Article

Sketch-based change detection: methods, evaluation, and applications

Authors:

Balachander Krishnamurthy,

Subhabrata Sen,

Yan ChenAuthors Info & Claims

IMC '03: Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement

Pages 234 - 247

https://doi.org/10.1145/948205.948236

Published: 27 October 2003 Publication History

Abstract

Traffic anomalies such as failures and attacks are commonplace in today's network, and identifying them rapidly and accurately is critical for large network operators. The detection typically treats the traffic as a collection of flows that need to be examined for significant changes in traffic pattern (eg, volume, number of connections). However, as link speeds and the number of flows increase, keeping per-flow state is either too expensive or too slow. We propose building compact summaries of the traffic data using the notion of sketches. We have designed a variant of the sketch data structure, k-ary sketch, which uses a constant, small amount of memory, and has constant per-record update and reconstruction cost. Its linearity property enables us to summarize traffic at various levels. We then implement a variety of time series forecast models (ARIMA, Holt-Winters, etc.) on top of such summaries and detect significant changes by looking for flows with large forecast errors. We also present heuristics for automatically configuring the model parameters.Using a large amount of real Internet traffic data from an operational tier-1 ISP, we demonstrate that our sketch-based change detection method is highly accurate, and can be implemented at low computation and memory costs. Our preliminary results are promising and hint at the possibility of using our method as a building block for network anomaly detection and traffic measurement.

References

[1]

N. Alon, Y. Matias, and M. Szegedy. The space complexity of approximating the frequency moments. Journal of Computer and System Sciences, 58(1):137--147, 1999.]]

Digital Library

[2]

H. Arsham. Time series analysis and forecasting techniques. http://obelia.jde.aca.mmu.ac.uk/resdesgn/arsham/pre330Forecast.htm.]]

[3]

P. Barford, J. Kline, D. Plonka, and A. Ron. A signal analysis of network traffic anomalies. In Proceedings of the ACM SIGCOMM Internet Measurement Workshop, Marseille, France, November 2002.]]

Digital Library

[4]

P. Barford and D. Plonka. Characteristics of network traffic flow anomalies. In Proceedings of the ACM SIGCOMM Internet Measurement Workshop, San Francisco, CA, November 2001.]]

Digital Library

[5]

G. E. P. Box, W. G. Hunter, and J. S. Hunter. Statistics for Experimenters. John Wiley, 1978.]]

[6]

G. E. P. Box and G. M. Jenkins. Time Series Analysis, Forecasting and Control. Holden-Day, 1976.]]

Digital Library

[7]

G. E. P. Box, G. M. Jenkins, and G. C. Reinsel. Time Series Analysis, Forecasting and Control. Prentice-Hall, Englewood Cliffs, 1994.]]

Digital Library

[8]

P. Brockwell and R. Davis. Introduction to Time Series and Forecasting. Springer, 1996.]]

[9]

J. Brutlag. Aberrant behavior detection in time series for network monitoring. In Proc. USENIX LISA XIV, New Orleans, LA, December 2000. http://www.usenix.org/events/lisa2000/full\_papers/brutlag/brutlag_html/index.html.]]

Digital Library

[10]

J. Carter and M. Wegman. Universal classes of hash functions. Journal of Computer and System Sciences, 18:143--154, 1979.]]

[11]

M. Charikar, K. Chen, and M. Farach-Colton. Finding frequent items in data streams. In Proc. of ICALP 2002, pages 693--703, 2002. http://www.cs.princeton.edu/~moses/papers/frequent.ps.]]

Digital Library

[12]

C. Chen and L.-M. Liu. Forecasting time series with outliers. Journal of Forecasting, 12:13--35, 1993.]]

[13]

C. Chen and L.-M. Liu. Joint estimation of model parameters and outlier effects in time series. Journal of the American Statistical Association, 88:284--297, 1993.]]

[14]

G. Cormode and S. Muthukrishnan. What's hot and what's not: Tracking most frequent items dynamically. In Proc. ACM PODC '2003, July 2003.]]

Digital Library

[15]

M. Datar and S. Muthukrishnan. Estimating rarity and similarity over data stream windows. Technical Report 2001-21, DIMACS Technical Report, November 2001.]]

[16]

N. Devillard. Fast median search: an ansi c implementation, July 1998. http://ndevilla.free.fr/median/median.pdf.]]

[17]

C. Estan and G. Varghese. New directions in traffic measurement and accounting. In Proc. ACM SIGCOMM '2002, Pittsburgh, PA, August 2002.]]

Digital Library

[18]

F. Feather, D. Siewiorek, and R. Maxion. Fault detection in an ethernet network using anomaly signature matching. In Proc. ACM SIGCOMM '93, 1993.]]

Digital Library

[19]

S. Floyd, M. Handley, J. Padhye, and J. Widmer. Equation-based congestion control for unicast applications. In Proc. ACM SIGCOMM '00, August 2000.]]

Digital Library

[20]

K. Fox, R. Henning, J. Reed, and R. Simonian. A neural network approach towards intrusion detection. Technical report, Technical Report, Harris Corporation, July 1990.]]

[21]

A. C. Gilbert, S. Guha, P. Indyk, S. Muthukrishnan, and M. J. Strauss. Quicksand: Quick summary and analysis of network data. Technical Report 2001-43, DIMACS Technical Report, November 2001.]]

[22]

C. Hood and C. Ji. Proactive network fault detection. In Proc. IEEE INFOCOM '97, Kobe, Japan, April 1997.]]

Digital Library

[23]

K. J. Houle, G. M. Weaver, N. Long, and R. Thomas. Trends in Denial of Service Attack Technology. http://www.cert.org/archive/pdf/DoS_trends.pdf.]]

[24]

P. Indyk. Stable distributions, pseudorandom generators, embeddings and data stream computation. In Proc. of the 41st Symposium on Foundations of Computer Science, 2000.]]

Digital Library

[25]

J. Jung, B. Krishnamurthy, and M. Rabinovich. Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites. In Proceedings of the World Wide Web Conference, Honolulu, Hawaii, May 2002. http://www.research.att.com/~bala/papers/www02-fc.html.]]

Digital Library

[26]

I. Katzela and M. Schwartz. Schemes for fault identification in communication networks. IEEE/ACM Transactions on Networking, 3(6):753--764, December 1995.]]

Digital Library

[27]

M. J. Lebo and W. H. Moore. Foreign policy behavior and fractional integration. Journal of Conflict Resolution, 1(47):13--32, February 2003. http://garnet.acns.fsu.edu/~whmoore/research/Lebo&Moore2003.pdf.]]

[28]

D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. The Spread of the Sapphire/Slammer Worm. Technical report, Technical Report, February 2003. http://www.cs.berkeley.edu/~nweaver/sapphire/.]]

[29]

D. Moore, G. Voelker, and S. Savage. Inferring Internet Denial of Service Activity. In Proc. of the USENIX Security Symposium, Washington D.C., August 2001. http://www.cs.ucsd.edu/~savage/papers/UsenixSec01.pdf.]]

Digital Library

[30]

S. Muthukrishnan. Data streams: Algorithms and applications, 2003. Manuscript based on invited talk from 14th SODA. Available from http://www.cs.rutgers.edu/~muthu/stream-1-1.ps.]]

Digital Library

[31]

V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, 31(23--24):2435--2463, December 1999. ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz.]]

Digital Library

[32]

M. Roesch. Snort -- Lightweight Intrusion Detection for Networks. In Proc. USENIX Lisa~'99, Seattle, WA, November 1999.]]

Digital Library

[33]

M. Thorup and Y. Zhang. Tabulation based 4-universal hashing with applications to second moment estimation, 2003. Under submission. Available from http://www.research.att.com/~yzhang/papers/hash-tm03.ps.]]

[34]

J. Toelle and O. Niggemann. Supporting intrusion detection by graph clustering and graph drawing. In Proc. RAID '2000, Toulouse, France, October 2000.]]

[35]

R. S. Tsay. Time series model specification in the presence of outliers. Journal of the American Statistical Association, 81:132--141, 1986.]]

[36]

R. S. Tsay. Outliers, level shifts, and variance changes in time series. Journal of Forecasting, 7:1--20, 1988.]]

[37]

T.S. Huang, G. J. Yang, and G. Y. Tang. A fast two-dimensional median filtering algorithm. IEEE transactions on acoustics, speech and signal processing, 27(1), February 1979.]]

[38]

A. Ward, P. Glynn, and K. Richardson. Internet service performance failure detection. Performance Evaluation Review, August 1998.]]

Digital Library

[39]

M. Wegman and J. Carter. New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences, 22:265--279, 1981.]]

[40]

N. Ye. A markov chain model of temporal behavior for anomaly detection. In Workshop on Information Assurance and Security, West Point, NY, June 2000.]]

Cited By

Feng WGao JChen XAntichi GBasat RShao MZhang YYu M(2024)F3: Fast and Flexible Network Telemetry with an FPGA coprocessorProceedings of the ACM on Networking10.1145/36963972:CoNEXT4(1-22)Online publication date: 1-Dec-2024
https://dl.acm.org/doi/10.1145/3696397
Friedman R(2024)An Evaluation of Software Frequency SketchesProceedings of the 18th ACM International Conference on Distributed and Event-based Systems10.1145/3629104.3666028(18-29)Online publication date: 24-Jun-2024
https://dl.acm.org/doi/10.1145/3629104.3666028
Li WPatras PChua TNgo CKa-Wei Lee RKumar RLauw H(2024)Stable-Sketch: A Versatile Sketch for Accurate, Fast, Web-Scale Data Stream ProcessingProceedings of the ACM Web Conference 202410.1145/3589334.3645581(4227-4238)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589334.3645581
Show More Cited By

Index Terms

Sketch-based change detection: methods, evaluation, and applications
1. Networks
  1. Network services
    1. Network monitoring

Recommendations

Reversible sketches for efficient and accurate change detection over network data streams
IMC '04: Proceedings of the 4th ACM SIGCOMM conference on Internet measurement

Traffic anomalies such as failures and attacks are increasing in frequency and severity, and thus identifying them rapidly and accurately is critical for large network operators. The detection typically treats the traffic as a collection of flows and ...
Online identification of hierarchical heavy hitters: algorithms, evaluation, and applications
IMC '04: Proceedings of the 4th ACM SIGCOMM conference on Internet measurement

In traffic monitoring, accounting, and network anomaly detection, it is often important to be able to detect high-volume traffic clusters in near real-time. Such heavy-hitter traffic clusters are often hierarchical (<i>ie</i>, they may occur at ...
Towards generic traffic change detection in the data plane
CoNEXT-SW '21: Proceedings of the CoNEXT Student Workshop

Identifying traffic changes accurately sits at the core of many network tasks, from congestion analysis to intrusion detection. Modern telemetry systems perform traffic change detection but restrict their detection to heavy-hitters, failing to identify ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

IMC '03: Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement

October 2003

328 pages

ISBN:1581137737

DOI:10.1145/948205

Program Chair:
Mark Crovella
Boston University, MA

Copyright © 2003 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 October 2003

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

IMC03

Sponsor:

IMC03: Internet Measurement Conference

October 27 - 29, 2003

FL, Miami Beach, USA

Acceptance Rates

IMC '03 Paper Acceptance Rate 32 of 109 submissions, 29%;

Overall Acceptance Rate 277 of 1,083 submissions, 26%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

425
Total Citations
View Citations
2,696
Total Downloads

Downloads (Last 12 months)121
Downloads (Last 6 weeks)8

Reflects downloads up to 25 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Feng WGao JChen XAntichi GBasat RShao MZhang YYu M(2024)F3: Fast and Flexible Network Telemetry with an FPGA coprocessorProceedings of the ACM on Networking10.1145/36963972:CoNEXT4(1-22)Online publication date: 1-Dec-2024
https://dl.acm.org/doi/10.1145/3696397
Friedman R(2024)An Evaluation of Software Frequency SketchesProceedings of the 18th ACM International Conference on Distributed and Event-based Systems10.1145/3629104.3666028(18-29)Online publication date: 24-Jun-2024
https://dl.acm.org/doi/10.1145/3629104.3666028
Li WPatras PChua TNgo CKa-Wei Lee RKumar RLauw H(2024)Stable-Sketch: A Versatile Sketch for Accurate, Fast, Web-Scale Data Stream ProcessingProceedings of the ACM Web Conference 202410.1145/3589334.3645581(4227-4238)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589334.3645581
Li LXie KPei SWen JLiang WXie G(2024)CS-Sketch: Compressive Sensing Enhanced Sketch for Full Traffic MeasurementIEEE Transactions on Network Science and Engineering10.1109/TNSE.2023.330512511:3(2338-2352)Online publication date: May-2024
https://doi.org/10.1109/TNSE.2023.3305125
Liu YXie X(2024)A Probabilistic Sketch for Summarizing Cold Items of Data StreamsIEEE/ACM Transactions on Networking10.1109/TNET.2023.331642632:2(1287-1302)Online publication date: Apr-2024
https://doi.org/10.1109/TNET.2023.3316426
Voronov TRaz DRottenstreich O(2024)A Framework for Anomaly Detection in Blockchain Networks With SketchesIEEE/ACM Transactions on Networking10.1109/TNET.2023.329825332:1(686-698)Online publication date: Feb-2024
https://doi.org/10.1109/TNET.2023.3298253
Lv ZLei ZXie LFalco NShi CYou Z(2024)Novel Distribution Distance Based on Inconsistent Adaptive Region for Change Detection Using Hyperspectral Remote Sensing ImagesIEEE Transactions on Geoscience and Remote Sensing10.1109/TGRS.2024.337852662(1-12)Online publication date: 2024
https://doi.org/10.1109/TGRS.2024.3378526
Cheng ZGao GHuang HSun YDu YWang H(2024)BurstDetector: Real-Time and Accurate Across-Period Burst Detection in High-Speed NetworksIEEE INFOCOM 2024 - IEEE Conference on Computer Communications10.1109/INFOCOM52122.2024.10621114(2338-2347)Online publication date: 20-May-2024
https://doi.org/10.1109/INFOCOM52122.2024.10621114
Babai EOkamura K(2024)A Contextual Approach for Improving Anomalous Network Traffic Flows Prediction2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC)10.1109/COMPSAC61105.2024.00353(2203-2208)Online publication date: 2-Jul-2024
https://doi.org/10.1109/COMPSAC61105.2024.00353
Liu ZDong FLiu CDeng XYang TZhao YLi JCui BZhang G(2024)WavingSketch: an unbiased and generic sketch for finding top-k items in data streamsThe VLDB Journal10.1007/s00778-024-00869-633:5(1697-1722)Online publication date: 29-Jul-2024
https://doi.org/10.1007/s00778-024-00869-6
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents