Online identification of hierarchical heavy hitters

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Online identification of hierarchical heavy hitters: algorithms, evaluation, and applications

Full text

Pdf (274 KB)

Source

Internet Measurement Conference archive
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement table of contents

Taormina, Sicily, Italy

SESSION: Identification and classification table of contents

Pages: 101 - 114

Year of Publication: 2004

ISBN:1-58113-821-0

Authors

Yin Zhang	AT&T Labs -- Research, Florham Park, NJ
Sumeet Singh	University of California, San Diego, CA
Subhabrata Sen	AT&T Labs -- Research, Florham Park, NJ
Nick Duffield	AT&T Labs -- Research, Florham Park, NJ
Carsten Lund	AT&T Labs -- Research, Florham Park, NJ

Sponsors

SIGCOMM: ACM Special Interest Group on Data Communication
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 5, Downloads (12 Months): 72, Citation Count: 21

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1028788.1028802 What is a DOI?

ABSTRACT

In traffic monitoring, accounting, and network anomaly detection, it is often important to be able to detect high-volume traffic clusters in near real-time. Such heavy-hitter traffic clusters are often hierarchical (<i>ie</i>, they may occur at different aggregation levels like ranges of IP addresses) and possibly multidimensional (<i>ie</i>, they may involve the combination of different IP header fields like IP addresses, port numbers, and protocol). Without prior knowledge about the precise structures of such traffic clusters, a naive approach would require the monitoring system to examine all possible ombinations of aggregates in order to detect the heavy hitters, which can be proohibitive in terms of computation resources.

In this paper, we focus on online identification of 1-dimensional and 2-dimensional hierarchical heavy hitters (HHHs), arguably the two most important scenarios in traffic analysis. We show that the problem of HHH detection can be transformed to one of dynamic packet classification by taking a top-down approach and adaptively creating new rules to match HHHs. We then adapt several existing static packet classification algorithms to support dynamic packet classification. The resulting HHH detection algorithms have much lower worst-case update costs than existing algorithms and can provide tunable deterministic accuracy guarantees. As an application of these algorithms, we also propose robust techniques to detect changes among heavy-hitter traffic clusters. Our techniques can accommodate variability due to sampling that is increasingly used in network measurement. Evaluation based on real Internet traces collected at a Tier-1 ISP suggests that these techniques are remarkably accurate and efficient.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	H. Arsham. Time series analysis and forecasting techniques. http://obelia.jde.aca.mmu.ac.uk/resdesgn/arsham/opre330Forecast.htm.
	2	F. Baboescu, S. Singh, and G. Varghese. Packet classification for core routers: Is there an alternative to CAMs. In INFOCOM, 2003. http://citeseer.ist.psu.edu/baboescu03packet.html.
	3	Florin Baboescu , George Varghese, Scalable packet classification, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.199-210, August 2001, San Diego, California, United States
	4	Paul Barford , Jeffery Kline , David Plonka , Amos Ron, A signal analysis of network traffic anomalies, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France [doi>10.1145/637201.637210]
	5	Paul Barford , David Plonka, Characteristics of network traffic flow anomalies, Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, November 01-02, 2001, San Francisco, California, USA [doi>10.1145/505202.505211]
	6	George Edward Pelham Box , Gwilym Jenkins, Time Series Analysis, Forecasting and Control, Holden-Day, Incorporated, 1990
	7	George Edward Pelham Box , Gwilym M. Jenkins, Time Series Analysis: Forecasting and Control, Prentice Hall PTR, Upper Saddle River, NJ, 1994
	8	Jake D. Brutlag, Aberrant Behavior Detection in Time Series for Network Monitoring, Proceedings of the 14th USENIX conference on System administration, December 03-08, 2000, New Orleans, Louisiana
	9	C. Chen and L.-M. Liu. Forecasting time series with outliers. Journal of Forecasting, 12:13--35, 1993.
	10	Cisco. Random Sampled NetFlow. http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/nfstatsa.pdf.
	11	G. Cormode, F. Korn, S. Muthukrishnan, and D. Srivastava. Finding hierarchical heavy hitters in data streams. In International Conference on Very Large Data Bases, 2003.
	12	Graham Cormode , Flip Korn , S. Muthukrishnan , Divesh Srivastava, Diamond in the rough: finding Hierarchical Heavy Hitters in multi-dimensional data, Proceedings of the 2004 ACM SIGMOD international conference on Management of data, June 13-18, 2004, Paris, France [doi>10.1145/1007568.1007588]
	13	Graham Cormode , S. Muthukrishnan, What's hot and what's not: tracking most frequent items dynamically, Proceedings of the twenty-second ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems, p.296-306, June 09-11, 2003, San Diego, California [doi>10.1145/773153.773182]
	14	Graham Cormode , S. Muthukrishnan, An improved data stream summary: the count-min sketch and its applications, Journal of Algorithms, v.55 n.1, p.58-75, April 2005 [doi>10.1016/j.jalgor.2003.12.001]
	15	Nick Duffield , Carsten Lund, Predicting resource usage and estimation accuracy in an IP flow measurement collection infrastructure, Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement, October 27-29, 2003, Miami Beach, FL, USA [doi>10.1145/948205.948228]
	16	Nick Duffield , Carsten Lund , Mikkel Thorup, Charging from sampled network usage, Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, November 01-02, 2001, San Francisco, California, USA [doi>10.1145/505202.505232]
	17	Cristian Estan , George Varghese, New directions in traffic measurement and accounting, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
	18	Cristian Estan , Stefan Savage , George Varghese, Automatically inferring patterns of resource consumption in network traffic, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany [doi>10.1145/863955.863972]
	19	Frank Feather , Dan Siewiorek , Roy Maxion, Fault detection in an Ethernet network using anomaly signature matching, Conference proceedings on Communications architectures, protocols and applications, p.279-288, September 13-17, 1993, San Francisco, California, United States
	20	A. Feldmann and S. Muthukrishnan. Tradeoffs for packet classification. In INFOCOM (3), pages 1193--1202, 2000. http://citeseer.ist.psu.edu/feldmann00tradeoffs.html.
	21	Pankaj Gupta , Nick McKeown, Packet classification on multiple fields, Proceedings of the conference on Applications, technologies, architectures, and protocols for computer communication, p.147-160, August 30-September 03, 1999, Cambridge, Massachusetts, United States
	22	Cynthia S. Hood , Chuanyi Ji, Proactive Network Fault Detection, Proceedings of the INFOCOM '97. Sixteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Driving the Information Revolution, p.1147, April 09-11, 1997
	23	K. J. Houle, G. M. Weaver, N. Long, and R. Thomas. Trends in Denial of Service Attack Technology. http://www.cert.org/archive/pdf/DoS_trends.pdf.
	24	Jaeyeon Jung , Balachander Krishnamurthy , Michael Rabinovich, Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites, Proceedings of the 11th international conference on World Wide Web, May 07-11, 2002, Honolulu, Hawaii, USA [doi>10.1145/511446.511485]
	25	Irene Katzela , Mischa Schwartz, Schemes for fault identification in communication networks, IEEE/ACM Transactions on Networking (TON), v.3 n.6, p.753-764, Dec. 1995 [doi>10.1109/90.477721]
	26	Balachander Krishnamurthy , Subhabrata Sen , Yin Zhang , Yan Chen, Sketch-based change detection: methods, evaluation, and applications, Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement, October 27-29, 2003, Miami Beach, FL, USA [doi>10.1145/948205.948236]
	27	G. Manku and R. Motwani. Approximate frequency counts over data streams. In International Conference on Very Large Data Bases, 2002.
	28	D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. The spread of the Sapphire Slammer worm. Technical report, CAIDA, February 2003. http://www.cs.berkeley.edu/ nweaver/sapphire/.
	29	S. Muthukrishnan, Data streams: algorithms and applications, Proceedings of the fourteenth annual ACM-SIAM symposium on Discrete algorithms, January 12-14, 2003, Baltimore, Maryland
	30	Sumeet Singh , Florin Baboescu , George Varghese , Jia Wang, Packet classification using multidimensional cutting, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany [doi>10.1145/863955.863980]
	31	V. Srinivasan , S. Suri , G. Varghese, Packet classification using tuple space search, Proceedings of the conference on Applications, technologies, architectures, and protocols for computer communication, p.135-146, August 30-September 03, 1999, Cambridge, Massachusetts, United States
	32	V. Srinivasan and G. Varghese. Faster IP lookups using controlled prefix expansion. In ACM Transactions on Computer Systems, 1999.
	33	V. Srinivasan , G. Varghese , S. Suri , M. Waldvogel, Fast and scalable layer four switching, Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication, p.191-202, August 31-September 04, 1998, Vancouver, British Columbia, Canada
	34	R. S. Tsay. Outliers, level shifts, and variance changes in time series. Journal of Forecasting, 7:1--20, 1988.
	35	Amy Ward , Peter Glynn , Kathy Richardson, Internet service performance failure detection, ACM SIGMETRICS Performance Evaluation Review, v.26 n.3, p.38-43, Dec. 1998 [doi>10.1145/306225.306237]

CITED BY 21

	Anukool Lakhina , Mark Crovella , Christophe Diot, Mining anomalies using traffic feature distributions, ACM SIGCOMM Computer Communication Review, v.35 n.4, October 2005
	Deepak Agarwal , Dhiman Barman , Dimitrios Gunopulos , Neal E. Young , Flip Korn , Divesh Srivastava, Efficient and effective explanation of change in hierarchical summaries, Proceedings of the 13th ACM SIGKDD international conference on Knowledge discovery and data mining, August 12-15, 2007, San Jose, California, USA
	Xin Li , Fang Bian , Mark Crovella , Christophe Diot , Ramesh Govindan , Gianluca Iannaccone , Anukool Lakhina, Detection and identification of network anomalies using sketch subspaces, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
	S. Muthukrishnan, Data streams: algorithms and applications, Foundations and Trends® in Theoretical Computer Science, v.1 n.2, p.117-236, August 2005
	Qi Zhao , Jun Xu , Zhen Liu, Design of a novel statistics counter architecture with optimal space and time efficiency, ACM SIGMETRICS Performance Evaluation Review, v.34 n.1, June 2006
	Ashwin Lall , Vyas Sekar , Mitsunori Ogihara , Jun Xu , Hui Zhang, Data streaming algorithms for estimating entropy of network traffic, ACM SIGMETRICS Performance Evaluation Review, v.34 n.1, June 2006
	Jisheng Wang , lhab Hamadeh , George Kesidis , David J. Miller, Polymorphic worm detection and defense: system design, experimental methodology, and data resources, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, p.169-176, September 11-15, 2006, Pisa, Italy
	Yunqi Li , Jiahai Yang , Changqing An , Hui Zhang, Finding hierarchical heavy hitters in network measurement system, Proceedings of the 2007 ACM symposium on Applied computing, March 11-15, 2007, Seoul, Korea
	Xenofontas Dimitropoulos , Paul Hurley , Andreas Kind, Probabilistic lossy counting: an efficient algorithm for finding heavy hitters, ACM SIGCOMM Computer Communication Review, v.38 n.1, January 2008
	Lihua Yuan , Chen-Nee Chuah , Prasant Mohapatra, ProgME: towards programmable network measurement, ACM SIGCOMM Computer Communication Review, v.37 n.4, October 2007
	Haakon Ringberg , Matthew Roughan , Jennifer Rexford, The need for simulation in evaluating anomaly detectors, ACM SIGCOMM Computer Communication Review, v.38 n.1, January 2008
	Graham Cormode , Flip Korn , S. Muthukrishnan , Divesh Srivastava, Finding hierarchical heavy hitters in streaming data, ACM Transactions on Knowledge Discovery from Data (TKDD), v.1 n.4, p.1-48, January 2008
	Sheng-Ya Lin , Cheng-Chung Tan , Jyh-Charn Liu , Michael Oehler, High-speed detection of unsolicited bulk emails, Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems, December 03-04, 2007, Orlando, Florida, USA
	Haakon Ringberg , Augustin Soule , Jennifer Rexford, WebClass: adding rigor to manual labeling of traffic anomalies, ACM SIGCOMM Computer Communication Review, v.38 n.1, January 2008
	Anirudh Ramachandran , Srinivasan Seetharaman , Nick Feamster , Vijay Vazirani, Fast monitoring of traffic subpopulations, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, October 20-22, 2008, Vouliagmeni, Greece
	Xenofontas Dimitropoulos , Marc Stoecklin , Paul Hurley , Andreas Kind, The eternal sunshine of the sketch data structure, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.17, p.3248-3257, December, 2008
	Nan Hua , Bill Lin , Jun (Jim) Xu , Haiquan (Chuck) Zhao, BRICK: a novel exact active statistics counter architecture, Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, November 06-07, 2008, San Jose, California
	Kuai Xu , Zhi-Li Zhang , Supratik Bhattacharyya, Internet traffic behavior profiling for network security monitoring, IEEE/ACM Transactions on Networking (TON), v.16 n.6, p.1241-1252, December 2008
	Faisal Khan , Lihua Yuan , Chen-Nee Chuah , Soheil Ghiasi, A programmable architecture for scalable and real-time network traffic measurements, Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, November 06-07, 2008, San Jose, California
	Yu Jin , Esam Sharafuddin , Zhi-Li Zhang, Unveiling core network-wide communication patterns through application traffic activity graph decomposition, Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems, June 15-19, 2009, Seattle, WA, USA
	Ajay Anil Mahimkar , Zihui Ge , Aman Shaikh , Jia Wang , Jennifer Yates , Yin Zhang , Qi Zhao, Towards automated performance diagnosis in a large IPTV network, ACM SIGCOMM Computer Communication Review, v.39 n.4, October 2009