure that offers hope for efficient extraction of keys [2]. However, this scheme is only able to detect a single heavy change key and places restrictions on the statistical properties of the key space. To address these challenges, we propose an efficient reverse hashing scheme to infer the keys of culprit flows from reversible sketches. There are two phases. The first operates online, recording the packet stream in a compact representation with negligible extra memory and few extra memory accesses. Our prototype single FPGA board implementation can achieve a throughput of over 16 Gbps for 40-byte-packet streams (the worst case). The second phase identifies heavy changes and their keys from the representation in nearly real time. We evaluate our scheme using traces from large edge routers with OC-12 or higher links. Both the analytical and experimental results show that we are able to achieve online traffic monitoring and accurate change/intrusion detection over massive data streams on high speed links, all in a manner that scales to large key space size. To the best of our knowledge, our system is the first to achieve these properties simultaneously.
UR - http://www.scopus.com/inward/record.url?scp=34249780184&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34249780184&partnerID=8YFLogxK
U2 - 10.1109/INFOCOM.2006.203
DO - 10.1109/INFOCOM.2006.203
M3 - Conference contribution
AN - SCOPUS:34249780184
SN - 1424402212
SN - 9781424402212
T3 - Proceedings - IEEE INFOCOM
BT - Proceedings - INFOCOM 2006
Y2 - 23 April 2006 through 29 April 2006
ER -