Citation
Highly Efficient Data Structures and Probabilistic Measurement Methods on Big Network Data

Material Information

Title:
Highly Efficient Data Structures and Probabilistic Measurement Methods on Big Network Data
Creator:
Zhou, You
Place of Publication:
[Gainesville, Fla.]
Florida
Publisher:
University of Florida
Publication Date:
Language:
english
Physical Description:
1 online resource (112 p.)

Thesis/Dissertation Information

Degree:
Doctorate ( Ph.D.)
Degree Grantor:
University of Florida
Degree Disciplines:
Computer Science
Computer and Information Science and Engineering
Committee Chair:
CHEN,SHIGANG
Committee Co-Chair:
PEIR,JIHKWON
Committee Members:
XIA,YE
FANG,YUGUANG

Subjects

Subjects / Keywords:
big-network-data -- compact-data-structures -- probabilistic-measurement-methods -- security -- traffic-measurement
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
Genre:
bibliography ( marcgt )
theses ( marcgt )
government publication (state, provincial, terriorial, dependent) ( marcgt )
born-digital ( sobekcm )
Electronic Thesis or Dissertation
Computer Science thesis, Ph.D.

Notes

Abstract:
There is hardly any other data set whose size can rival the big network data that flows on the Internet. Massive and distributed data are increasingly prevalent in modern networks. Performing traffic measurement on such massive-volume network data pose huge challenges. In this dissertation, we aim to develop new methods that reduce the big network data to measurement summaries, and propose efficient traffic measurement on big network data (in the form of summaries). We start with the problem of per-flow traffic measurement, which is a fundamental problem in the era of big network data providing critical information for many practical applications including capacity planning, traffic engineering, data accounting, resource management, and scan/intrusion detection in modern computer networks. It is challenging to design highly compact data structures for approximate per-flow measurements. We show that a highly compact virtual counter architecture can achieve fast processing speed (slightly more than 1 memory access per packet) and provide accurate measurement results under tight memory allocation. Extensive experiments based on real network trace data demonstrate its superior performance over the best existing work. Our second work focuses on per-flow traffic measurement for big network data stream over sliding windows. Traditional research focused on using compact data structures to estimate flow sizes from the beginning of the data stream (i.e., landmark window model). However, for many applications, the most recent elements of a stream are more significant than those arrived long time ago. Therefore, we consider the sliding window model and propose two different schemes, ACE and S-ACE, that approximate per-flow counting in the sliding window of a given size. Instead of allocating a separated data structure for each flow, both schemes utilize counter sharing idea to reduce memory footprint, so they can be implemented in on-chip SRAM in modern routers to keep up with the line speed. We discover that ACE has to reset the window periodically to give precise estimates. We apply the segment window idea in S-ACE that achieves persistently accurate estimates. Our simulations studies and experimental evaluation base on real traffic trace demonstrate that S-ACE can achieve high accuracy even with a very tight memory space. Finally, we study the problem of persistent spread measurement, which is to count the number of distinct elements that persist in each network flow for predefined time periods. It has many practical applications including detecting long-term stealthy network activities in the background of normal-user activities, such as stealthy DDoS attack, stealthy network scan, or faked network trend, which cannot be detected by traditional flow cardinality measurement. With big network data, one challenge is to measure the persistent spreads of a massive number of flows without incurring too much memory overhead as such measurement may be performed at the line speed by network processors with fast but small on-chip memory. We propose a highly compact Virtual Intersection HyperLogLog (VI-HLL) architecture for this purpose. It achieves far better memory efficiency than the best prior work of V-Bitmap, and in the meantime drastically extends the measurement range. Theoretical analysis and extensive experiments demonstrate that VI-HLL provides good measurement accuracy even in very tight memory space of less than 1 bit per flow. ( en )
General Note:
In the series University of Florida Digital Collections.
General Note:
Includes vita.
Bibliography:
Includes bibliographical references.
Source of Description:
Description based on online resource; title from PDF title page.
Source of Description:
This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Thesis:
Thesis (Ph.D.)--University of Florida, 2017.
Local:
Adviser: CHEN,SHIGANG.
Local:
Co-adviser: PEIR,JIHKWON.
Statement of Responsibility:
by You Zhou.

Record Information

Source Institution:
UFRGP
Rights Management:
Applicable rights reserved.
Classification:
LD1780 2017 ( lcc )

Downloads

This item has the following downloads:


Full Text

PAGE 1

HIGHLYEFFICIENTDATASTRUCTURESANDPROBABILISTICMEASUREMENTMETHODSONBIGNETWORKDATAByYOUZHOUADISSERTATIONPRESENTEDTOTHEGRADUATESCHOOLOFTHEUNIVERSITYOFFLORIDAINPARTIALFULFILLMENTOFTHEREQUIREMENTSFORTHEDEGREEOFDOCTOROFPHILOSOPHYUNIVERSITYOFFLORIDA2017

PAGE 2

c2017YouZhou

PAGE 3

Tomyfamily

PAGE 4

ACKNOWLEDGMENTSFirstandforemost,Iwouldliketoexpressmydeepestgratitudeandspecialappreciationtomyadvisor,Prof.ShigangChen,forhisextraordinarysupport,tirelessguidance,understanding,andencouragementduringmyPh.D.studyatUniversityofFlorida.Iamprivilegedtohavesuchatremendousmentor,whoisalwaysenthusiastic,patient,helpfulandoptimistic.Hisadviceonbothresearchaswellasonmycareerhavebeenpriceless.Icouldnothaveimaginedhavingabetteradvisorandmentorformygraduatestudy.IwouldliketogivemyspecialgratitudetoProf.YeXia,Prof.Jih-KwonPeir,Prof.YuguangFangandProf.RenatoFigueiredoforservingasmycommitteemembersevenathardship.TheirbrilliantcommentsandsuggestionshelpedmeinallthetimeofmystudyatUniversityofFlorida.Iwouldalsoliketothanktheresearchersandcolleaguesinmyresearchgroup.TheyareTaoLi,WenLuo,YanQiao,ZhenMo,YianZhou,MinChen,YoulinZhang,OlufemiOdegbile,QingjunXiao,ZhipingCaiandJiaLiu.Thanksforoeringalotofsuggestionsandencouragementsthroughoutmygraduatestudy.MyappreciationalsogoestomyfriendsatUniversityofFlorida.TheyareNingZhao,YanDeng,ShuangLin,YangChen,XiTao,YupengYan,XiaofengZhou,DihongGong,ChengliangYang,YuanZhou,YunxiLiu,YunZhu,KangfuChenandHaochengZhou.TheymakemylifeinGainesvillefulloffunandIwillneverforgetit.Lastbutnottheleast,Iwouldliketogivemygreatestthankstomyfamily.Theirunconditionallove,understandingandencouragementhavealwaysbeenthestrongestsupporttome.Withoutthem,noneofthesewouldhavebeenpossible. 4

PAGE 5

TABLEOFCONTENTS page ACKNOWLEDGMENTS ................................... 4 LISTOFTABLES ...................................... 8 LISTOFFIGURES ..................................... 9 ABSTRACT ......................................... 11 CHAPTER 1INTRODUCTION ................................... 13 1.1TracMeasurementandBigNetworkData .................. 13 1.2FlowModel ................................... 14 1.3PerformanceMetrics ............................... 14 1.3.1ProcessingTime ............................. 14 1.3.2MemoryRequirement ........................... 14 1.3.3EstimationAccuracy ........................... 15 1.4EcientFlowSizeMeasurement ........................ 15 1.5FlowSizeMeasurementoverSlidingWindows ................. 16 1.6EcientPersistentSpreadMeasurement .................... 17 1.7OutlineoftheDissertation ............................ 19 2HIGHLYCOMPACTVIRTUALCOUNTERSFORPER-FLOWTRAFFICMEASUREMENTTHROUGHREGISTERSHARING .......................... 20 2.1RelatedWork .................................. 20 2.2DesignofVirtualCounters ............................ 21 2.2.1Motivation ................................ 21 2.2.2CounterSharing ............................. 22 2.2.3RegisterSharing ............................. 23 2.3VirtualHyperLogLogCounterArchitecture ................... 23 2.3.1OnlineEncoding ............................. 23 2.3.2OineEstimation ............................ 24 2.4Experiments ................................... 25 2.4.1ExperimentSetup ............................ 25 2.4.2ProcessingTime ............................. 26 2.4.3EstimationAccuracyandMemoryOverhead ............... 26 2.4.4ImpactofValues ............................ 29 2.5Summary ..................................... 31 3PER-FLOWCOUNTINGFORBIGNETWORKDATASTREAMOVERSLIDINGWINDOWS ...................................... 32 3.1RelatedWork .................................. 32 5

PAGE 6

3.2Preliminaries ................................... 33 3.2.1NetworkDataStreamandSlidingWindows ............... 33 3.2.2ProblemStatement ............................ 34 3.2.3RandomizedCounterSharing ...................... 35 3.3AgingCounterEstimationoverSlidingWindows ................ 36 3.3.1VirtualAgingCounter .......................... 36 3.3.2OnlineOperation ............................. 37 3.3.2.1Agingstep ........................... 37 3.3.2.2Encodingstep ......................... 38 3.3.3RealTimeFlowSizeEstimation ..................... 38 3.3.4ACEPerformanceAnalysis ........................ 39 3.4SegmentAgingCounterEstimationoverSlidingWindows ........... 41 3.4.1SegmentDesign ............................. 41 3.4.2SegmentAgingCounter ......................... 42 3.4.3OnlineOperation ............................. 44 3.4.3.1\Virtual"agingstep ...................... 45 3.4.3.2Encodingstep ......................... 45 3.4.4RealTimeFlowSizeEstimation ..................... 46 3.4.5S-ACEPerformanceAnalysis ....................... 46 3.5SimulationStudies ................................ 48 3.5.1SimulationSetup ............................. 48 3.5.2S-ACEv.s.ACE ............................. 49 3.5.2.1Processingtime ........................ 49 3.5.2.2Memoryoverheadandestimationaccuracy .......... 49 3.5.3AgingStepinS-ACE ........................... 54 3.6ExperimentalEvaluation ............................. 56 3.7Summary ..................................... 59 4PERSISTENTSPREADMEASUREMENTFORBIGNETWORKDATABASEDONREGISTERINTERSECTION ........................... 60 4.1PracticalImportance ............................... 60 4.2PriorArtandChallenges ............................. 61 4.3ProblemStatement ............................... 63 4.4Preliminaries ................................... 68 4.4.1HyperLogLog(HLL)Algorithm ...................... 68 4.4.2HLL-BasedPersistentSpreadEstimation ................ 70 4.4.2.1Register-unionapproach .................... 71 4.4.2.2Register-intersectionapproach ................. 72 4.5IntersectionHLLEstimator ........................... 73 4.5.1ProbabilityofIntersectionRegisterValue ................ 73 4.5.2I-HLLEstimator ............................. 77 4.5.3AccuracyAnalysis ............................ 80 4.6VirtualI-HLLArchitecture ............................ 82 4.6.1Motivation ................................ 82 6

PAGE 7

4.6.2RegisterSharingandVirtualHLLSketch ................ 83 4.6.3RecordFlowElementsinA ....................... 85 4.6.4VI-HLLEstimator ............................ 86 4.6.5AccuracyAnalysis ............................ 88 4.6.5.1Relativebias .......................... 89 4.6.5.2Relativestandarderror ..................... 90 4.7Simulations .................................... 91 4.7.1SimulationSetup ............................. 91 4.7.2VI-HLLv.s.V-Bitmap .......................... 92 4.7.3ImpactofValuetonVI-HLL ...................... 98 4.7.4ImpactofValueSNRjonVI-HLL .................... 98 4.7.5ImpactofValuesonVI-HLL ...................... 102 4.8Summary ..................................... 102 5CONCLUSIONS .................................... 103 APPENDIX ATHEPARTIALDERIVATIVEOFGS(N,K) ..................... 104 BANALYSISOF,2AND 2 ............................. 105 REFERENCES ........................................ 107 BIOGRAPHICALSKETCH ................................. 112 7

PAGE 8

LISTOFTABLES Table page 2-1ComparisonofprocessingtimebyCTandVHC. ................... 26 3-1ComparisonofprocessingtimebyACEandS-ACE. ................. 49 4-1Notations ....................................... 84 8

PAGE 9

LISTOFFIGURES Figure page 1-1Multi-periodanalysisofdatasketches. ........................ 18 2-1Flowsizedistribution.Eachpointrepresentsthenumber(y-coordinate)ofowsthathaveacertainsize(x-coordinate). ........................ 21 2-2Anillustrationofcountersharing. ........................... 22 2-3EstimationresultsbyCTwhenmemorysizeM=0.25MB,0.5MB,1MB,and2MB. 27 2-4EstimationresultsbyVHCwiths=512whenmemorysizeM=0.25MB,0.5MB,1MB,and2MB. .................................... 28 2-5RelativebiasBias(^n n).Fromlefttoright,memorysizeM=0.25MB,0.5MB,1MB,and2MB. ....................................... 29 2-6RelativestandarderrorStdErr(^n n).Fromlefttoright,memorysizeM=0.25MB,0.5MB,1MB,and2MB. ................................ 29 2-7EstimationresultsandrelativestandarderrorsofVHCunderdierentvalueofs.MemorysizeM=1MB. ............................... 30 3-1AnexampleofslidingwindowswithW=3. ..................... 34 3-2Anillustrationofcountersharing. ........................... 35 3-3Anillustrationofsegmentwindowdesign. ...................... 41 3-4Anexampleofmemoryreuse. ............................. 43 3-5RelativebiasofACEwhenM=0.5MB,1MB,and2MB .............. 50 3-6RelativestandarderrorofACEwhenM=0.5MB,1MB,and2MB ........ 51 3-7RelativebiasofS-ACEwhenM=0.5MB,1MB,and2MB ............. 52 3-8RelativestandarderrorofS-ACEwhenM=0.5MB,1MB,and2MB ....... 53 3-9RelativebiasBias(^n n)withdierentagingpercentage. ................ 55 3-10RelativestandarderrorStdErr(^n n)withdierentagingpercentage. ......... 56 3-11Per-owcountingusingS-ACEinshorttimeinterval. ................ 57 3-12Per-owcountingusingS-ACEinlongtimeinterval. ................. 58 3-13S-ACEestimatesoffourowsfortimepointtbetween107and1.1107. ..... 58 4-1StealthyDDoSattack. ................................. 61 9

PAGE 10

4-2Persistentspreadofapacketowtodestination97.208.145.236,withrespecttodierentperiodlengthsinthetwoplotsanddierentnumberstofperiodsonthehorizontalaxis. ..................................... 65 4-3Persistentspreadofapacketowtodestination220.221.80.140,withrespecttodierentperiodlengthsinthetwoplotsanddierentnumberstofperiodsonthehorizontalaxis. ..................................... 66 4-4Flowdistributionwithrespecttopersistentspreadunderdierenttvalues. ..... 67 4-5Flowcardinalitydistributionsfordierentows .................... 82 4-6RegistersharingandvirtualHLLsketch. ....................... 83 4-7PersistentspreadestimationusingV-Bitmapunderdierentmemoryoverhead,witht=10,SNRj=1ands=10000. .......................... 93 4-8PersistentspreadestimationusingV-Bitmapunderdierentmemoryoverhead,witht=10,SNRj=1ands=50000. .......................... 94 4-9PersistentspreadestimationusingVI-HLLunderdierentmemoryoverheadM,witht=10,SNRj=1ands=512. ........................... 95 4-10CompareVI-HLLandV-BitmapunderdierentmemoryoverheadM. ........ 96 4-11EstimationresultsandrelativeerrorsofVI-HLLunderdierentvaluesoft,withM=2MB,SNRj=1ands=512. .......................... 99 4-12EstimationresultsandrelativeerrorsofVI-HLLunderdierentvaluesofSNRj,withM=2MB,t=10ands=512. ........................... 100 4-13EstimationresultsandrelativeerrorsofVI-HLLunderdierentvaluesofs,withM=2MB,t=10andSNRj=1. .......................... 101 10

PAGE 11

AbstractofDissertationPresentedtotheGraduateSchooloftheUniversityofFloridainPartialFulllmentoftheRequirementsfortheDegreeofDoctorofPhilosophyHIGHLYEFFICIENTDATASTRUCTURESANDPROBABILISTICMEASUREMENTMETHODSONBIGNETWORKDATAByYouZhouDecember2017Chair:ShigangChenMajor:ComputerScienceThereishardlyanyotherdatasetwhosesizecanrivalthebignetworkdatathatowsontheInternet.Massiveanddistributeddataareincreasinglyprevalentinmodernnetworks.Performingtracmeasurementonsuchmassive-volumenetworkdataposehugechallenges.Inthisdissertation,weaimtodevelopnewmethodsthatreducethebignetworkdatatomeasurementsummaries,andproposeecienttracmeasurementonbignetworkdata(intheformofsummaries).Westartwiththeproblemofper-owtracmeasurement,whichisafundamentalproblemintheeraofbignetworkdataprovidingcriticalinformationformanypracticalapplicationsincludingcapacityplanning,tracengineering,dataaccounting,resourcemanagement,andscan/intrusiondetectioninmoderncomputernetworks.Itischallengingtodesignhighlycompactdatastructuresforapproximateper-owmeasurements.Weshowthatahighlycompactvirtualcounterarchitecturecanachievefastprocessingspeed(slightlymorethan1memoryaccessperpacket)andprovideaccuratemeasurementresultsundertightmemoryallocation.Extensiveexperimentsbasedonrealnetworktracedatademonstrateitssuperiorperformanceoverthebestexistingwork.Oursecondworkfocusesonper-owtracmeasurementforbignetworkdatastreamoverslidingwindows.Traditionalresearchfocusedonusingcompactdatastructurestoestimateowsizesfromthebeginningofthedatastream(i.e.,landmarkwindowmodel).However,formanyapplications,themostrecentelementsofastreamaremoresignicant 11

PAGE 12

thanthosearrivedlongtimeago.Therefore,weconsidertheslidingwindowmodelandproposetwodierentschemes,ACEandS-ACE,thatapproximateper-owcountingintheslidingwindowofagivensize.Insteadofallocatingaseparateddatastructureforeachow,bothschemesutilizecountersharingideatoreducememoryfootprint,sotheycanbeimplementedinon-chipSRAMinmodernrouterstokeepupwiththelinespeed.WediscoverthatACEhastoresetthewindowperiodicallytogivepreciseestimates.WeapplythesegmentwindowideainS-ACEthatachievespersistentlyaccurateestimates.OursimulationsstudiesandexperimentalevaluationbaseonrealtractracedemonstratethatS-ACEcanachievehighaccuracyevenwithaverytightmemoryspace.Finally,westudytheproblemofpersistentspreadmeasurement,whichistocountthenumberofdistinctelementsthatpersistineachnetworkowforpredenedtimeperiods.Ithasmanypracticalapplicationsincludingdetectinglong-termstealthynetworkactivitiesinthebackgroundofnormal-useractivities,suchasstealthyDDoSattack,stealthynetworkscan,orfakednetworktrend,whichcannotbedetectedbytraditionalowcardinalitymeasurement.Withbignetworkdata,onechallengeistomeasurethepersistentspreadsofamassivenumberofowswithoutincurringtoomuchmemoryoverheadassuchmeasurementmaybeperformedatthelinespeedbynetworkprocessorswithfastbutsmallon-chipmemory.WeproposeahighlycompactVirtualIntersectionHyperLogLog(VI-HLL)architectureforthispurpose.ItachievesfarbettermemoryeciencythanthebestpriorworkofV-Bitmap,andinthemeantimedrasticallyextendsthemeasurementrange.TheoreticalanalysisandextensiveexperimentsdemonstratethatVI-HLLprovidesgoodmeasurementaccuracyeveninverytightmemoryspaceoflessthan1bitperow. 12

PAGE 13

CHAPTER1INTRODUCTION 1.1TracMeasurementandBigNetworkDataThereishardlyanyotherdatasetwhosesizecanrivalthebignetworkdatathatowsontheInternet.Massiveanddistributeddataareincreasinglyprevalentinmodernnetworksashigh-speedroutersforwardpacketsathundredsofgigabitsoreventerabitspersecond.TheannualglobalIPtracisexpectedtopasszettabyteby2016[ 1 ].Bigdataalsohappensatthenetworkedge.Forafewexamples,Googlehandlesover40,000searchquerieseverysecond[ 2 ],and500milliontweetsareproducedperday[ 3 ].Tracmeasurementonbignetworkdatacanprovidecriticalinformationformanypracticalapplicationsincludingcapacityplanning,tracengineering,dataaccounting,resourcemanagement,andscan/intrusiondetectioninmoderncomputernetworks[ 4 { 13 ].Meanwhile,tracmeasurementandclassicationatsuchhighspeedsandwithsuchmassivevolumesposesignicantchallenges[ 10 14 { 25 ].Modernroutersforwardpacketsfromincomingportstooutgoingportsviaswitchingfabricattheextraordinaryspeeds.Tosustainhighthroughput,onlinemodulesfortracmeasurement,packetsscheduling,accesscontrol,andqualityofserviceareoftenimplementedonnetworkprocessors,bypassingmainmemoryandCPUalmostentirely.Tokeepupwiththelinespeedofmodernrouters,thetracmeasurementmoduleshouldminimizetheprocessingtimeperpacket,andneedstobedesignedinhighspeedbutexpensiveon-diememory(suchasSRAM)[ 26 ][ 27 ].However,theon-diememoryinanetworkprocessorissmall,typicallyafewmegabytes,andmayhavetobesharedamongrouting/performance/measurement/securityfunctionsonthesamechip.Hence,ThelimitedSRAMsizeposesmajorchallengefortracmeasurementoverbignetworkdata.Therearepracticalscenarioswithgreatdisparitybetweenmemorydemandandavailability,whichrequiresonlinetracmeasurementtobeimplementedascompactaspossible.Therefore,exactmeasurementofbignetworkdataisofteninfeasibleduetoexcessively 13

PAGE 14

highmemoryrequirementandcomputation/communicationoverhead,whereasapproximateestimationwithprobabilisticguaranteesisaviableoption. 1.2FlowModelMostpaststudyontracmeasurementforbignetworkdatafocusedonmonitoringper-owcardinalities,per-owsizes,andheavyhitters(owsthathavelargesizes),whichsupportnumerousapplicationsastheconceptofowcanbeexiblydened[ 13 28 { 36 ].Inthisdissertation,werefertopacketstreamsatrouters,tracrecordsgeneratedbythenetworkdevices,andapplication-baseddataatnetworkedgeallasnetworkdata.Wemodelnetworkdataasasetofows,eachpresentingadatasubsetdenedbasedonthemeasurementrequirements.Eachowisuniquelyidentiedbyoneormultipleeldsinthepacketheaders,calledowlabel,whichcanbeexiblydenedbasedonapplicationneeds.Asexamples,theowsundermeasurementmaybeper-sourceows(withowlabelbeingthesourceaddress),per-destinationows,TCPows,WWWows,orapplication-specicows.Theelementsundermeasurementcanbedestinationaddresses,sourceaddresses,ports,valuesinotherheaderelds,orevenkeywordsthatappearinpacketpayload. 1.3PerformanceMetricsInthisdissertation,weemploythefollowingthreemetricstoevaluatetheperformanceofourtracmeasurementschemes. 1.3.1ProcessingTimeTheaveragetimerequiredforencodinganelementinaow,particularlymeasuredbytheaveragenumberofmemoryaccessesandthenumberofhashvaluecomputationsasin[ 26 ]and[ 27 ].Inordertokeepupwiththelinespeedofmodernrouters,theprocessingtimeforencodingapacketshouldbemadeassmallaspossible. 1.3.2MemoryRequirementTheminimalmemory(inthesequelmemoryreferstoSRAM)requiredtoachievereasonablysoundmeasurementresultsforthetracmeasurement.Thegreatdisparityinmemorydemandandsupplyrequiresustoimplementascompactaspossibleonlinetrac 14

PAGE 15

measurementmodules.Hencewemainlyfocusonthememoryrequirementforimplementingcompactmeasurementdatastructures. 1.3.3EstimationAccuracyLetnbetheactualmeasurementofaow,and^nbetheestimationresultgivenbythemeasurementscheme.WeevaluatetheestimationaccuracybytherelativebiasBias(^n n)andrelativestandarderrorStdErr(^n n),denedbelowas[ 27 ]: Bias(^n n)=E(^n n))]TJ /F6 11.955 Tf 11.95 0 Td[(1,StdErr(^n n)=r Var(^n n)=p Var(^n) n.(1{1)Clearly,smallervaluesofrelativebiasandrelativestandarderrorrepresentmoreaccuratemeasurementresults.Givenacertainavailablememoryspace,theestimationresultsshouldbemadeasmoreaccurateaspossible. 1.4EcientFlowSizeMeasurementPer-owsizemeasurementoverbignetworkdatastreamconsistingofnumerousowsisafundamentalprobleminnetworktracmeasurement.Ithasmanyimportantapplicationsinvariousdomainssuchasloadbalancing,capacityplanning,resourcefairness,andintrusiondetection.Inageneraldenition,per-owsizemeasurement[ 26 27 37 { 39 ]istocountthenumberofpacketsineachow(orcalledowsize).WemaymeasurethenumberofpacketsineachTCPow,thedatavolumeofeachvoice-over-IPsession,thenumberofbytesthateachhostdownloads,thenumberofSYNpacketssentfromeachsourceaddress,orthenumberofSYN-ACKpacketssenttoeachaddress.Suchper-owdataarehelpfultoprovideimportantinformationforcapacityplanning,tracengineering,andanomalydetectioninmoderncomputernetwork[ 10 11 17 19 40 { 45 ].Forexample,measuringthenumberofSYN-ACKpacketsprovidesameanstodetectSYNattacksorwormscanning[ 43 ][ 11 ].Foranotherexample,Internetserviceprovidercancombinetheper-owtracinformationtoaligntracdistributioninthenetwork,andhelpdiscovernetworktracpatternsandreducethecongestion. 15

PAGE 16

Manyapproaches[ 16 26 27 38 39 42 44 { 46 ]havebeenproposedtoestimateowsizes.Inordertokeepupwiththelinespeedofmodernnetworkdevices(e.g.,routers),theper-owtracmeasurementmoduleneedstobeimplementedinSRAM.GivingonecounterforeachowrequiresmorememorythantheavailablesizeonSRAM.Oneimportantthreadofresearchinthisareaisbasedonsketch.TherepresentativeworkincludesCount-Minsketch[ 16 ],whicharetypicallyoptimizedandhavebeenimplementedinhardware.Althoughthememoryneededtoencodeeachowhasbeengreatlyreduced,whenthenumberofowsareextremelylarge,thememoryrequirementisstillveryhigh.Wepresentanovelcounterarchitectureforper-owtracmeasurementthatcanfurtherimprovethememoryandprocessingtimeeciencyaswellasmeasurementaccuracy.Weintroduceregistersharingtoproposeadesignofvirtualcounters,whereeachowisallocatedavirtualcounterofmultipleregisters,andthesevirtualcountersshareacommonregisterpool.Thevirtualcounterscanachievefarbettermemoryeciencythanpreviousbestapproachesincluding[5][7].WetakeadvantageofournovelvirtualcounterstoproposeahighlycompactandfastcounterarchitecturecalledVirtualHyperLogLogCounter(VHC)forper-owtracmeasurement,whichachievesfasterprocessingtimethanthebeststateofart.Toencodeapacket,VHConlyrequiresslightlymorethan1memoryaccessandcanworkunderatightmemorywherethepreviousbestapproach[ 27 ]doesnotperformwell. 1.5FlowSizeMeasurementoverSlidingWindowsTraditionalresearchfocusedonestimatingowsizesfromthebeginningofthedatastream(i.e.,landmarkwindowmodel).Inthelandmarkmodel,givena\landmark"timepoint,thedataanalysisareonlyonthedatastreamwhichfallsbetweenthelandmarkandthecurrenttimepoint.Whenmoreandmoreelementspassthroughtherouter,thelandmarkwindowrunsoutofcapacity,andhastoresettozeroperiodically[ 47 ].Thisisthemajordisadvantageofthismodel.Formanyreal-timeapplications,themostrecentelementsofastreamaremoresignicantthanthosearrivedlongtimeago[ 48 49 ],whichgivesrisetotheslidingwindowmodel.Forexample,anISPmaymonitorthedatastreamstoidentifytheuserwhosendsmost 16

PAGE 17

packetsinthelasthour.Inthecounterbasedslidingwindowmodel,itremovesanexpiredelementasanewelementarrives,therebyitalwaysmaintainsthemostrecentWelementsinthedatastream.Thisdissertationmainlyfocusesonper-owcounting(i.e.,per-owsizemeasurement)underthisslidingwindowmodel.Toachieveoptimalmemoryeciency,weadoptthecountersharingideatotheslidingwindowmodel,andproposetwonovelper-owcountingschemes,ACEandS-ACE.ThememoryoverheadofACEandS-ACEisthesameasrandomizedcountersharingin[ 26 ],whichisverycompactforhardwareimplementationinrouters.ForACE,weproposeanagingalgorithmtoeliminateoneelementasanewelementcomes.Itissimpleandecient,butrequiresresettingtheslidingwindowperiodicallytogiveaccurateowsizeestimates.Toachievepersistentlyaccurateper-owcountingwithoutperiodicalslidingwindowresetting,weproposeanovelsegmentwindowdesignintheadvancedS-ACEscheme.S-ACEachievestheoptimalprocessingspeed,twomemoryaccessestoencodeoneelement.OurextensivesimulationsaswellasexperimentalevaluationsbasedonrealnetworktractracedemonstratethatS-ACEcanworkinverytightmemoryspacewithhighaccuracy. 1.6EcientPersistentSpreadMeasurementFlowcardinalityestimation[ 29 50 { 52 ]isanotherfundamentalprobleminnetworktracmeasurement.Itestimatesthenumberofdistinctelementsineveryowduringpre-denedmeasurementperiods.Forexample,foreachper-sourceow,ifdestinationaddressesaretreatedaselements,thenaow'scardinalityisthenumberofdistinctdestinationaddressesthattheowsourcehascontacted,whichcanbeusedforscandetection.Existingresearchonowcardinalityestimationmainlyfocusesonanalysingtracsketchesfromonemeasurementperiod,whichisthesummaryoftherawtracdatainthattimeperiod.Sinceonlinestoragecanonlyholdlimitedinformation,thesketchesareusuallyooadedtoaserveraftereachmeasurementperiodforlong-termstorageandoinequery.Westudyanunder-investigatedproblemofanalyzingsketchesacrossmultipleperiodsasshowninFigure 1-1 .Inparticular,weareinterestedinmeasuringthepersistentspreadofeachow, 17

PAGE 18

Figure1-1. Multi-periodanalysisofdatasketches. whichisdenedasthenumberofdistinctelementsthatshowupinanetworkowduringacertainnumberofconsecutivemeasurementperiods.Theobjectiveofthisresearchistoimprovethememoryeciencyandenlargetherangeofpersistentspreadmeasurement,whilekeepinggoodaccuracy.Ourmaincontributionsaresummarizedbelow.First,wedesignahighlyecientpersistentspreadestimatorcalledIntersectionHLL(I-HLL)thatworksovermultiplemeasurementperiods.EveryowisallocatedaseparateHLLsketchofregisterstorecorditscardinalityinameasurementperiod.WeapplyregisterintersectionovertheseriesofHLLsketchesproducedforaowduringagivennumberofmeasurementperiods.WethenemploymaximumlikelihoodestimationtodeveloptheformulaoftheI-HLLestimatorthatcomputesanestimateoftheow'spersistentspread.Weformallyanalyzetheaccuracyoftheestimation,andshowI-HLLhasalargeestimationrange.Second,tofurtherimprovememoryeciency,weintroduceregistersharingontopofI-HLLandproposeahighlycompactVirtualIntersectionHLL(VI-HLL)architecturetomeasurethepersistentspreadsofalargenumberofowssimultaneously.Similarto[ 53 ],eachowisallocatedavirtualHLLsketchofmultipleregisters,andthevirtualHLLsketchesofallowsshareacommonpoolofphysicalregisters.Butunlike[ 53 ]thatmeasuresow 18

PAGE 19

cardinalityinoneperiod,ourVI-HLLdealswithpersistentcardinalityovermultipleperiods.VI-HLLachievesfarbettermemoryeciencyandmuchlargerrangethanthebestexistingwork(V-Bitmap[ 54 ])onpersistentcardinalitymeasurement.Finally,notonlydowemathematicallyanalyzetheestimationaccuracyofVI-HLL,butalsoperformextensiveexperimentstocompareitwithV-Bitmap.TheexperimentalresultsdemonstratethesuperiorperformanceofVI-HLL.Interestingly,itsestimationaccuracyimproveswhenthenumberofmeasurementperiodsincreases. 1.7OutlineoftheDissertationTherestofthisdissertationisorganizedasfollows.Chapter 2 showsahighlycompactvirtualcounterarchitectureforper-owtracmeasurement.Chapter 3 presentstwoschemesforper-owcountingforbignetworkdatastreamoverslidingwindows.Chapter 4 proposesecientpersistentspreadmeasurementforbignetworkdata.Chapter 5 drawstheconclusion. 19

PAGE 20

CHAPTER2HIGHLYCOMPACTVIRTUALCOUNTERSFORPER-FLOWTRAFFICMEASUREMENTTHROUGHREGISTERSHARING 2.1RelatedWorkTokeepupwiththelinespeedofmodernrouters,theper-owmeasurementmoduleshouldminimizetheprocessingtimeperpacket,andneedstobedesignedinhighspeedbutexpensiveon-dieSRAM[ 26 ][ 27 ].ThelimitedSRAMsizeposesmajorchallengeforper-owtracmeasurement.IthasbeendemonstratedthatgivingeachowacounterinSRAMcannotscalefortoday'sbignetworkdata[ 40 ].Inaddition,exactcountingforeachowisalsonotpracticalduetolargememoryandcomputationoverhead.Therefore,approximateestimationthatcanprovideprobabilisticguaranteesbecomestheonlyviableoption.Therepresentativestate-of-artestimationmethodsincludeCounterBraids[ 38 ][ 39 ],randomizedcountersharing[ 26 ],andCounterTree[ 27 ].CounterBraids(CB)[ 38 ][ 39 ]givesaccurateper-owmeasurement.Itreducesmemoryoverheadbysharingcountersamongows.Thecountersarearrangedintwoormorelevels,andeachowismappedtokcountersateverylevel.Whentherearetwolevelsandk=3,CBperforms6(occasionally12)memoryaccessestoencodeonepacket,whichlimitsitsonlinespeed.Lietal.[ 26 ]proposedacountersharingarchitecturecalledrandomizedcountersharing.Eachowisrecordedbyhundredsofcounters,andowssharetheircountersrandomlyfromacommoncounterpool.Ittakes2memoryaccessesand1hashcomputationtoencodeeachpacket.Itsmajordrawbackisthattheestimationrangeislimited[ 27 ].Chenetal.[ 27 ]proposedatwo-dimensionalcountersharingarchitecturecalledCounterTree(CT);notonlydoowssharetheircounters,butthecounterssharetheirhigh-orderbitsbasedonatreestructure.Itachievesbettermemoryeciencythanallpreviouswork.Nevertheless,CTstillrequiresatleast2bitsperowinmemoryconsumptionandslightlymorethan2memoryaccessesperpacketinprocessingtime.OurexperimentsbasedonrealnetworktracedatashowthatCTcannotworkwellunderatightmemoryspace,e.g.,lessthan 20

PAGE 21

Figure2-1. Flowsizedistribution.Eachpointrepresentsthenumber(y-coordinate)ofowsthathaveacertainsize(x-coordinate). 1bitperow.Otherapproachesemployanonlinesamplingmodulewhereeacharrivingpacketissampledwithaprobabilitybeforebeingencodedtoacounter.However,[ 37 ]demonstratesthataggressivesamplingintroducessignicanterror,especiallyforsmall-sizeows. 2.2DesignofVirtualCounters 2.2.1MotivationAccordingtothestudyin[ 55 ],9%oftheowsaccountfor90%oftheInternettrac.Withoutlossofgenerality,weusetherealnetworktracecapturedbythemaingatewayofouruniversityasanexample,whichcontainsabout68millionTCPowsand750millionpackets.TheowsizedistributionisillustratedinFigure 2-1 inlogscale,whereeachpointrepresentsthenumber(y-coordinate)ofowsthathaveaparticularsize(x-coordinate).Clearly,thevastmajorityofowshavesmallsizes,whileonlyasmallnumberofowshavelargesizes.Withalargenumberofows,itisnotadvisabletomaintainonecounterforeachow,giventhelimitedsizeofSRAM.Thereasonisthat,whenwedon'tknowtheowsizesinadvance(whichareinfactwhatwewanttogureout),thesizesofallcountersshouldbesetaccordingtothe`elephant'owsthathavelargeowsizes.Toachievereasonablyaccuratemeasurementresultsfor`elephant'ows,eachcountermayneedtobeaslargeas32bits.Thistranslatestoatotalmemoryconsumptionofasmuchas272MBforthe68millionTCP 21

PAGE 22

Figure2-2. Anillustrationofcountersharing. ows,whichisobviouslynotacceptable.Ifwetakeacloseranalysis,wecanobservethatforthemajorityofowsthathavesmallsizes,thehigh-orderbitsintheircountersareactuallyunder-utilizedasmanyorevenmostofthemremainzeros.Toimprovethememoryeciency,countersharingshouldbeenabledamongtheowstoutilizetheseunusedbits. 2.2.2CounterSharingAcommoncountersharingmechanismisillustratedinFigure 2-2 ,whereeachcellrepresentsabasecounter.Eachowrandomlypicksanumberofbasecountersfromthephysicalcounterarraytoformitsvirtualcounter.Sincethevirtualcountersofallowssharethesamebasecounterpool(physicalcounterarray),largeowscan`borrow'memoryfromsmallowstoutilizetheunder-utilizedbasecounters.Lietat.[ 26 ]adoptthisbasicideatoproposetheircountingarchitecturewithonedimensionalbase-countersharing.However,sincesmallowsdominateallnetworkows,manyhigh-orderbitsofthebasecountersarestillunder-utilized.Ifwereducethenumberofhigh-orderbits,themeasurementrangeisalsoreduced.Toconstructmorecompactbasecounterswhileallowingalargemeasurementrange,Chenetal.[ 27 ]proposeatwo-dimensionalcountersharingidea,whichallowsbasecounterstosharehigh-orderbits.Thememoryeciencyisimproved,butitintroducesmorenoisesamongbasecounters,whichleadstoinaccurateestimationswhenthememoryspaceistight.WewillexplainmoreinSection 2.4 22

PAGE 23

2.2.3RegisterSharingThereisarelatedbranchofresearchformeasuringowcardinality[ 50 { 52 ],whichisdenedasthenumberofdistinctelementscarriedbyaow,whereelementscanbedenedbasedonapplicationneeds.TheHyperLogLog(HLL)sketches[ 52 ]useve-bitregisterswithanestimationrangeofupto109.ArecentworkonvirtualHyperLogLogsketchessharesregistersamongtheowstoreducethememoryconsumption[ 53 ].Wehavetwogoalsinthiswork.First,wewanttoseeiftheideaof[ 53 ]canbeadaptedforanewvirtualHyperLogLogcounterarchitecture(VHC)thatmeasuresowsize(i.e.,numberofpacketsineachow).Second,weperformexperimentstoevaluatehowwellsuchacounterarchitectureperformsincomparisonwiththebestexistingow-sizeestimator. 2.3VirtualHyperLogLogCounterArchitectureInthissection,werstdescribethedesignofaVHCcounterarchitecture,andthenanalyzeitsmeasurementaccuracy.VHCincludesanonlineencodingmoduleandanoineestimationmodule.Theonlineencodingmodulerecordsthepacketstothecounterarchitectureinrealtime,whiletheoineestimationmodulemeasuresthesizesofallowsbasedonthecounterdatarecordedfromonlineencoding. 2.3.1OnlineEncodingIntheonlineencodingmodule,aregisterarrayCofmHLLregistersisusedtostorethepacketinformationofallows.Foranarbitraryowf,wherefistheowlabel,wepseudo-randomlyselectsregistersfromCtologicallyformavirtualcounterCf,anduseCftoencodethepacketsinowf.DenotetheithregisterintheCfasCf[i],0i
PAGE 24

Atthebeginningofeachmeasurementperiod,allregistersinCareinitializedtozeros.Whenapacketarrives,therouterextractsitsowlabelffromitsheader,generatesapseudo-randomnumberqtoselectaregisterCf[qmods]=C[H(fH(qmods))modm],andupdatesthevalueofthisregisterasfollows:Generateanotherpseudo-randombinarynumberq0.Letbetheindexoftheleftmost1inq0.Namely,q0isequaltothenumberofleadingzerosinq0.Forexample,ifq0=001...,then=2.Toupdatethevalueoftheregister,therouterperformsthefollowingHyperLogLogoperation[ 52 ]: C[p]=max)]TJ /F3 11.955 Tf 5.48 -9.69 Td[(C[p],+1,(2{2)wherep=H(fH(qmods))modm.Hence,toencodeapacket,therouteronlyneedstocalculateonehashfunction,generatetwopseudo-randomnumbers,andperformatmosttwomemoryaccesses:readingC[p]andwritingC[p]backifitsvaluechanges.Generally,theprobabilitytoupdatetheregisterC[p]isrelativelysmall(approachingtozero)whenthetotalnumberofpacketsmappedtothisregisterislarge.Therefore,theprocessingtimeforeachpacketwillbeslightlymorethan1memoryaccessonaverage.WewillexplainmoreinSection 2.4.2 withexperimentresults. 2.3.2OineEstimationAttheendofeachmeasurementperiod,theregisterarrayCisooadedtoaserverforlong-termstorageandoinequery.Consideranarbitraryowfunderoinequery.WereconstructitsvirtualcounterCf,whereCf[i]=C[H(fH(i))modm],0i
PAGE 25

TheaveragenoiseperregisteroverthewholearrayCisN)]TJ /F5 7.97 Tf 6.58 0 Td[(n mN m,whereNisthetotalsizeofallows.WecantreatCastheHyperLoglogsketchesthatrecordallNpacketsandthereforeestimatethevalueofNfromCusingtheHyperLogLogformula[ 52 ];let^NbetheestimatedvalueofN.Therefore,wehave es^N m.(2{4)Applying( 2{4 )in( 2{3 ),wehave n^ns)]TJ /F3 11.955 Tf 11.96 0 Td[(s^N m.(2{5) 2.4Experiments 2.4.1ExperimentSetupWeimplementVHCaswellasthestateofartCT,andcomparethemthroughextensiveexperimentsusingrealnetworktractraces.ThenetworktractracesweusewerecollectedbyCisco'NetFlowatthemaingatewayofouruniversity.Theowsintheexperimentscanbeper-sourceows,per-destinationowsandTCPows,whichallleadtothesimilarresults.Withoutlossofgenerality,weuseTCPowsforpresentation.Thenetworktraceweusecontainsabout68millionTCPowsand750millionpackets.Thetracesegmentusedforourexperimentcontains126,569,701packetswhicharegeneratedby11,453,043ows.Theaverageowsizeis11.05packets/ow.TheperformancemetricsinSection 1.3 areusedinourexperimentevaluation,includingper-packetprocessingtime,memoryrequirement,andestimationaccuracy.Weruntwosetsofexperimentstoevaluatethesemetrics.TherstsetisusedtoevaluatetheimpactofmemorysizeonthemeasurementaccuracyofCTandVHC.WevarytheavailablememoryspaceMfrom0.25MB,0.5MB,1MBto2MB,whichtranslatestoapproximately0.2bits/ow,0.4bits/ow,0.8bits/owand1.6bits/ow,respectively.Tomakeafaircomparison,CTandVHCaregiventhesamememoryspacetoprocesstheTCPtractraceineachcase.ForCT,weimplementaCounterTreearchitecturewithdegreexedto3,virtualcountersizexedto100,andnodecountersizexedto4bitsasChenetal.[ 27 ]didintheirexperiments. 25

PAGE 26

Table2-1. ComparisonofprocessingtimebyCTandVHC. memorysize(MB)numberofmemoryaccessesnumberofhashcomputaions CTVHCCTVHC 0.252.131.02110.52.131.031112.121.061122.111.1011 ThesecondsetofexperimentsevaluatestheimpactofthevirtualcountersizesontheperformanceofVHC.WexthememoryspaceM=1MB,andvaryswithdierentvaluestoobserveitsestimationaccuracy. 2.4.2ProcessingTimeIntherstsetofexperiments,werecordtheaveragenumberofmemoryaccessesandhashcomputationsforencodingapacketbyCTandVHC.ThecomparisonresultsarepresentedinTable 2-1 .BothCTandVHConlyneed1hashcomputationforeachpackettoallocateitscorrespondingcounter,whicharequiteecient.Inaddition,CTneedsmorethan2memoryaccessestoencodeapacket.[ 27 ]givesanupperboundofamortizednumberofmemoryaccesses2+1 2b+1,wherebisthesizeofnodecounter.Whenb=4,theupperboundequalsto2.13.Bycontrast,VHConlyrequiresslightlymorethan1memoryaccesstoencodeapacketasshowninthetable.Thisisconsistenttoourpreviousanalysis.RecallfromtheonlineencodingmoduleinSection 2.3.1 ,VHConlyrequires1memoryaccesstoreadthevalueintheregister,andonlyneedstowriteitbackwithaverysmallprobability.Moreover,theaveragenumberofmemoryaccessesofVHCdecreaseswhenlessmemoryareavailablesinceeachregisterissharedbymoreows,whichreducestheupdatingfrequency.Clearly,VHCismoreecientthanCTintermsofprocessingtime. 2.4.3EstimationAccuracyandMemoryOverheadWestudytheestimationaccuracyofCTandVHCwhentheavailablememoryrangesfrom0.25MB,0.5MB,1MBto2MB.TheexperimentresultsofCTandVHCarepresentedin 26

PAGE 27

Figure2-3. EstimationresultsbyCTwhenmemorysizeM=0.25MB,0.5MB,1MB,and2MB. Figure 2-3 andFigure 2-4 ,respectively.EachgureincludesfourplotsunderdierentmemorysizesM.Eachpointineachplotrepresentsaow,wherethexcoordinateistheactualowsizenandtheycoordinateistheestimatedowsize^n.Theequalityline,y=x,isalsoshown.Clearly,thecloserapointistotheequalityline,themoreaccuratetheestimateis.InFigure 2-3 ,therstplotshowswhentheavailablememoryistightM=0.25MB(0.2bit/ow),CTgivesmeaninglessresultsformajorityofows.Asthememorysizeincreases 27

PAGE 28

Figure2-4. EstimationresultsbyVHCwiths=512whenmemorysizeM=0.25MB,0.5MB,1MB,and2MB. from0.25MBto1MBasshowninthesecondandthirdplots,CTbecomesmoreclustered,butstillcannotyieldreasonableestimates.Whentheavailablememoryspaceincreasesto2MB,thefourthplotshowsthepointsareclusteredtotheequalityline,whichindicatesacceptableestimates.Figure 2-4 showstheexperimentresultsofVHC.Clearly,VHCcangenerateveryaccurateestimatesforbothsmallandlargeowsasmostpointscloselyfollowtheequalitylineforallfourplots.Thisistrueevenunderatightmemory,e.g.,M=0.25MB(0.2bit/ow)as 28

PAGE 29

Figure2-5. RelativebiasBias(^n n).Fromlefttoright,memorysizeM=0.25MB,0.5MB,1MB,and2MB. Figure2-6. RelativestandarderrorStdErr(^n n).Fromlefttoright,memorysizeM=0.25MB,0.5MB,1MB,and2MB. therstplotshows.Moreover,throughregistersharing,VHCcaneasilyhandlewidecountingrangeswithoutmodifyingpresetparameters,whichisrequiredby[ 27 ]inordertogeneratesoundmeasurementresultswhenfacingdierenttracsituations.Therefore,VHCprovidesamorerobustandexiblesolutionforreal-lifenetworktracmeasurement.TherelativebiasBias(^n n)andrelativestandarderrorStdErr(^n n)ofCTandVHCaregiveninFigure 2-5 andFigure 2-6 ,eachofwhichincludesfourplotswithadierentsizeofmemoryM.Fromthesetwogures,wecanseethatbothCTandVHCbecomemoreaccuratewhenmorememoryspaceisused.ItisalsoclearthatVHChassmallerrelativebiasandrelativestandarderrorsthanCT,whichdemonstratesVHCisindeedmoreaccuratethanCT. 2.4.4ImpactofValuesOursecondsetofexperimentsstudytheimpactofthevirtualcountersizesontheperformanceofVHC.Wextheavailablememorysizeto1MB,andvarythevalueofsfrom512to128,256to1024.TheresultsarerepresentedinFigure 2-7 .Therstthreeplotsareestimationresultsunders=128,256and1024.Correspondingrelativestandarderrors 29

PAGE 30

Figure2-7. EstimationresultsandrelativestandarderrorsofVHCunderdierentvalueofs.MemorysizeM=1MB. areillustratedinthefourthplot.Clearly,whensisrelativelysmall(s=128),therelativestandarderrorsarelargerthanwhens=256ors=512forlargesizeows.However,whensgetslargeenough(s=1024),theestimationaccuracyforlargesizeowsstabilizes,buttheestimationaccuracyforsmallsizeowsbecomesnoticeablyworse.Combiningthesetwoeects,inpractice,itmaybemoreappropriatetochooseavirtualcountersizeofeither256or512. 30

PAGE 31

2.5SummaryInthiswork,wepresentahighlycompactandfastcounterarchitectureforper-owtracmeasurement,calledVirtualHyperLogLogCounter(VHC),whichachievesfasterprocessingspeed(slightlymorethan1memoryaccessperpacket)andprovidesmoreaccuratemeasurementresultsthanthebestexistingwork.Moreover,VHCperformswellinatightmemoryspace(lessthan1bitperow)whereCTcannolongerwork.ExtensiveexperimentsbasedonrealnetworktracedatademonstratethesuperiorperformanceofVHC. 31

PAGE 32

CHAPTER3PER-FLOWCOUNTINGFORBIGNETWORKDATASTREAMOVERSLIDINGWINDOWS 3.1RelatedWorkNetworkdatastreamsariseinmanyapplicationssuchashigh-speednetworktracmeasurement,Internetdataanalysis,nance,etc[ 10 11 19 37 40 56 ].Per-owcountingoverbignetworkdatastreamconsistingofnumerousowsisafundamentalproblem.Inageneraldenition,per-owcountingistocountthenumberofelementsforeachow,orowsizeinshort.Ithasmanyimportantapplicationsinvariousdomainssuchasloadbalancing,capacityplanning,resourcefairness,andintrusiondetection.Manyapproaches[ 16 26 27 38 39 42 44 { 46 ]havebeenproposedtoestimateowsizes.TherepresentativeworkincludesCount-Minsketch[ 16 ],whicharetypicallyoptimizedandhavebeenimplementedinhardware.Theseapproachescanmainlyanswerpointqueries.Thatis,givenaowlabel,theycanprovideanestimationfortheowsize.Althoughthememoryneededtoencodeeachowhasbeengreatlyreduced,whenthenumberofowsareextremelylarge,thememoryrequirementisstillveryhigh.Tofurtherreducememoryoverhead,betteralternativesarecountersharingmethods[ 26 27 38 39 ].Inparticular,[ 26 ]leveragesacountersharingmechanism,whereallowsshareacommonmemoryspace.Therefore,itcandoper-owcountingforbignetworkdatastreams.Traditionalresearchfocusedonestimatingowsizesfromthebeginningofthedatastream(i.e.,landmarkwindowmodel).Inthelandmarkmodel,givena\landmark"timepoint,thedataanalysisareonlyonthedatastreamwhichfallsbetweenthelandmarkandthecurrenttimepoint.Formanyreal-timeapplications,themostrecentelementsofastreamaremoresignicantthanthosearrivedlongtimeago[ 35 48 49 ],whichgivesrisetotheslidingwindowmodel.Inthecounterbasedslidingwindowmodel,itremovesanexpiredelementasanewelementarrives,therebyitalwaysmaintainsthemostrecentWelementsinthedatastream.Thisworkmainlyfocusesonper-owcountingunderthisslidingwindowmodel. 32

PAGE 33

Dataretal.[ 57 ]rstintroducetheslidingwindowmodelindatastreams,andproposeanexponentialhistogramtoprovideapproximationforbasiccounting.Zhuetal.[ 58 ]subdividetheslidingwindowsequallyintobasicwindowstofacilitatetheecienteliminationofolddata.However,itonlyprovidesaccuratestatistics(e.g.,DiscreteFourierTransform)whenabasicwindowisexpired,andcannotgiveaccurateestimatewhensomeelementsintheoldestbasicwindowareactive.Arasuetal.[ 59 ]studytheproblemofmaintainingcountsandquantilesoverastreamslidingwindow,andtherearesomework[ 60 61 ]toimproveitsperformance.However,theydon'tsupportconstanttimepointqueryandneedtoallocatememorydynamically.Typically,theyneedmorememoryspacethanthelandmarkmodel,whichmakesthemhardtoimplementinhardware.Inthiswork,wetackletheper-owcountingproblemforbignetworkdatastreamoverslidingwindows. 3.2Preliminaries 3.2.1NetworkDataStreamandSlidingWindowsWeconsideranetworkdatastreamSasatimeorderedseriesofelementshe0,e1,e2,...ei,...i,wherethesubscriptisthearrivingsequenceorderindex,calledtimepoint.Forexample,theelementeiispassingbytherouterattimepointi.Eachelementisassociatedwithaowlabelf.Aowfconsistsoftheelementswiththesameowlabelf.Theowlabelcanbeexiblydeneddependingonapplicationcontext.Forexample,theowlabelcanbesourceaddress,destinationaddressorotheruser-denedowidentiers.Aslidingwindow[ 58 ]overanetworkdatastreamSisamulti-setoflastWelementsofthestreampassedbysofar,wherethenonnegativeintegerWiscalleditswindowsize.Therefore,giventhelengthoftheslidingwindowWandthecurrenttimepointt(i.e.,whentheelementetarrived),theslidingwindowmaintainsthemostrecentWelementsinS,hemaxf0,t)]TJ /F5 7.97 Tf 6.58 0 Td[(W+1g,...,eti,whichcanbedenotedbyWin(t,W).AnexampleofslidingwindowswithwindowsizeW=3foranetworkdatastreamisillustratedinFig. 3-1 33

PAGE 34

Figure3-1. AnexampleofslidingwindowswithW=3. 3.2.2ProblemStatementTheproblemwetackleinthisworkistheper-owtracmeasurementoverslidingwindows.Atanytimepointt,weneedtomaintainadatastructureforthelastWelementsWin(t,W)overanetworkdatastreamS.Givenowf,thedatastructurecanbeusedtoreturntheestimatedowsizeoff(i.e.,thenumberofelementswithowlabelf)intheslidingwindowWin(t,W).Thegoalistominimizethememoryrequirementinsuchcontinuouscomputation,aswellastokeepupwiththehigh-speednetworkdatastreamprocessinginrealtime.Clearly,weareonlyinterestedintherecentpast.Itisdesirableifwecanremovetheelementsoutsideaslidingwindow.Ontheonehand,asthenetworkdatainaslidingwindowcontinuouslychangeasnewelementsarrive,itisinfeasibletoremovetheexactoutdatedelementswithoutusingaspaceofO(W).Therefore,onemajorchallengeistodevelopaspace-ecienttechniquetocontinuouslysummarizeadatastreamintheslidingwindowmodel.Ontheotherhand,whenthedatastreamovertheslidingwindowissummarized,welosethetemporalinformationrelatedtotheexpiredelements,whichcausestheaccuracyproblem.Hence,theotherchallengeistomeasureper-owsizeoverslidingwindowswithhighapproximateaccuracy. 34

PAGE 35

3.2.3RandomizedCounterSharingFornetworkdatastreams,Lietal.[ 26 ]proposedanecientper-owtracmeasurementschemecalledrandomizedcountersharing.Thisschemeleveragesacountersharingmechanism,whichisillustratedinFig. 3-2 .Eachowrandomlypicksanumberofcountersfromthephysicalcounterarraytoformitsvirtualcounter.Whenrecodinganelementofaparticularow,itrandomlymapstoacounteroftheow'svirtualcounter,andincreasesthecounterbyone.Toestimatethesizeofaow,itrstaddsupthevaluesofthecountersthattheowismappedto,andthenremovesthenoiseintroducedbyotherows.Sincethevirtualcountersofallowssharethesamecounterpool(physicalcounterarray),largeowscan`borrow'memoryfromsmallowstoutilizetheavailablecounterbits.Thisscheme[ 26 ]canachievereasonablyaccurateresultsforper-owsizeestimationevenunderverytightmemoryspace. Figure3-2. Anillustrationofcountersharing. Thisrandomizedcountersharingschemeworksperfectlyoverthelandmarkwindowmodel,whichmaintainsallelementsinthenetworkdatastreamseensofar.However,intheslidingwindowmodelthatweconsiderinthiswork,onlythelastWelementsareofinterest.TheactualcontentsofmostrecentWelementschangebecausetheoldestelementisremovedwhenanewelementarrives.Thismakestheexistingper-owtracmeasurementbasedonawholedatastreamnottriviallyapplicable. 35

PAGE 36

3.3AgingCounterEstimationoverSlidingWindowsInthissection,weadoptrandomizedcountersharingtotheslidingwindowmodel,andproposeanAgingCounterEstimation(ACE)schemetomeasureper-owtracoverslidingwindows.InourACEscheme,whenanewelementarrives,tomaintainthemostrecentWelementsintheslidingwindow,werstprocessanagingalgorithminthepreviouswindow,whichtriestoremovetheoldestelement,andthenencodethenewelementasdescribedinrandomizedcountersharing.BelowwedescribetheACEschemeindetail.ACEincludesanonlineoperationmoduleandarealtimeestimationmodule.Theonlineoperationmodulerecordsthedatastreamoverslidingwindowtothephysicalcounterarray,whiletherealtimeestimationmoduleanswersqueriesofowsizesbasedondatarecordedfromtheonlineoperationmodule.Werstgiveourdatastructuredesign. 3.3.1VirtualAgingCounterTheowsizeinformationoverslidingwindowisstoredinanagingcounterarrayCofmcounters.TheithcounterinCisdenotedbyC[i],0i
PAGE 37

agingcounterarrayCandvirtualagingcounterCfaredenotedbyCtandCtfattimepointt,respectively. 3.3.2OnlineOperationWhenanelementetarrivesattimepointt,theroutertakestwostepstoprocessthenewelement,anagingstepandanencodingstep.Theagingsteptriestoremovetheoldestelementinthepreviouswindowattimepointt)]TJ /F6 11.955 Tf 12.49 0 Td[(1,andtheencodingsteprecordsthenewelementetinCtoformthecurrentwindow.ThewindowafteronlineoperationofetisdenotedasdWin(t,W).WepointoutthatdWin(t,W)canbeslightlydierentfromtherealwindowWin(t,W)duetotheapproximatedeletionintheagingstep. 3.3.2.1AgingstepTheelementsinthenetworkdatastreamarrivecontinuouslyandexpireafterexactlyWsteps.Therefore,whenthetotalnumberofelementsinthewindowislessthanW(i.e.,t
PAGE 38

counterinCanddecreasesitbyoneifapplicable. Algorithm3.1. AgingAlgorithmInput:agingcounterarrayCt)]TJ /F9 7.97 Tf 6.59 0 Td[(1whichrecordsdWin(t)]TJ /F6 11.955 Tf 11.96 0 Td[(1,W)Result:deleteoneelementinCt)]TJ /F9 7.97 Tf 6.58 0 Td[(1 1: isDeleted=false; 2: whileisDeleted=falsedo 3: selectacounterCt)]TJ /F9 7.97 Tf 6.59 0 Td[(1[r]uniformlyatrandom; 4: ifCt)]TJ /F9 7.97 Tf 6.58 0 Td[(1[r]>0then 5: Ct)]TJ /F9 7.97 Tf 6.59 0 Td[(1[r]=Ct)]TJ /F9 7.97 Tf 6.58 0 Td[(1[r])]TJ /F6 11.955 Tf 11.95 0 Td[(1; 6: isDeleted=true; 7: endif 8: endwhile 3.3.2.2EncodingstepAfterremovingoneelementfromthepreviouswindowdWin(t)]TJ /F6 11.955 Tf 12.45 0 Td[(1,W),therouterthenencodesthenewcomingelementetasfollows.Itrstextractsitsowlabelf,generatesarandomintegerqtoselectacounterCf[qmods]fromowf'svirtualagingcounterCf,andincreasesitbyone.Hence, Ct[p]=Ct)]TJ /F9 7.97 Tf 6.58 0 Td[(1[p]+1,(3{2)wherep=H(fR[qmods])modm.Therefore,withonedeletionandoneinsertion,thecounterarrayCtmaintainsthenewslidingwindowdWin(t,W)withxedsizeW. 3.3.3RealTimeFlowSizeEstimationToanswerthesizeofowfintheslidingwindowunderqueryattimepointt,similartotherandomizedcountersharingschemein[ 26 ],werstaddupthevaluesofitsvirtualagingcounterCf,andthenremovethenoiseintroducedbyotherowsfromthesumPs)]TJ /F9 7.97 Tf 6.59 0 Td[(1i=0Ctf[i].Letntbetheactualsizeofowfattimepointt,and^ntbetheestimatedowsize.Duetocountersharing,eachelementofotherowshasaprobabilityofs mtobeencodedinoneofthe 38

PAGE 39

scountersinowf'svirtualagingcounter,therebytheexpectednoiseinCfiss(W)]TJ /F5 7.97 Tf 6.59 0 Td[(nt) msW m(ntW).Hence,wehaventPs)]TJ /F9 7.97 Tf 6.59 0 Td[(1i=0Ctf[i])]TJ /F5 7.97 Tf 12.18 4.7 Td[(sW m,andtheestimatedsize^ntofowfattimepointtis ^nt=s)]TJ /F9 7.97 Tf 6.59 0 Td[(1Xi=0Ctf[i])]TJ /F3 11.955 Tf 13.15 8.09 Td[(sW m.(3{3) 3.3.4ACEPerformanceAnalysisWhent
PAGE 40

AccordingtoAlgorithm 3.1 ,everycounterhasalmostthesameprobability1 mtobeselectedintheagingstep(theprobabilityforacounterwithzerovalueisverysmall).Hence,theprobabilityforItY=1is P(ItY=1)=s m.(3{8)WithregardtotheindicatorItX,ifet2f(i.e.,It=1),theelementwillbeencodedinCf.Otherwise,ifet=2f(i.e.,It=0),duetocountersharing,theelementcanbemappedtoCfwithaprobabilitys m.SotheprobabilityofItX=1is P(ItX=1)=P(It=1)+s mP(It=0)=)]TJ /F6 11.955 Tf 5.48 -9.68 Td[(1)]TJ /F3 11.955 Tf 15.24 8.09 Td[(s mP(It=1)+s m.(3{9)Combining( 3{6 )( 3{8 )( 3{9 ),theexpectationvalueof^nt)]TJ /F6 11.955 Tf 12.06 0 Td[(^nt)]TJ /F9 7.97 Tf 6.59 0 Td[(1is E(^nt)]TJ /F6 11.955 Tf 12.05 0 Td[(^nt)]TJ /F9 7.97 Tf 6.58 0 Td[(1)=E(ItX))]TJ /F3 11.955 Tf 11.96 0 Td[(E(ItY)=P(ItX=1))]TJ /F14 11.955 Tf 11.95 0 Td[(P(ItY=1)=E(It))]TJ /F3 11.955 Tf 15.23 8.09 Td[(s mE(It).(3{10)Andtheexpectationvalueofnt)]TJ /F3 11.955 Tf 11.96 0 Td[(nt)]TJ /F9 7.97 Tf 6.59 0 Td[(1is E(nt)]TJ /F3 11.955 Tf 11.96 0 Td[(nt)]TJ /F9 7.97 Tf 6.59 0 Td[(1)=E(It))]TJ /F3 11.955 Tf 11.95 0 Td[(E(It).(3{11)Therefore,wehave E(nt)]TJ /F3 11.955 Tf 11.95 0 Td[(nt)]TJ /F9 7.97 Tf 6.58 0 Td[(1))]TJ /F3 11.955 Tf 11.96 0 Td[(E(^nt)]TJ /F6 11.955 Tf 12.05 0 Td[(^nt)]TJ /F9 7.97 Tf 6.58 0 Td[(1)=s mE(It))]TJ /F3 11.955 Tf 11.95 0 Td[(E(It).(3{12)WendtheestimatedowsizesformaMarkovchain.Fromtheequationabove,whenderiving^ntfrom^nt)]TJ /F9 7.97 Tf 6.59 0 Td[(1,theACEschemewillintroduceasmallerror.Forexample,whenE(It)=E(It)suchthatE(^nt)]TJ /F6 11.955 Tf 12.26 0 Td[(^nt)]TJ /F9 7.97 Tf 6.59 0 Td[(1)>E(nt)]TJ /F3 11.955 Tf 12.16 0 Td[(nt)]TJ /F9 7.97 Tf 6.59 0 Td[(1),theestimateswillhavepositivebias.Therefore,theestimationaccuracyofACEdecreaseswhentincreases.ItmayworknewhentisslightlylargerthanW.However,astbecomeslarge(e.g.,t>2W),theslidingwindow 40

PAGE 41

Figure3-3. Anillustrationofsegmentwindowdesign. accumulatesmanyexpiredelements,whichintroducesmorenoiseinthesizeestimation,andmakesACEnolongeraccurate.ThistrendcanalsobeobservedinthesimulationresultsinSection 3.5 .OnewaytosolvethisproblemistoresetthemeasurementwindowafteraperiodoftimeT(T>W).However,whenTissettoosmall(slightlylargerthanW),thewindowisresettoooftensuchthattheslidingwindowmodelisbroken.IfwechoosealargeT,thenACEcannotprovideaccurateestimationsintheend.Hence,thechallengeishowtomaintaintheslidingwindowmodelandprovidepersistentlyaccurateowsizeestimatesforrealtimequeries. 3.4SegmentAgingCounterEstimationoverSlidingWindows 3.4.1SegmentDesignThepreviousdesignusingonedatasynopsis(oneagingcounterarrayC)dropstheorderinformationofallelements,therebyitcannotprovidepersistentlyaccurateowsizeestimatesintheslidingwindowmodel.Inthissection,weproposeanovelsegmentdesignasillustratedinFig. 3-3 ,whereweusemultipledatasynopsestostoretheelementsarrivingindierentwindowsegments.Thisdesignmaintainstherelativeorderbetweenthewindowsegmentswiththeirdatasynopses.Forexample,theelementsinleftwindowsegmentsarrivedearlierthanthoseintherightwindowsegmentsinFig. 3-3 41

PAGE 42

Eventhoughwestillcannotdistinguishtheorderwithineachwindowsegment,thisdesignsignicantlyimprovestheprobabilitytodeletethecorrectoutdatedelements.Theideaistoalwaysinsertnewelementinthenewestwindowsegmentcalled\headsegment",anddeleteoldelementintheoldestwindowsegmentcalled\tailsegment".Forexample,supposethenumberofsegmentsis100.Sincetheexpiredelementmustbeinthetailsegment,wecanlteroutatleast99%elementsinthecurrentslidingwindow.Moreover,whenallelementsinthetailsegmentareexpired,anewsegmentwindowisfullyconstructedasthenewheadsegmentandnoagingerrorexists.Wereachatimepointthatallelementsinthecurrentslidingwindowarecorrectandtheresethappensautomaticallywithoutbreakingtheslidingwindowmodel.Therefore,thisdesigncanprovidepersistentlyaccurateowsizeestimatesforrealtimequeries.However,therearestillsometechnicalchallengesinmakingoursegmentdesignusable.Forexample,whenanewelementarrives,howdoweperformtheagingstepinthetailsegmentandtheencodingstepintheheadsegment?Howtoanswerper-owcountingqueriesinrealtime?Infact,sincethesesegmentwindowsanddatasynopsesareseparateindatastructure,itisstillunclearwhetherornotwecancombinethemtodotheper-owcounting.Anotherchallengeishowtodesignanecientdatastructuretorecyclethememorywithoutallocatingnewmemoryforeachnewsegment.Whenallelementsinasegmentareexpired,wedon'twanttosimplydeleteitaswemightbeabletoreuseittostorenewcomingelements.Toanswerthesequestions,weproposeouradvancedSegmentAgingCounterEstimation(S-ACE)scheme.Belowwerstgiveourdatastructurewithsegmentdesign. 3.4.2SegmentAgingCounterThephysicalagingcounterBisdividedinto(l+1)segments,eachofwhichiscalledasegmentagingcounter.TheithsegmentisdenotedasB[i],0il.SupposethesizeofBisMandeachcounterisallocatedwithbbits,theneachsegmenthasm0=bM b(l+1)ccounters.ThejthcounterinB[i]isdenotedasB[i][j],0j
PAGE 43

Figure3-4. Anexampleofmemoryreuse. fortheheadsegmentandthetailsegmentwhentW.Thisisbecausethetailsegmentiseliminatingtheoldestelementsandtheheadsegmentisunderconstructionwithnewestelements.ButthesumoftheelementsinthesetwosegmentsisalsoW l,therebythetotalnumberofelementsintheslidingwindowisW.Eachsegmentagingcounterencodesthedataofawindowsegment,anditsdatastructureispresentedinSection 3.3.1 .ConsideranarbitraryowfconstructingitsvirtualagingcounterBf[i]intheithsegmentB[i],0il,whichcontainsscounters.Wepseudo-randomlyselectscountersfromB[i]toformit.Thej-thcounterofBf[i],denotedasBf[i][j],ischosenfromsegmentB[i]asfollows, Bf[i][j]=B[i][H(fR[i][j])modm0],0j
PAGE 44

isfull(recordedW lelements),forthenewcomingelements,weneedanewsegment,whichbecomesthenewheadsegment.Ifweallocatenewmemoryspaceforthenewsegment,thememoryoverheadwillincreaseovertime,whichisnotacceptable.Recallthattheelementsinthetailsegmentareallexpiredwhentheheadsegmentisfull.Hence,wecanresetthetailsegment,andreuseitasthenewheadsegment.Inthiscase,theprevioussecondoldestsegmentbecomesthenewtailsegment.Mathematically,wecancalculatethat,attimepointt,thesegmentagingcounterindexHoftheheadsegmentis H=t W=lmod(l+1),(3{14)andtheindexTofthetailsegmentis T=8>><>>:0t
PAGE 45

3.4.3.1\Virtual"agingstepClearly,whent
PAGE 46

counterBf[H]intheheadsegmentB[H],andincreasesitbyone.Hence, Btf[H][Q]=Bt)]TJ /F9 7.97 Tf 6.58 0 Td[(1f[H][Q]+1,(3{16)whereHisgivenby( 3{14 ).WhentWand(t+1)mod(W l)=0,therouterresetsthetailsegmentB[T],whereTisgivenby( 3{15 ),sinceallelementsinthissegmentwindowareexpired. 3.4.4RealTimeFlowSizeEstimationToanswerthesizeofaowfintheslidingwindowunderqueryattimepointt,similartoACE,werstaddupthevaluesofitsvirtualsegmentagingcountersinallsegments,andthensubtractthenoiseintroducedbyotherowsandtheproportionalexpiredelementsneinBtffromthesumPli=0Ps)]TJ /F9 7.97 Tf 6.59 0 Td[(1j=0Btf[i][j].Clearly,theexpectednoiseinBtfiss(W)]TJ /F5 7.97 Tf 6.59 0 Td[(nt) m0,sinceineachwindowsegment,eachelementofotherowshasaprobabilityofs m0tobeencodedinoneofthescountersinBtf.Inaddition,accordingtoourproportionalagingalgorithm,neisPs)]TJ /F9 7.97 Tf 6.59 0 Td[(1j=0((t+1)mod(W l))Btf[T][j] W=l.Therefore,wehave ntlXi=0s)]TJ /F9 7.97 Tf 6.59 0 Td[(1Xj=0Btf[i][j])]TJ /F3 11.955 Tf 13.15 8.09 Td[(s(W)]TJ /F3 11.955 Tf 11.95 0 Td[(nt) m0)]TJ /F5 7.97 Tf 13.05 14.94 Td[(s)]TJ /F9 7.97 Tf 6.59 0 Td[(1Xj=0)]TJ /F6 11.955 Tf 5.48 -9.69 Td[((t+1)mod(W l)Btf[T][j] W=l.(3{17)Hence,theestimatedsize^ntofowfattimepointtis ^nt=m0 m0)]TJ /F3 11.955 Tf 11.96 0 Td[(slXi=0s)]TJ /F9 7.97 Tf 6.58 0 Td[(1Xj=0Btf[i][j])]TJ /F3 11.955 Tf 20.59 8.09 Td[(sW m0)]TJ /F3 11.955 Tf 11.96 0 Td[(s)]TJ /F3 11.955 Tf 13.15 8.85 Td[(lm0)]TJ /F6 11.955 Tf 5.48 -9.68 Td[((t+1)mod(W l) (m0)]TJ /F3 11.955 Tf 11.96 0 Td[(s)Ws)]TJ /F9 7.97 Tf 6.59 0 Td[(1Xj=0Btf[T][j].(3{18) 3.4.5S-ACEPerformanceAnalysisWhent
PAGE 47

arrivalelementetisrecordedinthevirtualagingcountervectorBf[H]ofowf.Atthetimepointt)]TJ /F6 11.955 Tf 11.96 0 Td[(1,theestimatedowsizeoffis ^nt)]TJ /F9 7.97 Tf 6.58 0 Td[(1=m0 m0)]TJ /F3 11.955 Tf 11.96 0 Td[(slXi=0s)]TJ /F9 7.97 Tf 6.58 0 Td[(1Xj=0Bt)]TJ /F9 7.97 Tf 6.58 0 Td[(1f[i][j])]TJ /F3 11.955 Tf 20.59 8.08 Td[(sW m0)]TJ /F3 11.955 Tf 11.96 0 Td[(s)]TJ /F3 11.955 Tf 13.15 8.84 Td[(lm0)]TJ /F3 11.955 Tf 5.48 -9.69 Td[(tmod(W l) (m0)]TJ /F3 11.955 Tf 11.95 0 Td[(s)Ws)]TJ /F9 7.97 Tf 6.59 0 Td[(1Xj=0Bt)]TJ /F9 7.97 Tf 6.59 0 Td[(1f[T][j].(3{19)NotethatthenewelementetwillbeencodedintheheadsegmentB[H],thecountersinothersegmentremainthesamevalue.ThatisBt)]TJ /F9 7.97 Tf 6.58 0 Td[(1f[i]=Btf[i],i2[0,l],i6=H.Combining( 3{18 )withW
PAGE 48

RecallthatItistheindicatorofwhethertheexpiredelementattimepointtcomesfromowf.Theexpectationvalueofnt)]TJ /F3 11.955 Tf 11.95 0 Td[(nt)]TJ /F9 7.97 Tf 6.59 0 Td[(1is E(nt)]TJ /F3 11.955 Tf 11.96 0 Td[(nt)]TJ /F9 7.97 Tf 6.59 0 Td[(1)=E(It))]TJ /F3 11.955 Tf 11.95 0 Td[(E(It).(3{24)whenderiving^ntfrom^nt)]TJ /F9 7.97 Tf 6.58 0 Td[(1,S-ACEwillintroducesomeerror.Butwhenthearrivingorderofelementsfromeachowisevenlydistributed,theprobabilityforanelementofowftobeexpiredislntT W.Sotheerrorwillbeverysmall,whichwillbedemonstratedinthesimulationresultsinSection 3.5 .Moreover,WhentWand(t+1)mod(W l)=0,weresetthetailsegmentsinceallelementsinthissegmentwindowareexpired.ThecurrentwindowdWin(t,W)isthesameasrealwindowWin(t,W)suchthatS-ACEcanprovideaccurateestimatesas[ 26 ]inthelandmarkwindowmodel.Insummary,thisdesigncanprovidepersistentaccurateowsizeestimatesforrealtimequeries. 3.5SimulationStudiesInthissection,wepresentsimulationstudiesthatjustifytheperformanceanalysisofACEandS-ACE.Wecomparebothschemesintermsofprocessingtime,memoryeciencyandestimationaccuracyoverthesimulateddataasillustratedinSection 1.3 3.5.1SimulationSetupThedatasetweusetoevaluateourschemesis20simulatedtracesof107elements,generatedwithaZipfdistribution[ 62 ]ofskew1,overadomainof106possibleows.WerefertothisdatasetasZipf-1.Hence,thesimulationhas20repeatedruns,andweprovidethemeanresultsovertheseruns.ThewindowsizeWinallsimulationsis106.Wemeasurethenetworkdatastreamamong2windows.Weskiptherstwindowwhereallalgorithmsbasedonlandmarkwindowmodelcanworkne,andfocusontheperformancewhentW,wheretheslidingwindowmodelisworking.Weruntwosimulationsetstoevaluateourschemes.TherstsetofoursimulationsisusedtocompareACEandS-ACE.Weallocatethesamesizeofmemoryforbothschemes,andevaluatetheimpactofmemorysizeontheirperformance.Wevarytheavailablememoryspace 48

PAGE 49

Table3-1. ComparisonofprocessingtimebyACEandS-ACE. memoryoverhead(MB)numberofmemoryaccessesnumberofhashcomputaions ACES-ACEACES-ACE 0.253.552110.54.1821115.4521127.98211 Mfrom0.5MB,1MBto2MB.ForACE,accordingtorandomizedcountersharing[ 26 ],wesetthesizesofthevirtualagingcounterofeachowto100.ForS-ACE,wesetthenumberofsegmentwindowstol+1=101,andthesizesofvirtualagingcounterineachsegmentto16.ThesecondsetofoursimulationsevaluatestheimpactoftheagingstepinS-ACEwithregardtothemeasurementaccuracy. 3.5.2S-ACEv.s.ACE 3.5.2.1ProcessingtimeWerstcompareACEandS-ACEintermsofprocessingtime.Ineachsimulationrun,werecordtheaveragenumberofmemoryaccessesandhashcomputationsformaintainingtheslidingwindowwhenanewelementcomes.Theaverageresultsof20runsarepresentedinTable 3-1 .Bothschemesonlyneed1hashcomputationforeachpackettolocateitscorrespondingcounter.Inaddition,duetotheagingstep,ACEneedsmorethan3memoryaccessesinonlineoperation.Bycontrast,S-ACEonlyrequires2memoryaccesses.Moreover,theaveragenumberofmemoryaccessesofACEdecreaseswhenthememoryspaceisreduced.ThisisbecauseACEhaslessprobabilitytohitcounterwithvaluezerointheagingstepwhenlessmemoryareavailable.Clearly,S-ACEismoreecientthanACEintermsofprocessingtime. 3.5.2.2MemoryoverheadandestimationaccuracyWecomparetheestimationaccuracyofACEandS-ACEunderdierentavailablememoryspacewithregardtotherelativebiasandrelativestandarderror.Becausetherearetoofew 49

PAGE 50

AMemoryspaceM=0.5MB BMemoryspaceM=1MB CMemoryspaceM=2MBFigure3-5. RelativebiasofACEwhenM=0.5MB,1MB,and2MB 50

PAGE 51

AMemoryspaceM=0.5MB BMemoryspaceM=1MB CMemoryspaceM=2MBFigure3-6. RelativestandarderrorofACEwhenM=0.5MB,1MB,and2MB 51

PAGE 52

AMemoryspaceM=0.5MB BMemoryspaceM=1MB CMemoryspaceM=2MBFigure3-7. RelativebiasofS-ACEwhenM=0.5MB,1MB,and2MB 52

PAGE 53

AMemoryspaceM=0.5MB BMemoryspaceM=1MB CMemoryspaceM=2MBFigure3-8. RelativestandarderrorofS-ACEwhenM=0.5MB,1MB,and2MB 53

PAGE 54

owsforsomeowsizes,wecomputetherelativebiasandrelativestandarderrorbydividingtheowsizeaxisintomeasurementbins.WerststudytheestimationaccuracyofACE.TherelativebiasandrelativestandarderrorofACEarepresentedinFigure 3-5 andFigure 3-6 ,respectively.Eachgurecontains3plots,whoseavailablememoryrangesfrom0.5MB,1MBto2MB,fromlefttoright.Ineachplot,thex-coordinateisthetrueowsizen,y-coordinateisthetimepointt,andthez-coordinateistherelativebiasinFigure 3-5 orrelativestandarderrorinFigure 3-6 .WhenM=0.5MB,thesimulationresultsareshowninFigure 3-5A andFigure 3-6A .Wecanseethattherelativebiasandrelativestandarderrorincreaseasthetimepointtgrows.Hence,theACEschemecanonlyworkforalimitedtime,asityieldsnon-reasonableestimateswhentislarge(e.g.,t=2W).Thesametrendsareobservedinotherplots.AlthoughtheACEschemebecomesmoreaccuratewhentheavailablememoryspaceincreases,itstillcannotworkwellastincreases.ThesimulationresultsofS-ACEarepresentedinFigure 3-7 andFigure 3-8 .Whent=W(noelementisexpired),S-ACEcanprovideaccurateestimatesforallowsevenunderatightmemoryspace,e.g.,M=0.5MB.Moreover,asillustratedinFigure 3-7A andFigure 3-8A ,astimepassesby,therelativebiasandrelativestandarderrorarestabilized,andS-ACEyieldsaccuratemeasurement.Hence,S-ACEcanworkpersistentlywellinslidingwindowmodel.Also,whenMincreases,S-ACEgivesmoreaccurateestimates.Insummary,theACEschemecanonlyworkforshorttermtracmeasurementoverslidingwindowmodel.Asmentionedbefore,itneedstoresetthetimepointto0whenitcannolongerprovideaccurateresults,suchthattheslidingwindowmodelisbroken.Bycontrast,theS-ACEschemeperformspersistentlywell,therebyitsuitesforlongtermtracmeasurementovertheslidingwindowmodel. 3.5.3AgingStepinS-ACEOursegmentdesignmaintainstherelativeorderbetweenthewindowsegments.WhenanewwindowsegmentisfullyconstructedbyW lelements,wesimplyremovetheexpired 54

PAGE 55

Figure3-9. RelativebiasBias(^n n)withdierentagingpercentage. windowsegmentwithouterrorsinceallelementsinthesegmentareexpired.However,whenthenewwindowsegmentisunderconstruct(lessthanW lisencoded),theagingstepisproportionallyapproximated.Weusesimulationstojustifythisapproximationwithinthewindowsegment.Wesetthememoryspaceto1MB,thenumberofsegmentwindowsto101,andthesizesofvirtualcountervectorineachsegmentto16.Eachsegmentwindowcontainsupto104elements.WesampletheS-ACEestimationseachtimewhen2000elementsarerecorded,andcomputetheirestimationbiasanderror.Therefore,thesamplesaredividedto5categorieswith0%,20%,40%,60%and80%expiredelementsinthesegment,whicharedenotedby0%aging,20%aging,40%aging,60%agingand80%aging.Notethat100%agingpercentageisequivalenttothecaseof0%agingpercentage. 55

PAGE 56

Figure3-10. RelativestandarderrorStdErr(^n n)withdierentagingpercentage. TherelativebiasandrelativestandarderrorofthesecategorieswithdierentagingpercentagesarepresentedinFigure 3-9 andFigure 3-10 .Fromthegures,onecanseethattheestimationaccuracystaysroughlythesamenomatterhowmuchtheagingpercentageis,andtheagingprocessinS-ACEdoesnotintroducemucherrorwhenthenumberofsegmentwindowsislarge(e.g.,101). 3.6ExperimentalEvaluationWenowevaluatetheS-ACEschemebasedonrealnetworkdatastream.ThedataweuseistheCAIDAanonymizedInternetTrace2015[ 63 ],whichcontains30106packets.Theparametersaresetasfollows:W=106,M=1MB,l=100,ands=16.TheestimationresultsinshorttimeintervalandlongtimeintervalaregiveninFigure 3-11 andFigure 3-12 ,respectively.Eachgureincludes5plots,eachrepresentingtheper-owcountingresultsinadierenttimepointt.Eachpointineachplotrepresents 56

PAGE 57

Figure3-11. Per-owcountingusingS-ACEinshorttimeinterval. aow.Itsx-coordinateistheactualowsizen,andy-coordinateistheestimatedowsize^n.Theequalityline(y=x)isgivenforreference.Thecloserapointistotheequalityline,themoreaccuratetheestimationis.Clearly,S-ACEprovidesveryaccurateestimatesinbothsituations.Wethenstudytherealtimequeryontherealdatastream.Wequery3owsinthetimepointintervalfrom107to1.1107.ThecorrespondingresultsareillustratedinFigure 3-13 .Takeaowwithsourceaddress192.205.38.168anddestinationaddress133.32.39.30asanexample.Theresultsofthisowareshownintherstplot.Thetruesizeincreasesastgrows.TheestimatesofS-ACEhasthesametrendwithsmallestimationerrors.Similarly,theestimatedowsizescloselyfollowtheiractualsizesfortheothertwoows,asshowninthesecondplot(sourceaddress100.120.47.9,destinationaddress215.158.65.254)andthirdplot(sourceaddress30.196.59.77,destinationaddress92.168.216.18).Wendthattherelative 57

PAGE 58

Figure3-12. Per-owcountingusingS-ACEinlongtimeinterval. Figure3-13. S-ACEestimatesoffourowsfortimepointtbetween107and1.1107. 58

PAGE 59

standarderrorsforsmallowsarerelativelyhigher,butS-ACEisstillusefulsincetheabsoluteerrorsforsmallowsaremuchsmallerthanthoseoflargeones. 3.7SummaryInthischapter,weproposetwoschemes,ACEandS-ACE,forper-owcountinginbignetworkdatastreamovertheslidingwindowmodel.Bothschemesleveragethecountersharingidea,andgreatlyreducethememoryoverhead.ACEhastoresetthewindowperiodicallytogivepreciseestimates,whileS-ACEcanachievepersistentlyaccurateestimatesviaanovelsegmentwindowdesign.ExtensivesimulationsaswellasexperimentalevaluationsbasedonrealnetworktracedatademonstratethesuperiorperformanceofS-ACE. 59

PAGE 60

CHAPTER4PERSISTENTSPREADMEASUREMENTFORBIGNETWORKDATABASEDONREGISTERINTERSECTION 4.1PracticalImportancePersistentspreadmeasurementhasmanypracticalapplications.Traditionalsuper-spreaderdetectionistoidentifythe\elephant"owswhosecardinalitiesareabnormallylarge,andcanbeappliedtomonitoringnetworkanomalies.Forinstance,scannersmaybeidentiediftheysendprobestotoomanydestinationaddresses,i.e.,thecardinalitiesofper-sourceowsarelarge.Buttherearepracticalscenarioswhereowcardinalityaloneisinadequate|astealthyscannermayintentionallyreduceitsprobingratetoreduceitsowcardinalityinordertoevadedetection.Evenwithareducedprobingrate,aftersucienttime,thescannercanstilldiscoversystemswithvulnerabilitytoexploit.Inthiscase,measuringpersistentspreadcanhelpidentifysuchstealthyscanners.Asascannerprobesdierentdestinationaddressesovertime,itspersistentspreadiszeroorlow;ifascannerdeliberatelyrepeatedmanyofthesamedestinations,itwouldsignicantlyslowdownthealreadysmallscanningrate.Therefore,modestowcardinalitybutusuallylowpersistentspreadhelpssignalalow-ratescannerthatwandersinthedestinationaddressspace.Inthesecondexample,DDoSattacksmaybeidentiedifunusuallymanyclientssendrequeststoaserver,i.e.,thecardinalityofaper-destinationowistoohigh.However,withasmallernumberofavailableattackingmachines,astealthyDDoSattackdoesnotattempttooverwhelmthetargetserverwithexcessiverequests,buttodegradeitsperformance[ 64 ].Ifthenumberofattackingmachinesissimilartothenumberoflegitimateusers,wewillnotobserveunusualowcardinalities.Again,measuringpersistentowcardinalitymayhelp.Accordingtothestudy[ 54 ]ofreal-worldnetworktracesfromCAIDA[ 63 ],thecontinuousinteractionbetweenlegitimateusersandtheirtargetserversisnormallyshorterthantwentyminutes.Forattackers,sincetheirgoalistodegradetheperformanceofthetargetserveroveralongperiod,thesehostilemachineswillsendrequestspersistentlytothetargetserver,resultinginasignicantpersistentcardinalityovertimethatishigherthanusual. 60

PAGE 61

Figure4-1. StealthyDDoSattack. Persistentspreadmeasurementalsohasapplicationsatthenetworkedge(e.g.,websearchandsocialmedia).TakeGoogletrendsasanexample.IfGoogletreatsallclientIPsthatqueryakeywordasaow,thecardinalityoftheowsuggeststhepopularityofthekeywordbeingsearched.However,asignicantnumberofcolludingmachineswithdierentIPaddressescanperiodicallyquerythesamekeywords,andmakethesekeywordspopularinGoogletrendsastheywish.Sincenormaluserstypicallydonotquerythesamekeywordsperiodicallyforalongtime,persistentspreadmeasurementcanhelpdetectsuchlong-termsearchpatterns,wherealargesetofIPskeepqueryingthesamekeywordsovermultipleperiods.Besidesdetectingfakedpopularity,ourworkmayserveasageneralizedprimitivetoolfordetectinghiddenactivitiesthatmanifestonlyoverlongtime. 4.2PriorArtandChallengesMostpreviousworkfocusesontracsketchesofonemeasurementperiod.Todealwithalargenumberofows,aseriesofsketchesweredevelopedtoreducemassiverawdatatoasummaryofper-owcardinalitiesduringonlinemeasurement.ThesesolutionsincludePCSA[ 50 ],Multi-ResolutionBitmap[ 29 ],LogLog[ 51 ],andHyperLogLog(HLL)[ 36 52 ].Theprincipleistoallocateaseparatedatastructure,containingacertainnumberofbitmaps,registersorotherelementarydatastructures,toeachowforrecordingitselements.Overthepastdecades,amajorresearchthrustistoreducethesketches'memoryfootprint.Butithas 61

PAGE 62

beenadicultundertakingwithslowprogress.Forinstance,per-owmemoryrequirementforcardinalitymeasurementwasreducedfromthousandsofbitstohundredsofbitsbyHLL[ 52 ],whichensuresalargemeasurementrangewithgoodaccuracy.However,astheInternetentersthebig-dataera,hundredsofbitsperowcanstillbetoomuchwhentherearetoomanyows.Anexampleismodernhigh-speedrouters,whichforwardpacketsfromincomingportstooutgoingportsviaswitchingfabricattheextraordinaryspeeds.Tosustainhighthroughput,onlinemodulesforpacketscheduling,accesscontrol,qualityofserviceandtracmeasurementareoftenimplementedonnetworkprocessors,bypassingmainmemoryandCPUalmostentirely.Theon-diememory(suchasSRAM)inanetworkprocessorisfastbutsmall,andmayhavetobesharedbymultiplefunctions.Therefore,itishighlydesirabletoimplementthesefunctionsascompactaspossible.Asthisworkfocusesonpersistentcardinalitymeasurement,wewanttopushitsmemoryusagetoanunprecedentedlowlevel,inordertosavespaceforotherfunctionsonthesamechip.Inanotherexample,supposeaweb-searchanalystwantstoprole,foreachkeyword(phrase,questionorsentence),thenumberofdistinctusersthathavesearchedthekeyword.Thisinformationisusefulinonlinesocial/economical/opiniontrendstudiesoroptimizingsearchperformance[ 65 ].Aswehavediscussedearlier,persistentspreadmeasurementcanbeusedtodetectfakedpopularity.However,sincethenumberofows(oneowperkeyword,phrase,questionorsentence)canbeinmanybillions,itpresentsachallengeincomputationalresources,andmemoryinparticular.Insteadofusinganexpensiveandpowerfulserver,ifwecandrasticallyreducetheresourcerequirement,wemaybeabletorunsuchanalysisonacheapcommoditycomputer,whichisawelcomeresultwhenhigh-endmachinesarenotreadilyavailable.Tosumup,therearepracticalscenarioswithgreatdisparitybetweenmemorydemandandavailability,whichrequiresonlinecardinalitymeasurementtobeimplementedascompactaspossible.Moreover,thedesignofameasurementfunctionshouldalsoensurereasonable 62

PAGE 63

accuracywithalargemeasurementrangethatsupports\elephant"owswithveryhighpersistentcardinalities.Tothebestofourknowledge,littleresearchworkonpersistentspreadmeasurementexistsinliterature.Chenetal.[ 66 ]proposeacontinuousvariantofFlajolet-Martinsketchesadaptedfrom[ 50 ],whichhowevercannotgiveaccurateresultswhentheavailablememoryspaceistight[ 54 ].Xiaoetal.[ 54 ]designabitsharingarchitecturecalledmulti-virtualbitmaps,whichstoreaow'sinformationinavirtualbitmapduringeachmeasurementperiodandanalyzesthebitmapsfrommultipleperiodstondpersistentcardinality.Themajordrawbackisthatthemeasurementrangeofbitmapsisverysmallandnomorethanafewthousandsforatypicalimplementation. 4.3ProblemStatementConsiderthepacketstreamarrivingatarouter(orrewall)insideahigh-speednetworkortheapplicationrecordsproducedbyaserver(e.g.,websearch)atthenetworkedge.Wemodelbothtypesofnetworkdataasasequenceofhowlabel,elementipairsinourabstraction.Basedontheowlabels,thesequenceofpairsareclassiedintodierentows.Forthepacketstreamasexample,ifwewanttomeasurethenumberofdistinctsourcesthathavecontactedeachdestination,weabstracteverypacketasapairofdestinationaddressandsourceaddress,whichcanbothbeextractedfromthepacketheader.Allpairs(i.e.,packets)withthesamedestinationaddress(i.e.,owlabel)constituteaow.Intheexampleofwebsearch,eachsearchrecordisabstractedasapairofkeywordandsourceaddress(fromwhichthesearchrequestisreceived).Allpairswiththesamekeywordaretreatedasaow.Weareinterestedinmeasuringelementsthatkeepshowingupovertimeineachow.Theissueishowtoquantitativelydenethepersistencyof\keepshowingupovertime".Considerthetraditionaldenitionofowcardinality(orspread)measurement[ 29 50 { 52 ],whichistondthenumberofdistinctelementsineachowduringacertaintimeframe[0,T].Thisdenitiondoesnotcapturethepropertyofpersistency.Weillustrateitthroughanexampleofmeasuringthenumberofdistinctsourcesthathavecontactedeach 63

PAGE 64

destination,whereallpacketstothesamedestinationformaper-destinationow.Supposeonemilliondierentsourcescontactedadestinationduringaday.Thecardinalityofthisper-destinationowisonemillion.Butifallthesourcescontactedthedestinationintherst10minutesandnocontactwasmadefortherestoftheday,wecannotsaythesesources\keptcontacting"thedestinationfortheday.Thepersistentspreadiszerointhiscase.Toformulatingpersistency,onewayistodividethedayintomeasurementperiodsof10minuteseach.Ifwendthat1000sourcesoutofthemillionwerepresentineachperiod,theywerethepersistentelementsthatwewanttomeasure.Theremainingelementsthatshoweduponlyintherstperiodwerenotpersistent.Sothepersistentspreadis1000.Ingeneral,wespecifypersistencybydividingtimeintomeasurementperiodsandmeasurethoseelementsthatarepresentpersistentlyinapre-setnumbertofconsecutiveperiodsunderconsideration.Wegiveamoreformaldenitionasfollows:Consideranarbitraryowandtconsecutivemeasurementperiods.LetSjbethesetofdistinctelementsintheowobservedduringthejthmeasurementperiod,1jt.LetSbethesubsetofcommonelementsobservedinalltperiods,i.e.,S=S1\S2\...\St.TheproblemofpersistentspreadmeasurementistondthesizeofS,denotedasn=jSj,whichiscalledthepersistentspreadoftheow.TheelementsinSarecalledpersistentelements.TheelementsinSj)]TJ /F3 11.955 Tf 11.18 0 Td[(S,1jt,arecalledtransientelements.Theproposedarchitectureforestimatingtheows'persistentspreadsisintendedtobegeneric,whileitsparametersshouldbesetbysystemadminsbasedontheirapplicationneeds.Inparticular,thelengthofeachperiodandthenumbertofperiodsusedareapplication-dependent.Asananalogy,asystemadminwillcongurethethresholdforscandetection(i.e.,thetriggeringnumberofdierentdestinationsthatasourcecontactsoveraperiod)tobemorethanthemeasurednumbersofmostnormalsources,whichmayvaryfromnetworktonetwork.Similarly,theparametersofpersistentspreadmeasurementshouldalsobesetbasedonapplication-specicandsystem-specicnormaltracstatistics.ConsidertheexampleinthepracticalimportanceondetectingstealthyDDoSattacksbymeasuring 64

PAGE 65

Figure4-2. Persistentspreadofapacketowtodestination97.208.145.236,withrespecttodierentperiodlengthsinthetwoplotsanddierentnumberstofperiodsonthehorizontalaxis. persistentspreadsofper-destination(server)ows.Ifwesetthemeasurementperiodtobeaday,wemayndsignicantpersistentspreadsforserversinnormaltrac,becauselegitimateusersmayregularlyaccesstheiremail,webandotherservicesonadailybasis.Ifwesetthemeasurementperiodtobeafewseconds,wemaystillndsignicantpersistentspreadsinnormaltracbecauseanysingleconnectiontoaservicemaylastformanyconsecutiveperiods.However,ifwechooseaperiodlengthin-betweenanduseasucientnumberofperiods,itbecomesunlikelyformanynormaluserstoexhibitthesamepersistencyinaccessingtheserversastheattackinghosts[ 54 ].TheaboveanalysisisconrmedbyourexperimentsusingarealnetworktractracefromCAIDA,containing39,456per-destinationowsinanhour.Wevarythelengthofmeasurementperiodandthenumbertofperiodswhenmeasuringthepersistentspreadsoftheows.Themeasurementresultsfortworandomly-selectedlargeowsareshowninFig. 4-2 4-3 ,andthestatisticsofallowsareshowninFig. 4-4 .ConsidertheowinFig. 4-2 .Bothplotsshowthatitspersistentspreaddropsquicklywhenweincreasethenumberofperiods.However,intheleftplotwheretheperiodisshort(10seconds),ifthenumbertofperiodsusedistoosmall(e.g.,2or3),thepersistentspreadofthisnormaltraccanbesignicant.Forexample,whent=2,thepersistentspreadis668,whichis36%ofthespread 65

PAGE 66

Figure4-3. Persistentspreadofapacketowtodestination220.221.80.140,withrespecttodierentperiodlengthsinthetwoplotsanddierentnumberstofperiodsonthehorizontalaxis. whent=1,i.e.,thenumberofactivesourcesinoneperiod.SimilarobservationcanbemadeinFig. 4-3 .Ontheotherhand,asweincreasetheperiodlengthto10minutesintherightplot,whent=2,thepersistentspreadisjust3.8%ofthespreadwhent=1.Beawarethataperiodof10minuteshasmanymorepackets(thuselements)thanaperiodof10seconds;therefore,therelativepercentage(36%v.s.3.8%)isabetterindicatorfortheimpactofperiodlengthonpersistentspread.Bychoosingaperiodlengthof10minutesandlettingt=6,weobservejust13persistentelements(sources)intheowduringanhour.Incontrast,whentheperiodlengthis10secondsandt=6,weobserve198persistentelementsinanhour.Fig. 4-4 presentstheowdistributionwithrespecttothespread(orcardinality)valuewhent=1,2,3and6inthefourplots,respectively.Weputowsinbinswithspreadrangesof[0,10],(10,50],(50,100],...Thelengthofeachperiodis10minutes.Thegureshowsthatmostowsinthisnormaltractracehavesmallspreads.Whenweincreasethenumberofperiods,thenumberofowsinbinsoflargespreadsdecreasesquickly,suggestingthatthepersistentspreadsofthoseowsarereducedtosmallvalues.Thispropertyhelpsinanomalydetection:Whenweseethepersistentspreadofaper-destinationowsuddenlyjumpsfromausuallysmallvaluetoalargeone,itsignalsapossibleDDoSattackasweexplainearlierinthepracticalimportance. 66

PAGE 67

Figure4-4. Flowdistributionwithrespecttopersistentspreadunderdierenttvalues. Theobjectiveofthisworkistodesignapersistentspreadestimationarchitecturethatconsistsofanonlinecomponentandanoinecomponent,wheretheformerrecordsallelementsfromallowsinrealtimeusinghighly-compactdatastructures|whichkeeponlysketchesoftherawtracdataandareooadedtoaserveraftereachmeasurementperiod,andthelatterperformspersistentspreadestimationbasedonthesketchesfrommultipleperiods.Wewillevaluatetheperformanceofourdesignbasedonthefollowingtwometrics.Memoryoverhead:Thedisparityinmemorydemandandsupplyforpracticaltracmeasurementscenariosexplainedintheintroductionmotivatesustomaketheonlinecomponentofpersistentspreadmeasurementascompactaspossible.Estimationaccuracy:Let^nbetheestimationresultoftheactualpersistentspreadnofaow.Theestimationaccuracyisevaluatedbasedontherelativebias,Bias(^n n),andthe 67

PAGE 68

relativestandarderror,StdErr(^n n),whicharedenedbelow. Bias)]TJ /F6 11.955 Tf 6.78 -1.6 Td[(^n n=E)]TJ /F6 11.955 Tf 6.78 -1.6 Td[(^n n)]TJ /F6 11.955 Tf 11.95 0 Td[(1,StdErr)]TJ /F6 11.955 Tf 6.78 -1.59 Td[(^n n=r Var)]TJ /F6 11.955 Tf 6.77 -1.59 Td[(^n n=p Var(^n) n.(4{1)Clearly,smallervaluesofrelativebiasandrelativestandarderrormeanmoreaccuratemeasurementresults.Givenacertainavailablememoryspace,wewanttomakepersistent-spreadestimationsasaccurateaspossible.Wemaketwoassumptions,whichareneededbyourstatisticalanalysis.Therstassumptionisthattherearealargenumberofowsineachperiodandthenumberofdistinctelements/persistentelementsinanyowisnegligiblysmallwhencomparingwiththetotalnumberofdistinctelements/persistentelementsinallows.Thesecondassumptionisthattransientelementscanbeapproximatelytreatedasbeingindependentamongdierentperiods.Thesameassumptionsareneededin[ 54 ],whichprovidesnetworktracanalysistosupporttheassumptions.Theobservationisthatwhenthelengthofeachperiodissucientlylong,mosttransientelementswillstayinoneperiodbecausemostuserconnectionsdonottakethatlong.Forexample,whentheperiodissetto7minuteswithagapof3minutesbetweenconsecutiveperiods,tracanalysisin[ 54 ]showsthatlessthan5%ofallHTTPconnectionsoverlapwithmorethanoneperiod.Thepercentagewillbeloweriftheperiodissetlonger. 4.4PreliminariesInthissection,werstintroducetheHyperLogLog(HLL)algorithm[ 52 ],andthenpresentastraightforwardregister-unionapproachforpersistentspreadestimationbasedonHLL,whichfurthermotivatesamoreaccurateregister-intersectionapproach. 4.4.1HyperLogLog(HLL)AlgorithmTheHLLalgorithmhasmadeimpactonITindustry[ 24 ].Itisdesignedtoestimatethenumberofdistinctelementsinasinglestream(ow)duringasinglemeasurementperiod.HLLensuresalargeestimationrangeandagoodestimationaccuracy.Anincomingstreamismodeledasamulti-setS,whoseelementsareinthedomainD.AnHLLsketchMofs 68

PAGE 69

registersareallocatedtostorethecardinalityinformation.Withoutlossofgenerality,lets=2b,b2N.TheithregisterinMisdenotedbyM[i],i2[0,s).Thesizeofregistersissetbasedonthemaximumrangeofthecardinalitiestobeestimated.Specically,aregisterwith5bitscanmeasurecardinalitiesupto2254109.Algorithm 4.1 summarizeshowtogenerateanHLLsketchforstreamS.First,weinitializeallM[i]tozeros,i2[0,s).Leth:[D]![0,1]f0,1gLbeasuitablehashfunctionthatmapsanelementindomainDuniformlyatrandomtothebinaryrangeofLbitslong.Let(q)bethepositionoftheleftmost1forabinarystringq2f0,1gL,i.e.,itequalsoneplusthelengthofleadingzerosinq.Forexample,ifq=h0001...i,then(q)=4.ForanincomingelementeinstreamS,letxbethebinaryrepresentationofhashvalueh(e),wherepistheleadingbbitsinx,andqistheremainingbits.ThentheelementeismappedtoM[p],andM[p]isupdatedby M[p]:=max(M[p],(q)).(4{2)Inotherwords,thestreamSissplitintossubstreams,eachofwhichisencodedinaregisterbasedontherstbbitsofhashedvalueh(e).Eachregisterissettothemaximumvalueof(q)amongallelementseinthecorrespondingsubstream.Ifnoelementisencodedbyaregister,theregisterremainszero. Algorithm4.1. HLLSketchforastreamS 1: InitializearegisterarrayMofsizes=2bwithallzeros; 2: fore2Sdo 3: x:=h(e);p:=hx1x2...xbi;q:=hxb+1xb+2...i; 4: M[p]:=max(M[p],(q)); 5: endfor 6: returnMattheendofameasurementperiod 69

PAGE 70

Attheendofaperiod,HLLestimatesthenumberofdistinctelementsencodedbyitssketchM=fM[0],M[1],...,M[s)]TJ /F6 11.955 Tf 11.96 0 Td[(1]gthroughnormalizedharmonicmean[ 52 ]: ^nS=ss2s)]TJ /F9 7.97 Tf 6.59 0 Td[(1Xi=02)]TJ /F5 7.97 Tf 6.59 0 Td[(M[i])]TJ /F9 7.97 Tf 6.58 0 Td[(1,(4{3)wheresisthebiascorrectionconstantthatis s=sZ10log22+u 1+usdu)]TJ /F9 7.97 Tf 6.59 0 Td[(1.(4{4)Pre-computedvaluesofsmaybeusedinpractice:16=0.673,32=0.697,64=0.709,ands=0.7213=(1+1.079=s)fors128.Accordingto[ 52 ],theestimationstandarderroris StdErr^nS nS=O1 p s.(4{5)Ithasbeenshownthatestimationby( 4{3 )isseverelybiasedwhenthecardinalityissmallerthan2.5s.Hence,whentheestimatedcardinalityfrom( 4{3 )issmallerthan2.5s,wetreatMasabitmapofsbits,witheachregisterM[i]convertedtoonebit,whosevalueisonewhenM[i]>0orzerootherwise.Theestimationformulaforsmallcardinalityis ^nS=)]TJ /F3 11.955 Tf 9.3 0 Td[(slnV,(4{6)whereVisthefractionofbitsinthebitmapwhosevaluesremainzeros. 4.4.2HLL-BasedPersistentSpreadEstimationTheHLLsketchescanbeadoptedforpersistentspreadestimation.Tomaketechnicaldiscussionmoreconcrete,weconsiderper-destinationowspassingarouterandmeasurethenumberofdistinctsourceaddressesineachow.Foranarbitraryow,weallocateanHLLsketchMofsregisterstorecordtheow'ssourceaddressesineachperiod.DenotetheHLLsketchofthejthperiodbyMj.Atthebeginningofthejthperiod,allregistersofHLLsketchMjareinitializedtozeros.Whentherouterreceivesapacket,itextractstheowlabel(i.e.,destinationaddressdst)from 70

PAGE 71

thepacketheader,andrecordstheelement(i.e.,sourceaddresssrc)inMjbyAlgorithm 4.1 .Bytheendoftheperiod,therouterhasrecordedthesetSjofelementsinMj.ItooadsMjtoaserverforlong-termstorageandoinequery.Aftertconsecutiveperiods,wehaveasequenceofHLLsketchesM1,M2,...,Mt.TheproblemishowtousetheseHLLsketchestoestimatethepersistentspreadn=jSj=jS1\S2\...\Stj,whichisthenumberofdistinctelementsthatarepresentpersistentlythroughthetperiods.Weproposetwoapproaches,registerunionandregisterintersection,tosolvethisproblem. 4.4.2.1Register-unionapproachAccordingtotheinclusion-exclusionrule,thecardinalityofanarbitrarysetintersection,includingn,canbeexpressedassums/dierencesofthecardinalitiesofsetunions.ThecardinalityofanysetunioncanbeestimatedusingtheHLLestimator( 4{3 )afterperformingregister-wiseuniononthecorrespondingsketches.Forexample,thecardinalityofsetintersectionS1\S2is jS1\S2j=jS1j+jS2j)-223(jS1[S2j.(4{7)Namely,jS1\S2jisrepresentedasthesum/dierenceofthreecardinalities,jS1j,jS2jandjS1[S2j,wherejS1jandjS2jcanbeestimatedfromM1andM2usingtheHLLestimator,respectively.Moreover,giventhesketchesM1andM2forS1andS2,theHLLsketchforthesetunionS1[S2issimplyregister-wiseunionM[=M1_M2,whereoperator_isdenedtobeM[[i]=max(M1[i],M2[i]),0i2)isstraightforward.Despiteitsmathematicalsimplicity,register-unionestimateisveryinaccuratesinceitdoesnotfullyexplorethecorrelationamongthetHLLsketches.Letn[bethecardinalityofsetunionS1[S2[...[St,nbethecardinalityofsetintersectionS,and^nbeitsestimate 71

PAGE 72

usingtheregister-unionapproach.Accordingto[ 22 66 ],theestimationstandarderrorofnis StdErr^n n=On[ p sn.(4{8)Clearly,theestimationaccuracydependsonn[ n,andStdErr)]TJ /F9 7.97 Tf 6.74 -4.97 Td[(^n nincreasesasn[ nbecomeslarger.Whentissetlarge,n[maybecomelargeduetoadditionofmoretransientelements,whereasnmaystaymoreorlessthesameifthesetofpersistentelementsdoesnotchangemuch,whichdrivesupn[ nandthusinaccuracyinestimation.Theaccuracylossastgrowscanprohibitanetworkadminfromconguringalargevaluefort. 4.4.2.2Register-intersectionapproachBycontrast,theregister-intersectionapproachcalculatestheintersectionofHLLsketches,M\=M1^M2^...^Mt,whereoperator^ontwoarbitraryHLLsketchesisdenedas(Mj1^Mj2)[i]=min(Mj1[i],Mj2[i]),0i
PAGE 73

overtime.Hence,wehave M\=M1^M2^...^Mt=(M_T1)^(M_T2)^...^(M_Tt)=M_(T1^T2^...^Tt).(4{10)ThevalueoftheithregisterinM\is,for0i
PAGE 74

max(M[i],Tj[i]),0ik)=2)]TJ /F5 7.97 Tf 6.59 0 Td[(k,k0,>0.Thus,thecumulativedistributionfunctionofM[i]undertheconditionn[i]=,>0isP(M[i]kjn[i]=,>0)=(1)]TJ /F9 7.97 Tf 15.4 4.71 Td[(1 2k).Since00=1andP(M[i]kjn[i]=,=0)=1,theaboveconditionalcumulativedistributionfunctionisalsosatisedif=0.Combiningthesetwocases,wehaveP(M[i]kjn[i]=)=)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F6 11.955 Tf 15.81 8.09 Td[(1 2k,0,k0.( 4{14) 74

PAGE 75

Therefore,by( 4{13 )and( 4{14 ),thecumulativedistributionfunctionFM[i](k)ofM[i]isFM[i](k)=P(M[i]k)=nX=0P(M[i]kjn[i]=) P(n[i]=)=nX=0 n )]TJ /F6 11.955 Tf 6.67 -1.59 Td[(1 s)]TJ /F6 11.955 Tf 5.48 -9.68 Td[(1)]TJ /F6 11.955 Tf 13.15 8.09 Td[(1 sn)]TJ /F13 7.97 Tf 6.59 0 Td[()]TJ /F6 11.955 Tf 5.48 -9.68 Td[(1)]TJ /F6 11.955 Tf 15.81 8.09 Td[(1 2k.( 4{15)Inmostsituations,thepersistentspreadnisatleast20and1=sissmallerthanorequalto0.05(s20).Hence,Poissondistributioncanbeusedtoapproximatethebinomialdistributionforecientcalculation,Bino(n,1=s)Pois(=n s).Thereby,wehaveFM[i](k)nX=0e)]TJ /F13 7.97 Tf 6.59 0 Td[( !)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F6 11.955 Tf 15.82 8.09 Td[(1 2k=e)]TJ /F13 7.97 Tf 6.59 0 Td[(nX=0)]TJ /F8 11.955 Tf 5.48 -9.68 Td[((1)]TJ /F9 7.97 Tf 15.21 4.71 Td[(1 2k) !e)]TJ /F13 7.97 Tf 6.59 0 Td[(e(1)]TJ /F9 5.978 Tf 9.84 3.26 Td[(1 2k)=e)]TJ /F17 5.978 Tf 9.3 3.26 Td[( 2k=e)]TJ /F5 5.978 Tf 9.16 3.26 Td[(n s2k.( 4{16)Similarly,wecalculatethecumulativedistributionfunctionFTj[i](k) FTj[i](k)=n0jX=0 n0j )]TJ /F6 11.955 Tf 6.68 -1.6 Td[(1 s)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F6 11.955 Tf 13.15 8.09 Td[(1 sn0j)]TJ /F13 7.97 Tf 6.58 0 Td[()]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F6 11.955 Tf 15.81 8.09 Td[(1 2ke)]TJ /F5 5.978 Tf 9.97 6.33 Td[(n0j s2k=e)]TJ /F5 5.978 Tf 7.78 5.62 Td[(nj)]TJ /F5 5.978 Tf 5.76 0 Td[(n s2k.(4{17)Asweassumethattransientelementsindierentperiodsareapproximatelyindependent,thecumulativedistributionfunctionFT[i](k)ofT[i]isFT[i](k)=P(T[i]k)=1)]TJ /F14 11.955 Tf 11.95 0 Td[(P(T[i]>k)( 4{18)=1)]TJ /F14 11.955 Tf 11.96 0 Td[(P)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(minTj[i]j2[1,t]>k1)]TJ /F5 7.97 Tf 17.69 14.95 Td[(tYj=1P(Tj[i]>k)=1)]TJ /F5 7.97 Tf 17.69 14.95 Td[(tYj=1)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F14 11.955 Tf 11.95 0 Td[(P(Tj[i]k)=1)]TJ /F5 7.97 Tf 17.69 14.95 Td[(tYj=1)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F3 11.955 Tf 11.95 0 Td[(FTj[i](k). 75

PAGE 76

Therefore,theprobabilityP0ioftherstcaseforM\[i]=kis P0i=P(M[i]=k)P(T[i]k)=8>><>>:FM[i](k)FT[i](k)k=0,FM[i](k))]TJ /F3 11.955 Tf 11.96 0 Td[(FM[i](k)]TJ /F6 11.955 Tf 11.95 0 Td[(1)FT[i](k)k1.TheprobabilityP00iofthesecondcaseforM\[i]=kis P00i=P(M[i]><>>:0k=0,FM[i](k)]TJ /F6 11.955 Tf 11.95 0 Td[(1)FT[i](k))]TJ /F3 11.955 Tf 11.95 0 Td[(FT[i](k)]TJ /F6 11.955 Tf 11.95 0 Td[(1)k1.Tosumup,theprobabilityforM\[i]=kisP(M\[i]=k)=P0i+P00i( 4{19)=8>><>>:FM[i](k)FT[i](k)k=0,FM[i](k)FT[i](k))]TJ /F3 11.955 Tf 11.96 0 Td[(FM[i](k)]TJ /F6 11.955 Tf 11.95 0 Td[(1)FT[i](k)]TJ /F6 11.955 Tf 11.95 0 Td[(1)k1.LetagenerationfunctionGs(n1,n2,...,nt,n,k)representtheexpressionFM[i](k)FT[i](k).Combining( 4{16 ),( 4{17 )and( 4{18 ),then Gs(n1,n2,...,nt,n,k)=FM[i](k)FT[i](k)e)]TJ /F5 5.978 Tf 9.15 3.26 Td[(n s2k1)]TJ /F5 7.97 Tf 17.69 14.94 Td[(tYj=11)]TJ /F3 11.955 Tf 11.96 0 Td[(e)]TJ /F5 5.978 Tf 7.78 5.62 Td[(nj)]TJ /F5 5.978 Tf 5.75 0 Td[(n s2k.(4{20)Notethatthen1,n2,...,ntcanbeestimatedusingtheHLLalgorithmonHLLsketchM1,M2,...,Mt,respectively.Thus,theycanbetreatedasconstantinthegenerationfunctionG,sowecansimplifyGs(n1,n2,...,nt,n,k)toGs(n,k).WepositionsasthesubscriptoffunctionG,ratherthanitsinputparameter,becausethenumberofregistersineachperiodisundertheconstraintofavailablememoryandistypicallyaxedvalue.Therefore,the 76

PAGE 77

probabilityfortheithregisterintheintersectionsketchM\tohavethevaluekis P(M\[i]=k)=8>><>>:Gs(n,k)k=0,Gs(n,k))]TJ /F3 11.955 Tf 11.96 0 Td[(Gs(n,k)]TJ /F6 11.955 Tf 11.95 0 Td[(1)k1.(4{21)Inpractice,aregistercannotrecordanarbitrarilylargevaluekduetothelimitedmemorysize(e.g.,5bitsperregister).Hence,itcanonlycarryavalueinaspecicrange.LetHbethethreshold,whichisthemaximumvalue(upperbound)thataregister'scapacitycanrecord.Forinstance,ifthesizeofaregisteris5bits,itsrecordingrangeisfrom0to25=32(exclusive)sothatthethresholdHis31.Lethbethesizeofaregister,thenH=2h)]TJ /F6 11.955 Tf 11.96 0 Td[(1.Consideringthelimitedregistersize,weneedtomodifyprobabilityforM\H.AssumetheregisterisassignedtoHwhenitsvalueisoutofbound.Hence,wehave P(M\[i]=H)=1)]TJ /F5 7.97 Tf 11.96 14.95 Td[(H)]TJ /F9 7.97 Tf 6.59 0 Td[(1Xk=0P(M[i]=k)=1)]TJ /F3 11.955 Tf 11.96 0 Td[(Gs(n,H)]TJ /F6 11.955 Tf 11.95 0 Td[(1).(4{22)Therefore,theprobabilitydistributionfunctionforM\[i]tocarryavaluekin( 4{21 )becomesP(M\[i]=k)=8>>>>>>>>>><>>>>>>>>>>:Gs(n,k)k=0,Gs(n,k))]TJ /F3 11.955 Tf 11.95 0 Td[(Gs(n,k)]TJ /F6 11.955 Tf 11.95 0 Td[(1)0H.( 4{23) 4.5.2I-HLLEstimatorWeprovidetheI-HLLestimatorforpersistentspreadnbasedonMLE.Toestablishthelikelihoodfunction,werstmeasurethenumberofregistersamongthesregistersinM\thatcarrythevaluek,whichisdenotedbyNk.ThereasonwhyweuseNkinsteadofkastheobservingfactoristhattheobservingspacesizeofNkisequaltoH,whichisfarlessthank'sobservingspacesizes.TheprobabilityforobservingNkregistersinM\carryingthevaluekis 77

PAGE 78

P(M\[i]=k)Nk,assumingtheseregistersareapproximatelyindependent.Hence,thecombinedprobabilityforobservingN0,N1,...,NHundertheconditionthattherearenelementsinthepersistentsetis P(N0,N1,...,NHjn)=HYk=0P(M\[i]=k)Nk,(4{24)whereisaconstantthatequalss! N0!N1!...NH!.ThelikelihoodfunctionforobservingN0,N1,...,NHwithrespecttonis L(njN0,N1,...,NH)=HYk=0P(M\[i]=k)Nk.(4{25)Takingthelogarithmonthelikelihoodfunction,weobtainthelogbasedlikelihoodfunctionasfollows: lnL=ln+HXk=0NklnP(M\[i]=k).(4{26)Takingthepartialderivativeonlogbasedlikelihoodfunctionwithrespectton,weobtain @lnL @n=@ @nln+HXk=0NklnP(M\[i]=k)=HXk=0Nk@lnP(M\[i]=k) @n=HXk=0Nk@ @nP(M\[i]=k) P(M\[i]=k).(4{27)ThederivativeofP(M\[i]=k)withrespecttonforanarbitraryvaluek2[0,H]isgivenasfollows, @P(M\[i]=k) @n=8>>>>>><>>>>>>:@ @nGs(n,k)k=0,@ @n)]TJ /F3 11.955 Tf 5.48 -9.68 Td[(Gs(n,k))]TJ /F3 11.955 Tf 11.95 0 Td[(Gs(n,k)]TJ /F6 11.955 Tf 11.95 0 Td[(1)0
PAGE 79

wherethepartialderivativeofGs(n,k)overnis@ @nGs(n,k)1 s2ke)]TJ /F5 5.978 Tf 9.16 3.26 Td[(n s2k1+tXj=1)]TJ /F3 14.346 Tf 5.48 -9.69 Td[(enj)]TJ /F5 5.978 Tf 5.76 0 Td[(n s2k)]TJ /F6 11.955 Tf 11.96 0 Td[(1)]TJ /F9 7.97 Tf 6.59 0 Td[(1tYj=1)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F3 14.346 Tf 11.95 0 Td[(e)]TJ /F5 5.978 Tf 7.78 5.62 Td[(nj)]TJ /F5 5.978 Tf 5.76 0 Td[(n s2k)]TJ /F6 11.955 Tf 11.96 0 Td[(1.( 4{29)Thecalculationof@ @nGs(n,k)isgivenintheAppendix A .Themaximumlikelihoodestimationistondanestimatedpersistentspread^n,whichmaximizestheloglikelihoodfunctionlnL.Therefore,weobtainanestimatorfornasfollows, ^n=argmaxnlnL=nj@ @nlnL=0.(4{30)Itisinfactviabletosolvethefunctionabovesymbolicallytondtheestimatorofn.However,ithashighcomplexityandlowexibility.Weproposetwomethodstosolve( 4{30 )eciently.NotethatagoodinitialguessofthepersistentspreadcanbegeneratedbytheHLLestimatorn\ontheintersectionsketchM\,whichislargerthann.Soonewaytosolve( 4{30 )istousebinarysearchtondavaluefrom0ton\thatmaximizesthelogbasedlikelihoodfunctionL.Anotherwayistouseiterativenumericalsolutionbasedongradientascent, ^n(i+1)=^n(i)+@lnL(njN0,N1,...,NH) @n,(4{31)whereistheoptimizationstepsize.Moreover,agoodinitialguessn\canbeutilizedtoimprovetheconvergencespeed.Generally,theabovefunctioncanbesolvedinabouttenrounds.Asasummary,wedeneauniedfunctionfttogiveaformalI-HLLestimator^ntomeasurethepersistentspreadnoveranarbitrarynumbertoftimeperiods,whichisequivalentto( 4{30 ). 79

PAGE 80

Denition1(I-HLLPersistentSpreadEstimator). Givenanarbitrarynumberofperiodst(t2),auniedestimatorfunctiontoestimatethepersistentspreadis ^n=ft)]TJ /F3 11.955 Tf 5.48 -9.68 Td[(s,M\,fMjgj2[1,t],(4{32)wheresisthenumberofregistersineachHLLsketch,MjistheHLLsketchinthejthperiod(j2[1,t]),andM\istheintersectionHLLsketchthatequalsM1^M2^^Mt. 4.5.3AccuracyAnalysisWeanalyzetherelativebiasandrelativestandarderrorofI-HLLestimator.WedenotethevalueintheithregisterofM\byarandomvariableXi,therebyPXi(k)=P(M\[i]=k).Thentheexpectedvalueandvarianceof@lnPXi(k) @nare=E)]TJ /F8 11.955 Tf 6.68 -1.6 Td[(@lnPXi(k) @n=HXk=0)]TJ /F8 11.955 Tf 6.67 -1.6 Td[(@lnPXi(k) @nPXi(k),( 4{33)2=Var)]TJ /F8 11.955 Tf 6.67 -1.6 Td[(@lnPXi(k) @n=HXk=0)]TJ /F8 11.955 Tf 6.68 -1.6 Td[(@lnPXi(k) @n2PXi(k))]TJ /F8 11.955 Tf 11.95 0 Td[(2.Moreover,thenewlikelihoodfunctionforpreservingX0=k0,X1=k1,,Xs)]TJ /F9 7.97 Tf 6.59 0 Td[(1=ks)]TJ /F9 7.97 Tf 6.58 0 Td[(1canbewrittenas L(njk1,k2,,ks)]TJ /F9 7.97 Tf 6.59 0 Td[(1)=s)]TJ /F9 7.97 Tf 6.59 0 Td[(1Yi=0PXi(k).(4{34)Notethattheabovelikelihoodfunctionisonlytheoriginallikelihoodfunctionmultipliedbyaconstantvalue.Hence,wecanstillusethenotationLwithoutconfusion.Takingthelogarithmofthelikelihoodfunctionandthederivativewithrespectton,wehave 1 sE)]TJ /F8 11.955 Tf 6.67 -1.6 Td[(@lnL @n2=1 sE)]TJ /F5 7.97 Tf 8.57 5.26 Td[(s)]TJ /F9 7.97 Tf 6.58 0 Td[(1Xi=0@lnPXi(ki) @n2.(4{35) 80

PAGE 81

SinceX0,X1,,Xs)]TJ /F9 7.97 Tf 6.59 0 Td[(1areroughlyindependent,assuming 2=(n)2 s,thenwehave 1 sE)]TJ /F8 11.955 Tf 6.67 -1.6 Td[(@lnL @n21 ss)]TJ /F9 7.97 Tf 6.58 0 Td[(1Xi=0E)]TJ /F8 11.955 Tf 6.67 -1.6 Td[(@lnPXi(ki) @n2+1 sXi,j2[0,s)i6=jE)]TJ /F8 11.955 Tf 6.67 -1.6 Td[(@lnPXi(ki) @nE)]TJ /F8 11.955 Tf 6.68 -0.83 Td[(@lnPXj(kj) @n=E)]TJ /F8 11.955 Tf 6.68 -1.6 Td[(@lnPXi(ki) @n2+(s)]TJ /F6 11.955 Tf 11.96 0 Td[(1)E)]TJ /F8 11.955 Tf 6.68 -1.6 Td[(@lnPXi(ki) @nE)]TJ /F8 11.955 Tf 6.68 -0.83 Td[(@lnPXj(kj) @n=2+2+(s)]TJ /F6 11.955 Tf 11.95 0 Td[(1)2=s2+2=s2+s( n)2,where=0and 2is 2=(n)2 s3Gs(n,0)+(n)2G2s(n,H)]TJ /F6 11.955 Tf 11.96 0 Td[(1) s322(H)]TJ /F9 7.97 Tf 6.58 0 Td[(1)(1)]TJ /F3 11.955 Tf 11.95 0 Td[(Gs(n,H)]TJ /F6 11.955 Tf 11.96 0 Td[(1))+H)]TJ /F9 7.97 Tf 6.59 0 Td[(1Xk=1(n)2)]TJ /F3 11.955 Tf 5.47 -9.68 Td[(Gs(n,k))]TJ /F6 11.955 Tf 11.96 0 Td[(2Gs(n,k)]TJ /F6 11.955 Tf 11.96 0 Td[(1)2 s322k(Gs(n,k))]TJ /F3 11.955 Tf 11.95 0 Td[(Gs(n,k)]TJ /F6 11.955 Tf 11.95 0 Td[(1))Thecalculationofand 2canbefoundintheAppendix B .Hence,thesherinformation[ 67 ]I(^n)=1 sE)]TJ /F6 11.955 Tf 5.48 -9.68 Td[((@lnL @n)2=s( n)2.Accordingtotheasymptoticpropertiesofmaximumlikelihoodestimation,ourestimatorisasymptoticallyunbiasedandecient,anditachievestheCramer-Raolowerbound: ^nd)777(!Normal(n,1 I(^n))=Normal(n,(n)2 s 2).(4{36)Therefore,therelativestandarderroris StdErr)]TJ /F6 11.955 Tf 6.78 -1.59 Td[(^n n1 p s ,(4{37)andthe1)]TJ /F8 11.955 Tf 11.95 0 Td[(condenceintervalfornis ^nZ 2n p s .(4{38) 81

PAGE 82

APer-sourceow BPer-destinationowFigure4-5. Flowcardinalitydistributionsfordierentows 4.6VirtualI-HLLArchitecture 4.6.1MotivationInthedesignofourpreviousI-HLLestimator,allowsareallocatedwithseparatedandequal-sizedHLLsketchestorecordtheirelementsineachmeasurementperiod,whichbesttswhentheowcardinalityisuniformlydistributed.However,manystudiesobserveacommonfactthatthedistributionofowcardinalitiesisextremelyunbalancedinrealnetworks,andsmallpercentageoflargeowsaccountforamajorityoftheInternettrac(alsoknownastheheavy-taileddistribution).Withoutlossofgenerality,weusetherealnetworktracecapturedbythemaingatewayofouruniversityasanexample.Thedistributionsofper-sourceowandper-destinationowareillustratedinFigure 4-5A andFigure 4-5B ,respectively.Clearly,thevastmajorityofowshavesmallcardinalities,whileonlyasmallnumberofowshavelargecardinalities.ThesametrendisobservedinthetractracesfromCAIDA[ 63 ].Underthiscommonobservationofunbalanceddistributioninnetworktracdata,maintainingoneHLLsketchforeachowisnotapplicableduetothelimitedsizeofon-chipSRAM.Thereasonisthat,whenwedon'tknowwhichowsareelephantowsinadvance,thesizesofallHLLsketchesforI-HLLestimatorshouldbeconguredaccordingtothelargestowcardinalitiesinordertoachievereasonablyaccuratemeasurement.Therefore,wehavetoallocateallHLLsketcheswiththesamesizethatarelargeenoughtoaccommodatethe 82

PAGE 83

Figure4-6. RegistersharingandvirtualHLLsketch. elephantows.Hence,forthemajorityofowswithsmallcardinalities,thehigh-orderbitsintheirregistersareactuallyunder-utilizedasmanyorevenmostofthemremainzeros,whichcausesasignicantwasteofmemory.Toreducethememorywastecausedbytheunevenowcardinalitydistribution,registersharingshouldbeenabledamongtheowstoutilizetheseunusedbits. 4.6.2RegisterSharingandVirtualHLLSketchOurideaistoenableregistersharingamongHLLsketchesofallows.AnexampleisillustratedinFigure 4-6 ,whereeachcellrepresentsaregister.TheHLLsketchesofallowsarenolongerseparated.Instead,theyshareregistersfromacommonregisterpool,calledphysicalregisterarrayA.Eachowpseudo-randomlypicksanumberofregistersfromthephysicalregisterarrayAtoformitslogicaldatastructurecalledvirtualHLLsketch.SincevirtualHLLsketchesofallowssharethesameregisterpoolA,elephantowscan`borrow'memoryfromsmallowstoutilizetheunusedspace.Fromabove,wedesignanovelpersistentspreadestimationarchitecturebasedonvirtualHLLsketchesontopofregistersharing,calledVirtualIntersectionHyperLogLogestimator(VI-HLL),whereeachowisallocatedwithavirtualHLLsketchofmultipleregistersineachmeasurementperiod.SupposethetotalmemorysizeofAisMbits,andthesizeofeachregisterishbits.SothenumberofregistersinAism=M h.EachvirtualHLLsketchisconguredauniedsizesthatislargeenoughtoaccommodateallows.Foreachowdst, 83

PAGE 84

Table4-1. Notations NotationMeaning AaphysicalarrayofregistersAjaphysicalregisterarrayofperiodjmnumberofregistersinphysicalregisterarrayAdstvirtualHLLsketchofowdstsnumberofregistersusedbyvirtualHLLsketchHi(dst)hashfunctionthatmapstheithregisterofAdsttoAnnumberofpersistentelementsofowdst^nanestimationofnnsnumberofpersistentelementsinAdst^nsanestimationofnsnunumberofpersistentelementsinA^nuanestimationofnu werandomlyselectsregistersfromAtoformitsvirtualHLLsketchAdst.TheithregisterinAdst,denotedbyAdst[i],canbeselectedfromAasfollows, Adst[i]=A[Hi(dst)],0i
PAGE 85

4.6.3RecordFlowElementsinAIneachtimeperiod,aregisterarrayAofmregistersisusedtorecordelementsinformationofallows.Atthebeginningofeachperiod,allregistersofAareinitializedtozeros.Intechnicaldiscussionbelow,weagainconsiderper-destinationowsthrougharouterthatmeasuresthedistinctnumberofsourceaddressesineachow.Whenapacketarrives,therouterextractsitsowlabeldstandtreatsthesourceaddresssrcasanelementofowdst.Therouterrecordstheelementintheow'svirtualHLLsketchAdst.Todoso,itrstperformsahashH(src),whosebinaryrepresentationisdenotedasx.Letpistheleadingb(b=log2s)bitsinx,andqistheremainingbits: p=hx1x2...xbi,q=hxb+1xb+2...i.Usingthevalueofp,theroutermapstheelementsrcofowdstpseudorandomlytoaregisterofitsvirtualHLLsketchAdst[p],andupdatesthevalueAdst[p]ifitscurrentvalueissmallerthan(q), Adst[p]=max)]TJ /F3 11.955 Tf 5.48 -9.68 Td[(Adst[p],(q).(4{41)Applying( 4{39 )and( 4{40 ),wehave A[H(dstR[p])]=max)]TJ /F3 11.955 Tf 5.48 -9.68 Td[(A[H(dstR[p])],(q).(4{42)TheonlinerecordingmoduleforonetimeperiodissummarizedinAlgorithm 4.2 .Attheendofeachmeasurementperiod,thephysicalregisterarrayAwillbeooadedfromon-chipSRAMtomainmemoryofaserverforlong-termstorageandoinequery.Assumewehavemeasuredtconsecutivetimeperiods,therebywehavetphysicalregisterarrays,whicharedenotedbyA1,A2,...,At. Algorithm4.2. Onlinerecordingmoduleforonetimeperiod 85

PAGE 86

1: InitializearegisterarrayAofsizemwithallzeros; 2: forpackagehsrc,dstido 3: x:=H(src);p:=hx1x2...xbi;q:=hxb+1xb+2...i; 4: i:=H(dstR[p]);A[i]=max)]TJ /F3 11.955 Tf 5.48 -9.68 Td[(A[i],(q); 5: endfor 6: returnAattheendofthemeasurementperiod 4.6.4VI-HLLEstimatorWedescribeourVI-HLLestimator,whichusesthesequenceofphysicalregisterarraysA1,A2,...,At,toestimatethepersistentspreadforanarbitraryow.Consideraowdstunderquery,wereconstructitsvirtualHLLsketchMfromanarbitraryphysicalregisterarrayA,wheretheithregisterinvirtualHLLsketchhasbeenmappedtotheregisterA[Hi(dst)]inA,M[i]=Adst[i]=A[Hi(dst)],0i
PAGE 87

SomemaythinkthattransientelementsfromotherowsincreasethetotalnumberofelementsineachvirtualHLLsketchandaggravatetheoverestimationproblem.However,whenweuseI-HLLestimatorbasedonMLEtoestimatethenumberofpersistentelementsinthevirtualHLLsketchesoftperiods,theestimationresultalreadyltersalltransientelementscomingfromowdstandotherows.Hence,therewon'tbeanyoverestimationcomingfromtransientelements,andthemajorsourceofoverestimatingowdst'spersistentspreadisthepersistentelementsfromotherows.OurVI-HLLestimatoristoremovethenoisethatcomesfromotherows,andgivesunbiasedpersistentspreadestimation.Letnbethenumberofpersistentelementsofowdst,nsbethenumberofpersistentelementsrecordedinvirtualintersectionHLLsketchM\ofowdst,andnubethenumberofpersistentelementsinphysicalintersectionregisterarrayA\=A1^A2^^At.Duetoregistersharing,weknowthatnsisthepersistentspreadnofowdstplusthenoise(persistentspreads)introducedbyotherows.LetYbearandomvariableforthenumberofnoisepersistentspreadsrecordedbythevirtualintersectionHLLsketchM\,thenwehave Y=ns)]TJ /F3 11.955 Tf 11.95 0 Td[(n.(4{43)TorecovernfromvirtualHLLsketchesofowdst,weremovesuchnoiseasfollows.Thetotalnumberofpersistentelementscomingfromotherowsisnu)]TJ /F3 11.955 Tf 12.16 0 Td[(n.Fromtheviewoftheowdst,theseelementarenoise.Asweassumethattherearemanyowsandnnu,eachnoiseelementfromotherowshasapproximatelythesameprobabilitytomapintoM\.Thisprobabilityisequaltos mduetotherandomselectionofsregistersbythevirtualHLLsketchfromA(mregisters).Hence,Yfollowsabinomialdistribution,YsBino(ns)]TJ /F3 11.955 Tf 12.27 0 Td[(n,s m).TheexpectednumberofnoisemappedtoM\isE(Y)=s(nu)]TJ /F5 7.97 Tf 6.59 0 Td[(n) m.Therefore,wehave E(ns)]TJ /F3 11.955 Tf 11.96 0 Td[(n)=E(Y)=s(nu)]TJ /F3 11.955 Tf 11.96 0 Td[(n) m.(4{44) 87

PAGE 88

Bythelawoflargenumbersinprobabilitytheory,ifthenumberofsislarge,therelativevarianceVar(ns)]TJ /F5 7.97 Tf 6.59 0 Td[(n E(ns)]TJ /F5 7.97 Tf 6.59 0 Td[(n))approachestozero.Inthiscase,theexpectedvalueE(ns)]TJ /F3 11.955 Tf 12.03 0 Td[(n)canbeapproximatedbyaninstancevalue,ns)]TJ /F3 11.955 Tf 11.96 0 Td[(n.Hence,wehave ns)]TJ /F3 11.955 Tf 11.96 0 Td[(ns(nu)]TJ /F3 11.955 Tf 11.95 0 Td[(n) m)nms m)]TJ /F3 11.955 Tf 11.95 0 Td[(s)]TJ /F3 11.955 Tf 6.68 -1.6 Td[(ns s)]TJ /F3 11.955 Tf 13.15 8.09 Td[(nu m.(4{45)ByapplyingDenition 1 ,wecanobtainaccurateestimation^nsand^nuoverM\andA\,respectively. ^ns=ft)]TJ /F3 11.955 Tf 5.48 -9.68 Td[(s,M\,fMjgj2[1,t],^nu=ft)]TJ /F3 11.955 Tf 5.48 -9.68 Td[(m,A\,fAjgj2[1,t].Therefore,weobtaintheestimationforpersistentspreadn: ^n=ms m)]TJ /F3 11.955 Tf 11.96 0 Td[(s)]TJ /F6 11.955 Tf 6.77 -1.6 Td[(^ns s)]TJ /F6 11.955 Tf 13.25 8.09 Td[(^nu m.(4{46)TheVI-HLLestimatorforowdstissummarizedinAlgorithm 4.3 Algorithm4.3. VI-HLLpersistentspreadestimatorforowdst 1: Input:s,m,fMjgj2[1,t]andfAjgj2[1,t]. 2: Step1:ObtainthevirtualintersectionHLLsketchofowdst: 3: M\ M1^M2^^Mt. 4: EstimatensinM\byDenition 1 : 5: ^ns:=ft)]TJ /F3 11.955 Tf 5.48 -9.68 Td[(s,M\,fMjgj2[1,t] 6: Step2:ObtaintheintersectionHLLsketchofallows: 7: A\ A1^A2^^At. 8: EstimatenuinA\byDenition 1 : 9: ^nu:=ft)]TJ /F3 11.955 Tf 5.48 -9.69 Td[(m,A\,fAjgj2[1,t]. 10: Step3:Removenoiseandobtainestimationofnby( 4{46 ): 11: ^n:=ms m)]TJ /F5 7.97 Tf 6.58 0 Td[(s)]TJ /F9 7.97 Tf 6.74 -3.99 Td[(^ns s)]TJ /F9 7.97 Tf 13.22 5.69 Td[(^nu m 12: returntheestimatedpersistentspread^n. 4.6.5AccuracyAnalysisWenowanalyzetherelativebiasandrelativestandarderrorofourVI-HLLestimator.AccordingtoanalysisofI-HLLestimatorinSection 4.5.3 ,wehavethefollowingtheorem. 88

PAGE 89

Theorem4.1. LetnsbethenumberofpersistentelementsthataremappedtothevirtualHLLsketch.Supposethenumbersofregistersislargeenough.Then, E(^ns)nsVar(^ns)(ns)2 s 2sStdErr)]TJ /F6 11.955 Tf 6.78 -1.6 Td[(^ns ns1 p s swhere sisavariancerelatedtosandns. 4.6.5.1RelativebiasAccordingto( 4{43 ),weknowns=n+Y,andYfollowsabinomialdistributionofBinom(nu)]TJ /F3 11.955 Tf 12.02 0 Td[(n,s m).CombingTheorem 4.1 ,undertheconditionofY=l,l2[0,nu)]TJ /F3 11.955 Tf 12.03 0 Td[(n],wehave E(^nsjY=l)ns=n+l,(4{47)and P(Y=l)= nu)]TJ /F3 11.955 Tf 11.95 0 Td[(nl )]TJ /F3 11.955 Tf 8.76 -1.6 Td[(s ml)]TJ /F6 11.955 Tf 5.48 -9.68 Td[(1)]TJ /F3 11.955 Tf 15.23 8.08 Td[(s mnu)]TJ /F5 7.97 Tf 6.58 0 Td[(n)]TJ /F5 7.97 Tf 6.58 0 Td[(l.(4{48)By( 4{47 )and( 4{48 ),wecancalculateE(^ns)=nu)]TJ /F5 7.97 Tf 6.59 0 Td[(nXl=0E(^nsjY=l)P(Y=l)nu)]TJ /F5 7.97 Tf 6.59 0 Td[(nXl=0(n+l) nu)]TJ /F3 11.955 Tf 11.96 0 Td[(nl )]TJ /F3 11.955 Tf 8.76 -1.6 Td[(s ml)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F3 11.955 Tf 15.24 8.09 Td[(s mnu)]TJ /F5 7.97 Tf 6.59 0 Td[(n)]TJ /F5 7.97 Tf 6.59 0 Td[(l=n+E(Y)=n+s(nu)]TJ /F3 11.955 Tf 11.96 0 Td[(n) m.( 4{49) 89

PAGE 90

Thevalueof^nuisestimatedbasedonthephysicalregisterarrayA.Therefore,E(^nu)nu.Fromthedenitionin( 4{1 )andestimationformula( 4{46 ),therelativebiasof^nisBias)]TJ /F6 11.955 Tf 6.78 -1.6 Td[(^n n=E)]TJ /F6 11.955 Tf 6.78 -1.6 Td[(^n n)]TJ /F6 11.955 Tf 11.95 0 Td[(1=ms m)]TJ /F3 11.955 Tf 11.95 0 Td[(sE(^ns) sn)]TJ /F3 11.955 Tf 13.15 8.09 Td[(E(^nu) mn)]TJ /F6 11.955 Tf 11.95 0 Td[(1ms m)]TJ /F3 11.955 Tf 11.96 0 Td[(sn+s(nu)]TJ /F5 7.97 Tf 6.59 0 Td[(n) m sn)]TJ /F6 11.955 Tf 17.97 8.09 Td[(^nu mn)]TJ /F6 11.955 Tf 11.95 0 Td[(1=0.( 4{50)Hence,theVI-HLLestimator^nisapproximatelyunbiasedforn. 4.6.5.2RelativestandarderrorNextwederivetherelativestandarderrorof^n.UndertheconditionofY=l,byTheorem 4.1 ,wehave Var(^nsjY=l)(n+l)2 s 2s(4{51)Similarly,wehave Var(^nu)(nu)2 m 2m,(4{52)wheremisthenumberofregistersinA.ByTheorem 4.1 and( 4{47 ), E)]TJ /F6 11.955 Tf 5.48 -9.68 Td[((^ns)2jY=l=Var(^nsjY=l)+E)]TJ /F6 11.955 Tf 5.59 -9.68 Td[(^nsjY=l2(n+l)2 s 2s+(n+l)2=)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1+1 s 2s(n+l)2.(4{53)Combine( 4{48 )andaboveequation,wehaveE)]TJ /F6 11.955 Tf 5.48 -9.68 Td[((^ns)2=nu)]TJ /F5 7.97 Tf 6.59 0 Td[(nXl=0E)]TJ /F6 11.955 Tf 5.48 -9.68 Td[((^ns)2jY=lP(Y=l)( 4{54)nu)]TJ /F5 7.97 Tf 6.58 0 Td[(nXl=0(1+1 s 2s)(n+l)2 nu)]TJ /F3 11.955 Tf 11.96 0 Td[(nl (s m)l(1)]TJ /F3 11.955 Tf 15.24 8.09 Td[(s m)nu)]TJ /F5 7.97 Tf 6.59 0 Td[(n)]TJ /F5 7.97 Tf 6.59 0 Td[(l=(1+1 s 2s))]TJ /F6 11.955 Tf 5.48 -9.69 Td[((n+s(nu)]TJ /F3 11.955 Tf 11.95 0 Td[(n) m)2+s(nu)]TJ /F3 11.955 Tf 11.96 0 Td[(n) m(1)]TJ /F3 11.955 Tf 15.24 8.09 Td[(s m). 90

PAGE 91

Hence,thevarianceoftheestimationnisVar(^n)=)]TJ /F5 7.97 Tf 10.07 -4.98 Td[(ms m)]TJ /F5 7.97 Tf 6.58 0 Td[(s2Var(^ns) s2)]TJ /F5 7.97 Tf 13.15 5.7 Td[(Var(^nu) m2( 4{55))]TJ /F5 7.97 Tf 12 -4.97 Td[(m m)]TJ /F5 7.97 Tf 6.58 0 Td[(s21 s 2s)]TJ /F3 11.955 Tf 5.48 -9.68 Td[(n+s(nu)]TJ /F5 7.97 Tf 6.58 0 Td[(n) m2+)]TJ /F9 7.97 Tf 11.31 -4.97 Td[(1 s 2s+1s(nu)]TJ /F5 7.97 Tf 6.59 0 Td[(n) m(1)]TJ /F5 7.97 Tf 14.64 4.71 Td[(s m))]TJ /F11 11.955 Tf 11.96 9.68 Td[()]TJ /F5 7.97 Tf 8.16 -4.97 Td[(s m2(nu)2 m 2m.TherelativestandarderrorofnisStdErr(^n)=p Var(^n) nm (m)]TJ /F3 11.955 Tf 11.96 0 Td[(s)n ( 4{56)s 1 s 2s)]TJ /F3 11.955 Tf 5.48 -9.68 Td[(n+s(nu)]TJ /F3 11.955 Tf 11.95 0 Td[(n) m2+)]TJ /F6 11.955 Tf 12.92 -1.59 Td[(1 s 2s+1s(nu)]TJ /F3 11.955 Tf 11.96 0 Td[(n) m(1)]TJ /F3 11.955 Tf 15.24 8.09 Td[(s m))]TJ /F11 11.955 Tf 11.96 9.68 Td[()]TJ /F3 11.955 Tf 8.76 -1.59 Td[(s m2(nu)2 m 2m. 4.7SimulationsInthissection,weuseextensivesimulationstoevaluateourpersistentspreadestimatorVI-HLLbasedonregistersharing.WecompareitwiththebeststateofartV-Bitmap[ 54 ].Sinceourgoalistodesignpersistentspreadestimatorthatcanbeusedintightmemoryspacewhiledeliveringhighaccuracy,inoursimulations,weonlyconsidermemoryrequirementsthatarelessthan3bitsperow.Wealsoevaluatetheimpactofthenumberofperiodst,signal-to-noiseratioSNRj,andnumberofregisterssontheVI-HLLperformance. 4.7.1SimulationSetupWeimplementVI-HLLaswellasV-Bitmap,andcomparethemthroughextensivesimulations.Thedataweusedissimulatedfromreal-worldnetworktractraces.Notethattheowsinthesimulationscanbeper-sourceows,per-destinationows,orotheruser-denedows,whichallleadtosimilarresults.Withoutlossofgenerality,weuseper-destinationowsforpresentation.Thetracdataineachperiodcontains124,846,736distinctelementsgeneratedby11,453,043ows.Theaverageowcardinalityis10.90perow.Wesimulatetremendoususersconcurrentlyaccessingalargeserverfarm,whichisquitepracticalintoday'smaingatewayrouter.Someoftheowelementsarepersistentelements,whichexistthroughoutthetperiods,andtherestaretransientelements.Ineachperiod, 91

PAGE 92

wecontroltheratioofpersistentelementstothetransientelementsbysignal-to-noiseratioSNRj=n n0j=n nj)]TJ /F5 7.97 Tf 6.59 0 Td[(n,j2[1,t].TheperformancemetricsusedinoursimulationsincludememoryrequirementandestimationaccuracyasdiscussedinSection 4.3 .Weruntwosetsofsimulations.TherstsetisusedtoevaluatetheimpactofmemorysizeonthepersistentspreadestimationaccuracyofV-BitmapandVI-HLL.WevarythememoryspaceMfrom0.5MB,1MB,2MBto4MB,whichtranslatestoapproximately0.37bits/ow,0.75bits/ow,1.5bits/owand3bits/ow,respectively.Tomakeafaircomparison,VI-HLLandV-Bitmaparegiventhesamememorysizetoprocessthesimulatedtracdataineachcase.ForV-Bitmap,thelengthofeachvirtualbitmapisconguredas10,000toachievebetteraccuracy,oraslargeas50,000toaccommodatethelargeowstohavelargerestimationrangeasin[ 54 ].ForVI-HLL,weuseavirtualHLLsketchtorecordeachowineachperiod.ThelengthsofeachvirtualHLLsketchisconguredas512.ThesecondsetofsimulationsevaluatestheimpactofdierentparamentsontheperformanceofVI-HLL.WexthememorysizetoM=2MB,andvaryt,SNRjandswithdierentvaluestoobservetheirimpactonestimationaccuracy.Thesimulationresultsaregivenasfollows. 4.7.2VI-HLLv.s.V-BitmapWestudytheestimationaccuracyofV-BitmapandVI-HLLwiththeavailablememoryrangingfrom0.5MB,1MB,2MBto4MB.Thetotalmeasurementtimeperiodstisxedto10,andsignal-to-noiseratioSNRjis1.ThecomparisonresultsofV-BitmapandVI-HLLarepresentedinFigures 4-7 4-8 4-9 and 4-10 .TherstthreeguresshowtheestimationresultsforV-Bitmapwiths=10000,V-Bitmapwiths=50000,andVI-HLLwiths=512,eachofwhichincludesfourplotsunderdierentmemorysizesM.Eachpointineachplotrepresentsaow,wherethexcoordinateistheactualpersistentspreadcardinalitynandtheycoordinateistheestimatedcardinality^n.Theequalityline,y=x,isalsoshown.Clearly,thecloserapointistotheequalityline,themoreaccuratetheestimateis. 92

PAGE 93

Figure4-7. PersistentspreadestimationusingV-Bitmapunderdierentmemoryoverhead,witht=10,SNRj=1ands=10000. 93

PAGE 94

Figure4-8. PersistentspreadestimationusingV-Bitmapunderdierentmemoryoverhead,witht=10,SNRj=1ands=50000. 94

PAGE 95

Figure4-9. PersistentspreadestimationusingVI-HLLunderdierentmemoryoverheadM,witht=10,SNRj=1ands=512. 95

PAGE 96

Figure4-10. CompareVI-HLLandV-BitmapunderdierentmemoryoverheadM. 96

PAGE 97

InFigure 4-7 ,plot(a)andplot(b)showwhentheavailablememoryistight,e.g.,M=0.5MB(0.37bits/ow)orM=1MB(0.75bits/ow),V-Bitmap(s=10000)cannotgivereasonableestimationsformostows.ThereasonisthattheestimationaccuracyofV-Bitmapdependsonthellrate{theproportionofbitsinabitmapthataresettobeone.Thehigherthellrate,theworsetheaccuracy.Forexample,whenM=0.5MB,eachbitismappedby30elementsonaverage,soalmostallbitsaresetto1.Hence,V-Bitmapcannolongerworkinsuchtightmemory.Asthememorysizeincreasesfrom1MBto4MBasshowninplot(c)andplot(d),V-Bitmapgeneratessomepositivelybiasedresults,butstillcannotyieldestimatesforlargepersistentspreadowsduetothehighllrate.AlthoughincreasingMcanenlargetheestimationrangeofV-Bitmaptosomeextent,itstilldoesnotaddresstheproblemcausedbyhighllrate.AnalternativewaytoextendtheestimationrangeforV-Bitmapistoincreasethevirtualbitmapsizes.Figure 4-8 givesthesimulationsresultsforV-Bitmapwiths=50000.Clearly,itstillcannotworkundertightmemoryasshowninplot(a)andplot(b).Whenincreasingmemorysizeasillustratedinplot(c)andplot(d),V-BitmapgiveslargerestimationrangecomparingwiththelasttwoplotsinFigure 4-7 ,buttheresultsarestillquiteinaccuratebecausethellrateisstillveryhighandlargesizebitmapintroducesmorenoise.Therefore,V-Bitmapcannotworkundertightmemory.Figure 4-9 showsthesimulationresultsofVI-HLLwhens=512.Clearly,VI-HLLcangenerateveryaccuratepersistentspreadestimatesforbothsmallandlargeowsaspointsareclusteredtotheequalitylineforallfourplots.Thisistrueevenunderatightmemory,e.g.,M=0.5MB(0.37bit/ow)asshowninplot(a).Inaddition,throughregisterintersection,VI-HLLcaneasilyhandlewideestimationrangeswithoutmodifyingpresetparameters,whichisrequiredbyV-Bitmapinordertogeneratesoundmeasurementresultswhenfacingdierenttracsituations.VI-HLLprovidesamorerobustandexiblesolutionforreal-lifepersistentspreadmeasurement. 97

PAGE 98

TherelativebiasBias(^n n)ofV-BitmapandVI-HLLandrelativestandarderrorStdErr(^n n)ofVI-HLLaregiveninFigure 4-10 .Plot(a),plot(b)andplot(c)presenttheestimationbiasofV-Bitmapwiths=10000,V-Bitmapwiths=50000andVI-HLL,respectively.Wecanseethatundertightmemory,V-Bitmaphaslargebias,whileVI-HLLhassmallrelativebiasandrelativestandarderrors.Also,VI-HLLbecomesmoreaccuratewhenmorememoryisused.Notethatalthoughtherelativestandarderrorsforsmallowsarehigher,itdoesnotentirelydiminishtheusefulnessoftheseestimationsbecausetheabsoluteerrorsforsmallowsareinfactmuchsmallerthanthoseoflargeones.Asmallpersistentspreadowwon'tbemistakenasalargeoneduetothemodestabsoluteerror. 4.7.3ImpactofValuetonVI-HLLInoursecondsetofsimulations,werstlystudytheimpactofthenumberoftimeperiodstontheperformanceofVI-HLL.WextheM=2MB,SNRj=1ands=512,andvarytfrom10to2,4,6to8.TheresultsarepresentedinFigure 4-11 .Therstfourplotsareestimationresultsundert=2,4,6and8.Correspondingrelativestandarderrorsareillustratedinthefthplot.Clearly,whentbecomeslarger,therelativestandarderrorbecomessmaller,whichreectsaninterestingfeatureofVI-HLLthatitsestimationaccuracyimproveswhenthenumberoftimeperiodsincreases.ThisisbecauseVI-HLLdetectstheexistenceofthepersistentelementsfromtheregisterintersectiononallHLLsketchesM1,M2,...,Mt.TheprobabilityforanintersectionregisterinM\tobeupdatedhigherbytransientelements,capturedbythetermP00iin( 4{19 ),decreasesastvaluegrows.Therefore,VI-HLLpermitsnetworkadmintosetarbitrarilylargetvaluestodierentiatepersistentandtransientelements. 4.7.4ImpactofValueSNRjonVI-HLLNext,weevaluatetheimpactofthesignal-to-noiseratioSNRjontheperformanceofVI-HLL.WextheM=2MB,t=10ands=512,andvarySNRjfrom0.25,0.5,1to2.TheresultsarepresentedinFigure 4-12 .TherstfourplotsareestimationresultsunderSNRj=0.25,0.5,1and2.Correspondingrelativestandarderrorsareillustratedinthefthplot.Fromtheplots,weseethattheaccuracydegradesabitasSNRjdecreases,butVI-HLL 98

PAGE 99

Figure4-11. EstimationresultsandrelativeerrorsofVI-HLLunderdierentvaluesoft,withM=2MB,SNRj=1ands=512. 99

PAGE 100

Figure4-12. EstimationresultsandrelativeerrorsofVI-HLLunderdierentvaluesofSNRj,withM=2MB,t=10ands=512. 100

PAGE 101

Figure4-13. EstimationresultsandrelativeerrorsofVI-HLLunderdierentvaluesofs,withM=2MB,t=10andSNRj=1. 101

PAGE 102

stillrendersreasonablyhighaccuracy.TheabilityoftoleratingheavynoiseinVI-HLLmakesitmoreexibletouseinpractice. 4.7.5ImpactofValuesonVI-HLLFinally,weinvestigatetheimpactoftheregistersizesontheperformanceofVI-HLL.WextheM=2MB,andvarythevalueofsfrom512to128,256,1024to2048.TheresultsarerepresentedinFigure 4-13 .Therstfourplotsareestimationresultsunders=128,256,1024and2048.Correspondingrelativestandarderrorsareillustratedinthefthplot.Clearly,whensisrelativelysmall(s=128),therelativestandarderrorsarelargerthanwhens=256ors=512forlargesizeows.However,whensgetslargeenough(s=1024ors=2048),theestimationaccuracyforlargesizeowsstabilizes,buttheestimationaccuracyforsmallsizeowsbecomesnoticeablyworse.Combiningthesetwoeects,inpractice,itmaybemoreappropriatetochooseavirtualHLLsketchsizeofeither512or1024. 4.8SummaryInthiswork,weproposeahighlycompactandecientVirtualIntersectionHyperLogLog(VI-HLL)architectureforpersistentspreadmeasurement.Itcanhelptodetectlong-termstealthynetworkactivitiesinthebackgroundofshort-termactivitiesoflegitimateusers.Throughextensiveanalysisandsimulations,wedemonstratethatVI-HLLcanperformwelleveninaverytightmemoryspace(lessthan3bitsoreven0.37bitsperow)withwidemeasurementrangeandreasonablyhighaccuracy.Therefore,itcanbeimplementedinfaston-chipSRAMtokeepupwiththelinespeedofmodernrouters,orlow-costcommoditycomputerstoprocessbignetworkdata. 102

PAGE 103

CHAPTER5CONCLUSIONSInthisdissertation,werstpresentahighlycompactandfastcounterarchitectureVHCforper-owtracmeasurementinChapter 2 .VHCachievesfasterprocessingspeed(slightlymorethan1memoryaccessperpacket)andprovidesmoreaccuratemeasurementresultsthanthebestexistingwork.Moreover,VHCperformswellinatightmemoryspace(lessthan1bitperow)wherepriorworkcannolongerwork.ExtensiveexperimentsbasedonrealnetworktracedatademonstratethesuperiorperformanceofVHC.InChapter 3 ,weextendtheper-owtracmeasurementfromlandmarkwindowmodeltoslidingwindowmodel.Weproposetwoschemes,ACEandS-ACE,forper-owcountinginbignetworkdatastreamovertheslidingwindowmodel.Bothschemesleveragethecountersharingidea,andgreatlyreducethememoryoverhead.ACEhastoresetthewindowperiodicallytogivepreciseestimates,whileS-ACEcanachievepersistentlyaccurateestimatesviaanovelsegmentwindowdesign.InChapter 4 ,weproposeahighlycompactandecientVirtualIntersectionHyperLogLog(VI-HLL)architectureforpersistentspreadmeasurement.Itcanhelptodetectlong-termstealthynetworkactivitiesinthebackgroundofshort-termactivitiesoflegitimateusers.Throughextensiveanalysisandsimulations,wedemonstratethatVI-HLLcanperformwelleveninaverytightmemoryspace(lessthan3bitsoreven0.37bitsperow)withwidemeasurementrangeandreasonablyhighaccuracy.Therefore,itcanbeimplementedinfaston-chipSRAMtokeepupwiththelinespeedofmodernrouters,orlow-costcommoditycomputerstoprocessbignetworkdata. 103

PAGE 104

APPENDIXATHEPARTIALDERIVATIVEOFGS(N,K)WehaveshownthegeneratingfunctionGs(n,k)in( 4{20 ).Nowweanalyzeitspartialderivativeoverthepersistentspreadn.Firstly,weanalyzethepartialderivativesofthetwomaincomponentsofGs(n,k),i.e.,e)]TJ /F5 5.978 Tf 9.15 3.26 Td[(n s2kandQtj=1)]TJ /F6 11.955 Tf 5.48 -9.68 Td[(1)]TJ /F3 11.955 Tf 11.96 0 Td[(e)]TJ /F5 5.978 Tf 7.78 5.62 Td[(nj)]TJ /F5 5.978 Tf 5.75 0 Td[(n s2k,@ @ne)]TJ /F5 5.978 Tf 9.15 3.26 Td[(n s2k=)]TJ /F6 11.955 Tf 16.06 8.09 Td[(1 s2ke)]TJ /F5 5.978 Tf 9.15 3.26 Td[(n s2k,@ @ntYj=1)]TJ /F6 11.955 Tf 5.48 -9.68 Td[(1)]TJ /F3 11.955 Tf 11.96 0 Td[(e)]TJ /F5 5.978 Tf 7.78 5.62 Td[(nj)]TJ /F5 5.978 Tf 5.75 0 Td[(n s2k=tXi=1)]TJ /F9 7.97 Tf 14.58 4.7 Td[(1 s2ke)]TJ /F5 5.978 Tf 7.78 4.62 Td[(ni)]TJ /F5 5.978 Tf 5.75 0 Td[(n s2k 1)]TJ /F3 11.955 Tf 11.95 0 Td[(e)]TJ /F5 5.978 Tf 7.78 4.62 Td[(ni)]TJ /F5 5.978 Tf 5.76 0 Td[(n s2ktYj=1)]TJ /F6 11.955 Tf 5.48 -9.68 Td[(1)]TJ /F3 11.955 Tf 11.95 0 Td[(e)]TJ /F5 5.978 Tf 7.78 5.61 Td[(nj)]TJ /F5 5.978 Tf 5.75 0 Td[(n s2k=tXj=1)]TJ /F9 7.97 Tf 14.58 4.7 Td[(1 s2k enj)]TJ /F5 5.978 Tf 5.75 0 Td[(n s2k)]TJ /F6 11.955 Tf 11.95 0 Td[(1tYj=1)]TJ /F6 11.955 Tf 5.48 -9.68 Td[(1)]TJ /F3 11.955 Tf 11.96 0 Td[(e)]TJ /F5 5.978 Tf 7.78 5.62 Td[(nj)]TJ /F5 5.978 Tf 5.75 0 Td[(n s2k.Then,weapplytheaboveequationandhave@ @nGs(n,k))]TJ /F6 11.955 Tf 28.67 8.09 Td[(1 s2ke)]TJ /F5 5.978 Tf 9.16 3.26 Td[(n s2k1)]TJ /F5 7.97 Tf 17.69 14.95 Td[(tYj=1)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F3 11.955 Tf 11.95 0 Td[(e)]TJ /F5 5.978 Tf 7.78 5.62 Td[(nj)]TJ /F5 5.978 Tf 5.76 0 Td[(n s2k+1 s2ke)]TJ /F5 5.978 Tf 9.15 3.26 Td[(n s2ktXj=1)]TJ /F3 11.955 Tf 5.47 -9.69 Td[(enj)]TJ /F5 5.978 Tf 5.76 0 Td[(n s2k)]TJ /F6 11.955 Tf 11.95 0 Td[(1)]TJ /F9 7.97 Tf 6.59 0 Td[(1tYj=1)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F3 11.955 Tf 11.96 0 Td[(e)]TJ /F5 5.978 Tf 7.79 5.62 Td[(nj)]TJ /F5 5.978 Tf 5.76 0 Td[(n s2k.Finally,wecansimplifytheaboveequationas@ @nGs(n,k)1 s2ke)]TJ /F5 5.978 Tf 9.16 3.26 Td[(n s2k1+tXj=1)]TJ /F3 11.955 Tf 5.48 -9.69 Td[(enj)]TJ /F5 5.978 Tf 5.76 0 Td[(n s2k)]TJ /F6 11.955 Tf 11.96 0 Td[(1)]TJ /F9 7.97 Tf 6.59 0 Td[(1tYj=1)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F3 11.955 Tf 11.95 0 Td[(e)]TJ /F5 5.978 Tf 7.78 5.62 Td[(nj)]TJ /F5 5.978 Tf 5.76 0 Td[(n s2k)]TJ /F6 11.955 Tf 11.96 0 Td[(1. 104

PAGE 105

APPENDIXBANALYSISOF,2AND 2Next,weanalyzeand2basedontheirdenitionsin( 4{33 ).Applying( 4{28 ),wehave =E)]TJ /F8 11.955 Tf 6.67 -1.6 Td[(@lnPXi(k) @n=HXk=0)]TJ /F8 11.955 Tf 6.68 -1.6 Td[(@lnPXi(k) @nPXi(k)=HXk=0)]TJ /F13 7.97 Tf 8.61 6.31 Td[(@PXi(k) @n PXi(k)PXi(k)=HXk=0@PXi(k) @n=@ @nHXk=0PXi(k)=@1 @n=0,and 2=Var)]TJ /F8 11.955 Tf 6.67 -1.6 Td[(@lnPXi(k) @n=HXk=0)]TJ /F8 11.955 Tf 6.68 -1.6 Td[(@lnPXi(k) @n2PXi(k).=HXk=0)]TJ /F13 7.97 Tf 8.61 6.31 Td[(@PXi(k) @n PXi(k)2PXi(k)=HXk=0)]TJ /F13 7.97 Tf 6.67 -2.48 Td[(@PXi(k) @n2 PXi(k)=)]TJ /F13 7.97 Tf 6.67 -4.2 Td[(@Gs(n,0) @n2 Gs(n,0)+)]TJ /F13 7.97 Tf 6.67 -4.2 Td[(@Gs(n,H)]TJ /F9 7.97 Tf 6.59 0 Td[(1) @n2 1)]TJ /F3 11.955 Tf 11.95 0 Td[(Gs(n,H)]TJ /F6 11.955 Tf 11.96 0 Td[(1)+H)]TJ /F9 7.97 Tf 6.59 0 Td[(1Xk=1)]TJ /F13 7.97 Tf 11.12 -4.98 Td[(@ @n(Gs(n,k))]TJ /F3 11.955 Tf 11.95 0 Td[(Gs(n,k)]TJ /F6 11.955 Tf 11.95 0 Td[(1))2 Gs(n,k))]TJ /F3 11.955 Tf 11.96 0 Td[(Gs(n,k)]TJ /F6 11.955 Tf 11.96 0 Td[(1),where Gs(n,k)e)]TJ /F5 5.978 Tf 9.15 3.26 Td[(n s2k1)]TJ /F5 7.97 Tf 17.69 14.95 Td[(tYj=1)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F3 11.955 Tf 11.95 0 Td[(e)]TJ /F5 5.978 Tf 7.78 5.62 Td[(nj)]TJ /F5 5.978 Tf 5.76 0 Td[(n s2k@ @nGs(n,k)1 s2ke)]TJ /F5 5.978 Tf 9.16 3.25 Td[(n s2k1+tXj=1)]TJ /F3 11.955 Tf 5.48 -9.69 Td[(enj)]TJ /F5 5.978 Tf 5.76 0 Td[(n s2k)]TJ /F6 11.955 Tf 11.96 0 Td[(1)]TJ /F9 7.97 Tf 6.59 0 Td[(1tYj=1)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F3 11.955 Tf 11.95 0 Td[(e)]TJ /F5 5.978 Tf 7.78 5.62 Td[(nj)]TJ /F5 5.978 Tf 5.76 0 Td[(n s2k)]TJ /F6 11.955 Tf 11.96 0 Td[(1.Assumingthatthesignalnisindependentwiththenoisenj)]TJ /F3 11.955 Tf 11.96 0 Td[(n(i.e.,@n0j @n=0),then @ @nGs(n,k))]TJ /F6 11.955 Tf 28.68 8.09 Td[(1 s2ke)]TJ /F5 5.978 Tf 9.15 3.26 Td[(n s2k1)]TJ /F5 7.97 Tf 17.69 14.95 Td[(tYj=1)]TJ /F6 11.955 Tf 5.48 -9.69 Td[(1)]TJ /F3 11.955 Tf 11.96 0 Td[(e)]TJ /F5 5.978 Tf 7.79 5.62 Td[(nj)]TJ /F5 5.978 Tf 5.76 0 Td[(n s2k=)]TJ /F6 11.955 Tf 16.06 8.08 Td[(1 s2kGs(n,k). 105

PAGE 106

Therefore,wecansimplifythe2as 2=1 s2Gs(n,0)+G2s(n,H)]TJ /F6 11.955 Tf 11.96 0 Td[(1) s222(H)]TJ /F9 7.97 Tf 6.59 0 Td[(1)(1)]TJ /F3 11.955 Tf 11.96 0 Td[(Gs(n,H)]TJ /F6 11.955 Tf 11.95 0 Td[(1))+H)]TJ /F9 7.97 Tf 6.58 0 Td[(1Xk=1)]TJ /F3 11.955 Tf 5.48 -9.69 Td[(Gs(n,k))]TJ /F6 11.955 Tf 11.95 0 Td[(2Gs(n,k)]TJ /F6 11.955 Tf 11.95 0 Td[(1)2 s222k(Gs(n,k))]TJ /F3 11.955 Tf 11.95 0 Td[(Gs(n,k)]TJ /F6 11.955 Tf 11.95 0 Td[(1)).Since 2=(n)2 s,wehave 2=(n)2 s3Gs(n,0)+(n)2G2s(n,H)]TJ /F6 11.955 Tf 11.96 0 Td[(1) s322(H)]TJ /F9 7.97 Tf 6.58 0 Td[(1)(1)]TJ /F3 11.955 Tf 11.95 0 Td[(Gs(n,H)]TJ /F6 11.955 Tf 11.96 0 Td[(1))+H)]TJ /F9 7.97 Tf 6.59 0 Td[(1Xk=1(n)2)]TJ /F3 11.955 Tf 5.47 -9.69 Td[(Gs(n,k))]TJ /F6 11.955 Tf 11.96 0 Td[(2Gs(n,k)]TJ /F6 11.955 Tf 11.96 0 Td[(1)2 s322k(Gs(n,k))]TJ /F3 11.955 Tf 11.95 0 Td[(Gs(n,k)]TJ /F6 11.955 Tf 11.96 0 Td[(1)). 106

PAGE 107

REFERENCES [1] Cisco,TheZettabyteEra-TrendsandAnalysis,2015,availableat http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/VNI Hyperconnectivity WP.html/ [2] C.Smith,BytheNumbers:100AmazingGoogleStatisticsandFact-s,February2016,availableat http://expandedramblings.com/index.php/by-the-numbers-a-gigantic-list-of-google-stats-and-facts/10/ [3] TwitterUsageStatistics,availableat http://www.internetlivestats.com/twitter-statistics/ [4] D.Moore,G.Voelker,andS.Savage,\InferringInternetDenialofServiceActivity,"Proc.ofUSENIXSecuritySymposium,August2001. [5] K.ParkandH.Lee,\OntheEectivenessofRoute-BasedPacketFilteringforDistributedDoSAttackPreventioninPower-LawInternets,"Proc.ofACMSIGCOMM,August2001. [6] S.Staniford,J.Hoagland,andJ.McAlerney,\PracticalAutomatedDetectionofStealthyPortscans,"JournalofComputerSecurity,vol.10,pp.105{136,2002. [7] G.Cormode,M.Garofalakis,S.Muthukrishnan,andR.Rastogi,\HolisticAggregatesinaNetworkedWorld:DistributedTrackingofApproximateQuantiles,"Proc.oftheACMSIGMOD,pp.25{36,2005. [8] L.GriecoandC.Barakat,\Ananalysisofpacketsamplinginthefrequencydomain,"Proc.ofACMSIGCOMMconferenceonInternetMeasurementConference,2009. [9] V.Sekar,M.Reiter,andH.Zhang,\RevisitingtheCaseforaMinimalistApproachforNetworkFlowMonitoring,"Proc.ofACMSIGCOMMconferenceonInternetMeasure-mentConference,2010. [10] M.Yu,L.Jose,andR.Miao,\SoftwareDenedTracMeasurementwithOpenSketch,"Proc.ofNSDI,pp.29{42,2013. [11] Y.Zhou,Y.Zhou,S.Chen,andO.P.K,\LimitingSelf-PropagatingMalwareBasedonConnectionFailureBehaviorthroughHyper-CompactEstimators,"arXivpreprintarXiv:1602.03153,2016. [12] S.Chen,Y.Zhou,andS.Chen,\EcientHierarchicalTracMeasurementinSoftware-DenedDatacenterNetworks,"Proc.ofIEEEInternationalConferenceonCloudComputing,pp.163{170,2017. [13] Q.Xiao,S.Chen,Y.Zhou,M.Chen,J.Luo,T.Li,andY.Ling,\CardinalityEstimationforElephantFlows:ACompactSolutionBasedonVirtualRegisterSharing,"IEEE/ACMTransactionsonNetworking,2017. [14] N.Dueld,C.Lund,andM.Thorup,\EstimatingFlowDistributionsfromSampledFlowStatistics,"Proc.ofACMSIGCOMM,October2003. 107

PAGE 108

[15] A.Kumar,M.Sung,J.Xu,andJ.Wang,\DataStreamingAlgorithmsforEcientandAccurateEstimationofFlowSizeDistribution,"Proc.ofACMSIGMETRICS,June2004. [16] G.CormodeandS.Muthukrishnan,\AnImprovedDataStreamSummary:theCount-MinSketchandItsApplications,"Proc.ofLATIN,2004. [17] N.Dueld,C.Lund,andM.Thorup,\LearnMore,SampleLess:ControlofVolumeandVarianceinNetworkMeasurement,"IEEETransactionsofInformationTheory,vol.51,no.5,pp.1756{1775,2005. [18] Q.Zhao,A.Kumar,J.Wang,andJ.Xu,\DataStreamingAlgorithmsforAccurateandEcientMeasurementofTracandFlowMatrices,"Proc.ofACMSIGMETRICS,vol.33,no.1,pp.350{361,2005. [19] X.Dimitropoulos,P.Hurley,andA.Kind,\ProbabilisticLossyCounting:AnEcientAlgorithmforFindingHeavyHitters,"Proc.ofACMSIGCOMM,2008. [20] D.M.Kane,J.Nelson,andD.P.Woodru,\AnOptimalAlgorithmfortheDistinctElementsProblem,"Proc.ofACMPODS,pp.41{52,2010. [21] P.LievenandB.Scheuermann,\High-SpeedPer-FlowTracMeasurementwithProbabilisticMultiplicityCounting,"Proc.ofACMSIGMETRICS,pp.1{9,2010. [22] X.Shi,D.-M.Chiu,andJ.C.Lui,\Anonlineframeworkforcatchingtopspreadersandscanners,"ComputerNetworks,vol.54,no.9,pp.1375{1388,2010. [23] T.Li,S.Chen,andY.Ling,\Per-owTracMeasurementthroughRandomizedCounterSharing,"IEEE/ACMTransactionsonNetworking,vol.20,no.5,pp.1622{1634,2012. [24] S.Heule,M.Nunkesser,andA.Hall,\HyperLogLoginPractice:AlgorithmicEngineeringofaStateofTheArtCardinalityEstimationAlgorithm,"Proc.ofEDBT,pp.683{692,2013. [25] M.Moshref,M.Yu,R.Govindan,andA.Vahdat,\SCREAM:SketchResourceAllocationforSoftware-denedMeasurement,"Proc.ofACMCoNEXT,2015. [26] T.Li,S.Chen,andY.Ling,\FastandCompactPer-FlowTracMeasurementthroughRandomizedCounterSharing,"Proc.ofIEEEINFOCOM,pp.1799{1807,April2011. [27] M.ChenandS.Chen,\CounterTree:AScalableCounterArchitectureforPer-FlowTracMeasurement,"Proc.ofIEEEICNP,November2015. [28] H.Wang,D.Zhang,andK.G.Shin,\SYN-dog:SningSYNFloodingSources,"Proc.ofIEEEInternationalConferenceonDistributedComputingSystems,July2002. [29] C.Estan,G.Varghese,andM.Fish,\BitmapAlgorithmsforCountingActiveFlowsonHigh-SpeedLinks,"IEEE/ACMTransactionsonNetworking,vol.14,no.5,pp.925{937,2006. 108

PAGE 109

[30] S.Venkatataman,D.Song,P.Gibbons,andA.Blum,\NewStreamingAlgorithmsforFastDetectionofSuperspreaders,"Proc.ofNDSS,Feb.2005. [31] J.Cao,Y.Jin,A.Chen,T.Bu,andZ.Zhang,\IdentifyingHighCardinalityInternetHosts,"Proc.ofIEEEINFOCOM,April2009. [32] Q.Zhao,J.Xu,andA.Kumar,\DetectionofSuperSourcesandDestinationsinHigh-SpeedNetworks:Algorithms,AnalysisandEvaluation,"IEEEJournalonSelect-edAreasinCommunications,vol.24,no.10,October2006. [33] Y.Zhou,Q.Xiao,Z.Mo,S.Chen,andY.Yin,\Privacy-PreservingPoint-to-PointTransportationTracMeasurementthroughBitArrayMaskinginIntelligentCyber-physicalRoadSystems,"IEEEInternationalConferenceonandIEEECyber,PhysicalandSocialComputing,pp.826{833,2013. [34] Y.Zhou,S.Chen,Z.Mo,andY.Yin,\PrivacyPreservingOrigin-DestinationFlowMeasurementinVehicularCyber-PhysicalSystems,"Proc.ofIEEEInternationalConfer-enceonCyber-PhysicalSystems,Networks,andApplications,pp.32{37,2013. [35] Y.Zhou,Y.Zhou,S.Chen,andY.Zhang,\Per-owCountingforBigNetworkDataStreamoverSlidingWindows,"Proc.ofIEEE/ACMInternationalSymposiumonQualityofService,pp.1{10,2017. [36] Q.Xiao,Y.Zhou,andS.Chen,\BetterwithFewerBits:ImprovingthePerformanceofCardinalityEstimationofLargeDataStreams,"Proc.ofIEEEINFOCOM,pp.1{9,2017. [37] A.Kumar,J.Xu,andJ.Wang,\Space-codeBloomFilterforEcientPer-owTracMeasurement,"IEEEJournalonSelectedAreasinCommunications,vol.24,no.12,pp.2327{2339,2006. [38] Y.Lu,A.Montanari,B.Prabhakar,S.Dharmapurikar,andA.Kabbani,\CounterBraids:ANovelCounterArchitectureforPer-FlowMeasurement,"Proc.ofACMSIGMETRICS,June2008. [39] Y.LuandB.Prabhakar,\RobustCountingViaCounterBraids:AnError-ResilientNetworkMeasurementArchitecture,"Proc.ofIEEEINFOCOM,April2009. [40] C.EstanandG.Varghese,\NewDirectionsinTracMeasurementandAccounting,"Proc.ofACMSIGCOMM,August2002. [41] M.Yoon,T.Li,S.Chen,andJ.Peir,\FitaSpreadEstimatorinSmallMemory,"Proc.ofIEEEINFOCOM,April2009. [42] Y.Zhou,S.Chen,Y.Zhou,M.Chen,andQ.Xiao,\Privacy-PreservingMulti-PointTracVolumeMeasurementThroughVehicle-to-InfrastructureCommunications,"IEEETransactionsonVehicularTechnology,vol.64,no.12,pp.5619{5630,2015. 109

PAGE 110

[43] Y.Zhou,Y.Zhou,S.Chen,andO.P.K,\LimitingSelf-propagatingMalwareBasedonConnectionFailureBehavior,"Proc.ofSeventhInternationalConferenceonNetworkandCommunicationsSecurity(NCS),2015. [44] Y.Zhou,S.Chen,Z.Mo,andQ.Xiao,\Point-to-PointTracVolumeMeasurementthroughVariable-LengthBitArrayMaskinginVehicularCyber-PhysicalSystems,"Proc.ofIEEEICDCS,pp.51{60,2015. [45] Y.Zhou,Z.Mo,Q.Xiao,S.Chen,andY.Yin,\Privacy-PreservingTransportationTracMeasurementinIntelligentCyber-physicalRoadSystems,"IEEETransactionsonVehicularTechnology,vol.65,no.5,pp.3749{3759,2016. [46] Q.Zhao,J.Xu,andZ.Liu,\DesignofaNovelStatisticsCounterArchitecturewithOptimalSpaceandTimeEciency,"ACMSIGMETRICSPerformanceEvaluationReview,vol.34,no.1,pp.323{334,2006. [47] L.Golab,D.DeHaan,E.D.Demaine,A.Lopez-Ortiz,andJ.I.Munro,\IdentifyingFrequentItemsinSlidingWindowsoverOn-LinePacketStreams,"Proc.ofACMIMC,pp.173{178,2003. [48] N.Rivetti,Y.Busnel,andA.Mostefaoui,\EcientlySummarizingDataStreamsoverSlidingWindows,"Proc.ofIEEEInternationalSymposiumonNetworkComputingandApplications,pp.151{158,2015. [49] R.Ben-Basat,G.Einziger,R.Friedman,andY.Kassner,\HeavyHittersinStreamsandSlidingWindows,"Proc.IEEEINFOCOM,2016. [50] P.FlajoletandG.N.Martin,\ProbabilisticCountingAlgorithmsforDatabaseApplications,"JournalofComputerandSystemSciences,vol.31,pp.182{209,September1985. [51] M.DurandandP.Flajolet,\LoglogCountingofLargeCardinalities,"EuropeanSymposiaonAlgorithms,pp.605{617,2003. [52] P.Flajolet,E.Fusy,O.Gandouet,andF.Meunier,\HyperLogLog:TheAnalysisofaNear-optimalCardinalityEstimationAlgorithm,"Proc.ofAOFA,pp.127{146,2007. [53] Q.Xiao,S.Chen,M.Chen,andY.Ying,\Hyper-CompactVirtualEstimatorsforBigNetworkDataBasedonRegisterSharing,"Proc.ofACMSIGMETRICS,pp.417{428,2015. [54] Q.Xiao,Y.Qiao,Z.Mo,andS.Chen,\EstimatingthePersistentSpreadsinHigh-SpeedNetworks,"Proc.ofIEEEICNP,pp.131{142,2014. [55] W.FangandL.Peterson,\Inter-AStracpatternsandtheirimplications,"GlobalTelecommunicationsConference,vol.3,pp.1859{1868,1999. [56] Y.Zhou,Y.Zhou,M.Chen,andS.Chen,\PersistentSpreadMeasurementforBigNetworkDataBasedonRegisterIntersection,"Proc.ofACMSIGMETRICS,2017. 110

PAGE 111

[57] M.Datar,A.Gionis,P.Indyk,andR.Motwani,\MaintainingStreamStatisticsoverSlidingWindows,"SIAMjournaloncomputing,vol.31,no.6,pp.1794{1813,2002. [58] Y.ZhuandD.Shasha,\StatStream:StatisticalMonitoringofThousandsofDataStreamsinRealTime,"Proc.ofVLDB,pp.358{369,2002. [59] A.ArasuandG.S.Manku,\ApproximateCountsandQuantilesoverSlidingWindows,"Proc.ofACMSIGMOD-SIGACT-SIGARTsymposiumonPrinciplesofdatabasesystems,pp.286{296,2004. [60] L.-K.LeeandH.Ting,\ASimplerandMoreEcientDeterministicSchemeforFindingFrequentItemsoverSlidingWindows,"Proc.oftheACMSIGMOD-SIGACT-SIGARTsymposiumonPrinciplesofdatabasesystems,pp.290{297,2006. [61] R.Y.Hung,L.-K.Lee,andH.-F.Ting,\FindingFrequentItemsoverSlidingWindowswithConstantUpdateTime,"InformationProcessingLetters,vol.110,no.7,pp.257{260,2010. [62] Zipf'sLaw,availableat https://en.wikipedia.org/wiki/Zipf%27s law [63] CAIDA,availableat http://www.caida.org/home/ [64] Y.Gao,Y.Zhao,R.Schweller,S.Venkataraman,Y.Chen,D.Song,andM.-Y.Kao,\DetectingStealthySpreadersUsingOnlineOutdegreeHistograms,"Proc.ofIEEEIWQoS,pp.145{153,2007. [65] GoogleTrends,availableat https://www.google.com/trends/ [66] A.Chen,J.Cao,andT.Bu,\BitmapAlgorithmsforCountingActiveFlowsonHigh-SpeedLinks,"Proc.ofVLDB,pp.171{182,2007. [67] E.LehmannandG.Casella,\TheoryofPointEstimation,"SpringerPress,1998. 111

PAGE 112

BIOGRAPHICALSKETCHYouZhoureceivedhisB.E.degreeinelectronicinformationengineeringfromtheUniversityofScienceandTechnologyofChina,Hefei,China,in2013,andPh.D.degreeincomputersciencefromtheUniversityofFlorida,Gainesville,FL,in2017.Hisresearchinterestsincludenetworkprivacyandsecurity,bignetworkdata,cyber-physicalsystemsandInternetofThings. 112