Reverse Hashing for Sketch Based Change Detection in High Speed Networks
Ashish Gupta, Elliot Parsons
with Robert Schweller, Theory Group
Advisor: Yan Chen
Class Presentation, June 2004, Network Security
Computer Science Department, Northwestern University

Overview (hidden slide)
Anomaly Detection
—Problem with High Speed networks
Sketch Based Approaches and their problems
—What is a sketch?
—How does it help?
—Its current problem: not reversible
Reverse Hashing algorithms
—Taking Intersections
–Its problems
—Modular Hashing
—IP Mangling
Dealing with Multiple Anomalies
Evaluation
Conclusions
Future Work

Overview
Anomaly Detection
Sketch Based Approaches and their problems
Reverse Hashing algorithms
Dealing with Multiple Anomalies
Evaluation
Conclusions
Future Work

Anomaly Detection
Goes beyond signature detection
Two popular types:
—Heavy Hitter Detection
—Change detection: very broad (simple change to statistical methods)
Online real-time detection is difficult
—Heavy hitter: some solutions proposed
—Heavy change?
Scalability with high speed traffic
—Large number of flows: large memory required
—Performance penalty
Scalable Change Detection: Sketch to the rescue!

What is a sketch?
Probabilistic summary of data streams
—Widely used in database research to handle massive data streams

              Space           Accuracy
Hash table    Per-key state   100%
Sketch        Compact         With probabilistic guarantees (better for larger values)

Array of hash tables: T_j[K] (j = 1, …, H)
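
What is a sketch?
[Figure: H hash tables (rows 1, …, j, …, H), each with K buckets (columns 0, 1, …, K-1); key k is hashed to one bucket per table by h_1(k), …, h_j(k), …, h_H(k)]
Update (k, u): T_j[h_j(k)] += u (for all j)
Estimate v(S, k): sum of updates for key k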

Using Sketch for anomaly detection
Requires very little space:
—E.g. 5 hash tables with 16 K buckets = 360 K
—High speed memory usable
—Still able to reconstruct the values with high accuracy
Its main problem
—To know the value of a key, must know the key.
—Can know the anomalies, not the keys!

Our contribution
How can we figure out the keys without storing them explicitly?

Step 1: Taking Intersections
Each hash table uses an independent hash function
Each key maps to a different bucket in each table
—Each bucket maps to a large set of keys
Example: Key maps to b_1, b_2, b_3, b_4, b_5
Intersect A_1, A_2, A_3, A_4, A_5: really small set!
E[x] << 1 for 5 hash tables (ref. our paper)

The problem with simple intersection
Why is this difficult?
—One to many mapping
Each set A_i can be very large!
—E.g. for IP addresses
Key space is 2^32. For 2^12 buckets: 2^20 keys per bucket!

Problem with Intersections
How do we store these huge mappings?
How do we take intersections of these huge sets?
Modular hashing
Partition the key into separate words
Hash each word separately
[Figure: the 32-bit key 10010100101010111001010110100011 partitioned into 8-bit words]

Modular hashing reduces the set size
[Figure: the 32-bit key 10010100 10101011 10010101 10100011 is split into four 8-bit words; h_1(), h_2(), h_3(), h_4() hash them to 010, 110, 001, 101, which concatenate to the bucket index 010110001101]
Greatly reduces size of reverse mapped sets

Modular hashing
Only 32 elements per partition
For 8-bit to 3-bit hashing: each bucket maps to 2^8/2^3 = 2^5 = 32 keys: small!

Modular Hashing is Efficient
Very efficient in space and time:
—If n is the key space, m is hash space, q is number of words,
—Space =
—Run time (intersections) =
Set q = O(log n)
—Space: logarithmic in key space
—Run time: poly-log in key space
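
The sketch update, modular hashing and word-by-word intersection from the slides above, put together as an added example (not code from the presentation or the authors' paper). The names `Sketch`, `word_hashes`, `bucket` and `reverse`, the balanced random per-word maps, and taking the heavy bucket as the largest counter in each table are assumptions made for illustration; the traffic is constructed.

```python
import random
from itertools import product

H, WORDS, WBITS, HBITS = 5, 4, 8, 3   # 5 tables; 32-bit key = 4 x 8-bit words; 3-bit hash per word

def word_hashes(rng):
    """Per word, a random balanced 8-bit -> 3-bit map: every hash value has 2^8/2^3 = 32 preimages."""
    base = [v % (1 << HBITS) for v in range(1 << WBITS)]
    return [rng.sample(base, len(base)) for _ in range(WORDS)]

def bucket(maps, key):
    """Modular hash: hash each 8-bit word on its own, concatenate into a 12-bit bucket index."""
    b = 0
    for i, m in enumerate(maps):
        b = (b << HBITS) | m[(key >> (WBITS * (WORDS - 1 - i))) & 0xFF]
    return b

class Sketch:
    def __init__(self, seed=2004):
        rng = random.Random(seed)
        self.maps = [word_hashes(rng) for _ in range(H)]
        self.T = [[0] * (1 << (HBITS * WORDS)) for _ in range(H)]

    def update(self, key, u):
        for j in range(H):                       # T_j[h_j(k)] += u for all j
            self.T[j][bucket(self.maps[j], key)] += u

    def reverse(self, heavy):
        """heavy[j] = heavy bucket of table j. Intersect the reverse-mapped sets word by word."""
        per_word = []
        for i in range(WORDS):
            shift = HBITS * (WORDS - 1 - i)
            cand = set(range(1 << WBITS))
            for j in range(H):
                want = (heavy[j] >> shift) & ((1 << HBITS) - 1)
                cand = {w for w in cand if self.maps[j][i][w] == want}
            per_word.append(sorted(cand))
        return [int.from_bytes(bytes(ws), "big") for ws in product(*per_word)]

def demo():
    rng, s = random.Random(7), Sketch()
    culprit = 0x94AB95A3                         # the 32-bit key drawn on the slides
    for _ in range(500):
        s.update(rng.getrandbits(32), 1)         # constructed background traffic
    s.update(culprit, 1000)                      # constructed heavy change
    heavy = [max(range(len(t)), key=t.__getitem__) for t in s.T]
    return culprit, s.reverse(heavy)
```

Each intersection runs over at most 256 word values instead of the 2^20 keys behind a bucket, and no key is ever stored in the sketch.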

An Important problem: spatial locality
This hashing scheme is biased, not uniform
In network streams, there is strong spatial locality in IP addresses
E.g. many addresses fall into 120.105.56.*
These would be mapped into very few buckets: large number of collisions, low sketch accuracy
Fix: IP Mangling

Without IP mangling: skewed!

IP Mangling removes correlations
Key idea: randomize the input data to destroy correlations
Must be reversible also!

Theory of Modular Linear Equations
f(x) = a·x mod n
To be invertible: a and n must be relatively prime
a is chosen randomly
Can be easily reversed: replace a by a^-1!
This function is highly effective in resolving the skewed distribution
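
An added example (not from the presentation) of the mangling function f(x) = a·x mod n applied to the 120.105.56.* block mentioned earlier. It assumes n = 2^32 and a fixed, constructed odd multiplier so the run is repeatable; the function names are illustrative. Because modular hashing hashes each 8-bit word separately, it counts how many distinct values each word takes before and after mangling.

```python
from math import gcd

N = 1 << 32                                    # IPv4 key space, the n in f(x) = a*x mod n

def inverse(a, n=N):
    """Return a^-1 mod n; f is only invertible when a and n are relatively prime."""
    if gcd(a, n) != 1:
        raise ValueError("a and n must be relatively prime")
    return pow(a, -1, n)                       # modular inverse (Python 3.8+)

def mangle(x, a, n=N):
    """f(x) = a*x mod n; calling it with a^-1 undoes it."""
    return (a * x) % n

def distinct_per_word(keys):
    """How many distinct values each 8-bit word takes, most significant word first."""
    return [len({(k >> s) & 0xFF for k in keys}) for s in (24, 16, 8, 0)]

def demo(a=0x9E3779B1):                        # constructed odd multiplier (assumption)
    subnet = [(120 << 24) | (105 << 16) | (56 << 8) | host for host in range(256)]
    mangled = [mangle(x, a) for x in subnet]
    restored = [mangle(y, inverse(a)) for y in mangled]
    return distinct_per_word(subnet), distinct_per_word(mangled), restored == subnet
```

Unmangled, three of the four words are constant across the block, so three of the four per-word hashes are identical for all 256 addresses. Multiplication modulo 2^32 carries only upward, so the spreading comes from the varying low byte reaching the upper words.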

With IP mangling: uniform!

Recap
Intersections of reverse mapped sets: converge to the culprit key
Modular Hashing: makes intersection time and space efficient
IP Mangling: removes the non-uniformity of modular hashing

Handling Multiple Intersections…
A more complex problem
Illustration
How do we take intersections now?
Each hash table contains two anomalies now: two culprit keys…

Handling Multiple Intersections…
Multiple possibilities…
Take the union of keys from each hash table, and then the intersection: false positives

Handling Multiple Intersections…
Multiple possibilities…
Try all possible combinations of intersections: expensive and inaccurate(?)

Handling Multiple Intersections…
Bucket Vector Algorithm: a new algorithm
—Efficient
—Similar to all possible intersections but takes polynomial time
Documented in our technical report

Evaluation
Got traffic traces from a large ISP
—Each 5 min interval: 7.5 GB of traces
Used the Change Detection Method described earlier

Evaluation
Efficacy depends on number of heavy changers
—Depends on change threshold
—Lower threshold: larger number of heavy changes
To verify our results, used a naïve multi-pass algorithm as the ground truth

Our methods are quite effective
Detection quite accurate, even up to 20 heavy changes
Very few false positives and false negatives

The bucket vector algorithm is important
For multiple changes, the method of intersection is quite important
E.g. without the bucket vector algorithm: [figure]

We can make the sketch more accurate
Use 6 hash tables, instead of 5
—Makes intersections very accurate, fewer false negatives

Conclusions
Sketches are a powerful method for scalable change detection
Our main contribution: can reverse them
—Greatly enhances their applicability in online systems
We can extract heavy changes from the sketches, without storing any key information
Methods are accurate
—Low number of false positives and false negatives
Methods are efficient
—Runtime: only poly-logarithmic in key space
—Space: logarithmic in key space

Future Work: Three areas
Application to online real-time systems
—Performance evaluation
—Hardware design of our methods
More advanced applications:
—Hierarchical change detection
—Output the prefix changes, not just the key changes!
–E.g. 129.105.100.* shows a big change!
Advanced change detection methods:
—Statistical methods