Online Detection of 1D and 2D Hierarchical Super-Spreaders in High-Speed Networks
Authors: Haorui Su, Qingjun Xiao
Published in: Proceedings of the 7th Asia-Pacific Workshop on Networking
Publication date: 2023-06-29
DOI: 10.1145/3600061.3600080 (https://doi.org/10.1145/3600061.3600080)
Citations: 0
Abstract
Traditionally, a firewall tracks the per-flow spread of each source and destination IP address to detect network scans and DDoS attacks. It is not designed with hierarchical IP addresses in mind. However, cyberattacks have become stealthier. To evade detection, they treat a network subnet, instead of a single IP, as the victim of an attack campaign. Therefore, we focus on a new problem: online estimation of each hierarchical flow's cardinality (or spread), in order to detect hierarchical super-spreaders (HSSs), which correspond to IP subnets receiving numerous network connections from an extraordinarily large number of source IPs. For detecting such one-dimensional HSSs, the recent Hierarchical Virtual bitmap Estimator (HVE) has been proposed. However, it fails to handle two-dimensional HSSs, and it cannot be queried online due to its very high query overhead. In this paper, we propose the Hon-vHLL sketch to address these limitations. It is an innovative hierarchical extension of On-vHLL that supports the estimation of conditional spreads for either 1D or 2D hierarchical flows. Hon-vHLL allocates an On-vHLL sketch for each hierarchical level bucket and queries the conditional spread by merging the virtual estimators of hierarchical flows. We evaluate its performance on CAIDA network traces. The results show that Hon-vHLL improves query throughput by 578 times over HVE and also achieves 11% higher HSS detection accuracy.