Search Icon
Register

A Robust Counting Sketch for Data Plane Intrusion Detection

Sian Kim (Ewha Womans University), Changhun Jung (Ewha Womans University), RhongHo Jang (Wayne State University), David Mohaisen (University of Central Florida), DaeHun Nyang (Ewha Womans University)

Demands are increasing to measure per-flow statistics in the data plane of high-speed switches. However, the resource constraint of the data plane is the biggest challenge. Although existing in-data plane solutions improve memory efficiency by accommodating Zipfian distribution of network traffic, they cannot adapt to various flow size distributions due to their static data structure. In other words, they cannot provide robust flow measurement under complex traffic patterns (e.g. under attacks). Recent works suggest dynamic data structure management schemes, but the high complexity is the major obstruction for the data plane deployment. In this paper, we present Count-Less sketch that enables robust and accurate network measurement under a wide variety of traffic distributions without dynamic data structure update. Count-Less applies a novel sketch update strategy, called {em minimum update}, which approximates the conservative update strategy of Count-MIN for fitting into in-network switches. Not only theoretical proof on Count-Less's estimation but also comprehensive experimental results are presented in terms of estimation accuracy and throughput of Count-Less, compared to Count-Min (baseline), Elastic sketch, and FCM sketch. More specifically, experiment results on security applications including estimation errors under various skewness parameters are provided. Count-Less is much more accurate in all measurement tasks than Count-Min and outperforms FCM sketch and Elastic sketch, state-of-the-art algorithms without the help of any special hardware like TCAM. To prove its feasibility in the data plane of a high-speed switch, Count-Less prototype on an ASIC-based programmable switch (Tofino) is implemented in P4 language and evaluated. In terms of data plane latency, Count-Less is 1.53x faster than FCM, while consuming 1.56x less resources such as hash bits, SRAM, and ALU of a programmable switch.

Paper
Slides
Video

View More Papers

coucouArray ( [post_type] => ndss-paper [post_status] => publish [posts_per_page] => 4 [orderby] => rand [tax_query] => Array ( [0] => Array ( [taxonomy] => category [field] => id [terms] => Array ( [0] => 66 ) ) ) [post__not_in] => Array ( [0] => 13161 ) )

ProbFlow : Using Probabilistic Programming in Anonymous Communication Networks

Hussein Darir (University of Illinois Urbana-Champaign), Geir Dullerud (University of Illinois Urbana-Champaign), Nikita Borisov (University of Illinois Urbana-Champaign)

Read More

RAI2: Responsible Identity Audit Governing the Artificial Intelligence

Tian Dong (Shanghai Jiao Tong University), Shaofeng Li (Shanghai Jiao Tong University), Guoxing Chen (Shanghai Jiao Tong University), Minhui Xue (CSIRO's Data61), Haojin Zhu (Shanghai Jiao Tong University), Zhen Liu (Shanghai Jiao Tong University)

Read More

Browser Permission Mechanisms Demystified

Kazuki Nomoto (Waseda University), Takuya Watanabe (NTT Social Informatics Laboratories), Eitaro Shioji (NTT Social Informatics Laboratories), Mitsuaki Akiyama (NTT Social Informatics Laboratories), Tatsuya Mori (Waseda University/NICT/RIKEN AIP)

Read More

The Vulnerabilities Less Exploited: Cyberattacks on End-of-Life Satellites

Frank Lee and Gregory Falco (Johns Hopkins University) Presenter: Frank Lee

Read More

Privacy Starts with UI: Privacy Patterns and Designer Perspectives in UI/UX Practice

Anxhela Maloku (Technical University of Munich), Alexandra Klymenko (Technical University of Munich), Stephen Meisenbacher (Technical University of Munich), Florian Matthes (Technical University of Munich)

Vision: Profiling Human Attackers: Personality and Behavioral Patterns in Deceptive Multi-Stage CTF Challenges

Khalid Alasiri (School of Computing and Augmented Intelligence Arizona State University), Rakibul Hasan (School of Computing and Augmented Intelligence Arizona State University)

From Underground to Mainstream Marketplaces: Measuring AI-Enabled NSFW Deepfakes on Fiverr

Mohamed Moustafa Dawoud (University of California, Santa Cruz), Alejandro Cuevas (Princeton University), Ram Sundara Raman (University of California, Santa Cruz)