Minimizing Noise in HyperLogLog-Based Spread Estimation of Multiple Flows

Dinh Nguyen Dao; Rhongho Jang; Changhun Jung; David Mohaisen; Dae Hun Nyang

doi:10.1109/DSN53405.2022.00042

Minimizing Noise in HyperLogLog-Based Spread Estimation of Multiple Flows

Dinh Nguyen Dao, Rhongho Jang, Changhun Jung, David Mohaisen, Dae Hun Nyang

Department of Cyber Security

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

4 Scopus citations

Abstract

Cardinality estimation has become an essential building block of modern network monitoring systems due to the increasing concerns of cyberattacks (e.g., Denial-of-Service, worm, spammer, scanner, etc.). However, the ever-increasing attack scale and the diversity of patterns (i.e., flow size distribution) will produce a biased estimation of existing solutions if apply a monotonic hypothesis for network traffic. The most representative solution is virtual HyperLogLog (vHLL), which extended the proven HLL, a single element cardinality estimation solution, to a multi-tenant version using a memory random sharing and noise elimination approach. In this paper, we show that the assumption made by vHLL's does not work for large-scale network traffic with diverse flow distributions. To resolve the issue, we propose a novel noise elimination method, called Rank Recovery-based Spread Estimator (RRSE), which is tolerant to both attack and normal traffic scenarios while using limited computation and storage. We show that our recovery function is more reliable than state-of-the-art approaches. Moreover, we implemented RRSE in a programmable switch to show the feasibility.

Original language	English
Title of host publication	Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	331-342
Number of pages	12
ISBN (Electronic)	9781665416931
DOIs	https://doi.org/10.1109/DSN53405.2022.00042
State	Published - 2022
Event	52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022 - Baltimore, United States Duration: 27 Jun 2022 → 30 Jun 2022

Publication series

Name	Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022

Conference

Conference	52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022
Country/Territory	United States
City	Baltimore
Period	27/06/22 → 30/06/22

Bibliographical note

Publisher Copyright:
© 2022 IEEE.

Keywords

Cardinality Estimation
Network Anomaly Detection
Programmable Switch
Sketch

Access to Document

10.1109/DSN53405.2022.00042

Cite this

Dao, D. N., Jang, R., Jung, C., Mohaisen, D., & Nyang, D. H. (2022). Minimizing Noise in HyperLogLog-Based Spread Estimation of Multiple Flows. In Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022 (pp. 331-342). (Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSN53405.2022.00042

Dao, Dinh Nguyen ; Jang, Rhongho ; Jung, Changhun et al. / Minimizing Noise in HyperLogLog-Based Spread Estimation of Multiple Flows. Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022. Institute of Electrical and Electronics Engineers Inc., 2022. pp. 331-342 (Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022).

@inproceedings{c930e357044a466c87f2655d9b0aa1aa,

title = "Minimizing Noise in HyperLogLog-Based Spread Estimation of Multiple Flows",

abstract = "Cardinality estimation has become an essential building block of modern network monitoring systems due to the increasing concerns of cyberattacks (e.g., Denial-of-Service, worm, spammer, scanner, etc.). However, the ever-increasing attack scale and the diversity of patterns (i.e., flow size distribution) will produce a biased estimation of existing solutions if apply a monotonic hypothesis for network traffic. The most representative solution is virtual HyperLogLog (vHLL), which extended the proven HLL, a single element cardinality estimation solution, to a multi-tenant version using a memory random sharing and noise elimination approach. In this paper, we show that the assumption made by vHLL's does not work for large-scale network traffic with diverse flow distributions. To resolve the issue, we propose a novel noise elimination method, called Rank Recovery-based Spread Estimator (RRSE), which is tolerant to both attack and normal traffic scenarios while using limited computation and storage. We show that our recovery function is more reliable than state-of-the-art approaches. Moreover, we implemented RRSE in a programmable switch to show the feasibility.",

keywords = "Cardinality Estimation, Network Anomaly Detection, Programmable Switch, Sketch",

author = "Dao, {Dinh Nguyen} and Rhongho Jang and Changhun Jung and David Mohaisen and Nyang, {Dae Hun}",

note = "Publisher Copyright: {\textcopyright} 2022 IEEE.; 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022 ; Conference date: 27-06-2022 Through 30-06-2022",

year = "2022",

doi = "10.1109/DSN53405.2022.00042",

language = "English",

series = "Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "331--342",

booktitle = "Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022",

}

Dao, DN, Jang, R, Jung, C, Mohaisen, D & Nyang, DH 2022, Minimizing Noise in HyperLogLog-Based Spread Estimation of Multiple Flows. in Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022. Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022, Institute of Electrical and Electronics Engineers Inc., pp. 331-342, 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022, Baltimore, United States, 27/06/22. https://doi.org/10.1109/DSN53405.2022.00042

Minimizing Noise in HyperLogLog-Based Spread Estimation of Multiple Flows. / Dao, Dinh Nguyen; Jang, Rhongho; Jung, Changhun et al.
Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022. Institute of Electrical and Electronics Engineers Inc., 2022. p. 331-342 (Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Minimizing Noise in HyperLogLog-Based Spread Estimation of Multiple Flows

AU - Dao, Dinh Nguyen

AU - Jang, Rhongho

AU - Jung, Changhun

AU - Mohaisen, David

AU - Nyang, Dae Hun

PY - 2022

Y1 - 2022

N2 - Cardinality estimation has become an essential building block of modern network monitoring systems due to the increasing concerns of cyberattacks (e.g., Denial-of-Service, worm, spammer, scanner, etc.). However, the ever-increasing attack scale and the diversity of patterns (i.e., flow size distribution) will produce a biased estimation of existing solutions if apply a monotonic hypothesis for network traffic. The most representative solution is virtual HyperLogLog (vHLL), which extended the proven HLL, a single element cardinality estimation solution, to a multi-tenant version using a memory random sharing and noise elimination approach. In this paper, we show that the assumption made by vHLL's does not work for large-scale network traffic with diverse flow distributions. To resolve the issue, we propose a novel noise elimination method, called Rank Recovery-based Spread Estimator (RRSE), which is tolerant to both attack and normal traffic scenarios while using limited computation and storage. We show that our recovery function is more reliable than state-of-the-art approaches. Moreover, we implemented RRSE in a programmable switch to show the feasibility.

AB - Cardinality estimation has become an essential building block of modern network monitoring systems due to the increasing concerns of cyberattacks (e.g., Denial-of-Service, worm, spammer, scanner, etc.). However, the ever-increasing attack scale and the diversity of patterns (i.e., flow size distribution) will produce a biased estimation of existing solutions if apply a monotonic hypothesis for network traffic. The most representative solution is virtual HyperLogLog (vHLL), which extended the proven HLL, a single element cardinality estimation solution, to a multi-tenant version using a memory random sharing and noise elimination approach. In this paper, we show that the assumption made by vHLL's does not work for large-scale network traffic with diverse flow distributions. To resolve the issue, we propose a novel noise elimination method, called Rank Recovery-based Spread Estimator (RRSE), which is tolerant to both attack and normal traffic scenarios while using limited computation and storage. We show that our recovery function is more reliable than state-of-the-art approaches. Moreover, we implemented RRSE in a programmable switch to show the feasibility.

KW - Cardinality Estimation

KW - Network Anomaly Detection

KW - Programmable Switch

KW - Sketch

UR - http://www.scopus.com/inward/record.url?scp=85136322570&partnerID=8YFLogxK

U2 - 10.1109/DSN53405.2022.00042

DO - 10.1109/DSN53405.2022.00042

M3 - Conference contribution

AN - SCOPUS:85136322570

T3 - Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022

SP - 331

EP - 342

BT - Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022

Y2 - 27 June 2022 through 30 June 2022

ER -

Dao DN, Jang R, Jung C, Mohaisen D, Nyang DH. Minimizing Noise in HyperLogLog-Based Spread Estimation of Multiple Flows. In Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022. Institute of Electrical and Electronics Engineers Inc. 2022. p. 331-342. (Proceedings - 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2022). doi: 10.1109/DSN53405.2022.00042

Minimizing Noise in HyperLogLog-Based Spread Estimation of Multiple Flows

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Fingerprint

Cite this