New Streaming Algorithms for Fast Detection of Superspreaders

Venkataraman, Shobha; Song, Dawn; Gibbons, Phillip B.; Blum, Avrim

doi:10.21236/ada461026

Cited by 164 publications

(182 citation statements)

References 36 publications

Supporting

Mentioning

180

Contrasting

Unclassified

Order By: Relevance

“…A stream of packets can therefore be viewed as a series of edges, and this depicts a multigraph since the same pair of communicants may appear many times distributed over the edge stream. Properties of this multigraph are important for network managers: for example, nodes of high degree are those that communicate with a large number of other participants in the network; identifying such nodes (called superspreaders [210]) in an IP network can indicate unusual activity on that host, such as port scans or virus activity, even though the overall traffic volume for that host may still be low since each scan requires only a few packets. So, one has to study degrees and moments based on the number of different communicants connected to a node rather than the total volume of communications between hosts.…”

Section: Graph Theorymentioning

confidence: 99%

“…There was a gem of a paper by Munro and Paterson [174] before 1980 that specifically focused on multi-pass algorithms; it presented one pass algorithms and multi-pass lower bounds on approximately finding quantiles of a signal. Gibbons and Matias at Bell Labs synthesized the idea of Synopsis Data Structures [210] that specifically embodied the idea of a small space, approximate solution to massive data set problems. The influential paper of Alon, Matias and Szegedy [14] used limited independence for small space simulation of sophisticated, one-pass norm estimation algorithms.…”

Section: Historic Notesmentioning

confidence: 99%

See 1 more Smart Citation

Data Streams: Algorithms and Applications

Muthukrishnan

2005

FNT in Theoretical Computer Science

779

541

View full text Add to dashboard Cite

In the data stream scenario, input arrives very rapidly and there is limited memory to store the input. Algorithms have to work with one or few passes over the data, space less than linear in the input size or time significantly less than the input size. In the past few years, a new theory has emerged for reasoning about algorithms that work within these constraints on space, time, and number of passes. Some of the methods rely on metric embeddings, pseudo-random computations, sparse approximation theory and communication complexity. The applications for this scenario include IP network traffic analysis, mining text message streams and processing massive data sets in general. Researchers in Theoretical Computer Science, Databases, IP Networking and Computer Systems are working on the data stream challenges. This article is an overview and survey of data stream algorithmics and is an updated version of [175].

show abstract

Section: Graph Theorymentioning

confidence: 99%

Section: Historic Notesmentioning

confidence: 99%

Data Streams: Algorithms and Applications

Muthukrishnan

2005

FNT in Theoretical Computer Science

779

541

View full text Add to dashboard Cite

show abstract

“…Where the stream is timevarying, it is sometimes of interest to monitor only the heavy hitters within a recent time window, or with some other timedecay [24,12,35,15]. The 'distinct heavy hitters' are found over pairs of items (a, b), as those items a associated with a large number of distinct values b [36]. The notion of hierarchical heavy hitters says that when items fall in a hierarchy (or combination of hierarchies), it is interesting to find nodes in the hierarchy that are heavy from aggregating their descendants [11].…”

Section: Related Workmentioning

confidence: 99%

Conditional heavy hitters: detecting interesting correlations in data streams

et al. 2015

View full text Add to dashboard Cite

The notion of heavy hitters-items that make up a large fraction of the population-has been successfully used in a variety of applications across sensor and RFID monitoring, network data analysis, event mining, and more. Yet this notion often fails to capture the semantics we desire when we observe data in the form of correlated pairs. Here, we are interested in items that are conditionally frequent: when a particular item is frequent within the context of its parent item. In this work, we introduce and formalize the notion of Conditional Heavy Hitters to identify such items, with applications in network monitoring, and Markov chain modeling. We explore the relationship between Conditional Heavy Hitters and other related notions in the literature, and show analytically and experimentally the usefulness of our approach. We introduce several algorithm variations that allow us to efficiently find conditional heavy hitters for input data with very different characteristics, and provide analytical results for their performance. Finally, we perform experimental evaluations with several synthetic and real datasets to demonstrate the efficacy of our methods, and to study the behavior of the proposed algorithms for different types of data.

show abstract

“…Venkataraman et al propose efficient algorithms to detect superspreaders, sources that connect to a large number of distinct destinations [36]. They can detect horizontal scans and worm propagation, but may have high false positives with P2P traffic where a single host may connect to many peers for download.…”

Section: Related Work On Intrusion Detection Systemsmentioning

confidence: 99%

HiFIND: A high-speed flow-level intrusion detection approach with DoS resiliency

Gao

Chen

2010

Computer Networks

View full text Add to dashboard Cite

a b s t r a c tGlobal-scale attacks like worms and botnets are increasing in frequency, severity and sophistication, making it critical to detect outbursts at routers/gateways instead of end hosts. In this paper, leveraging data streaming techniques such as the reversible sketch, we design HiFIND, a High-speed Flow-level Intrusion Detection system. In contrast to existing intrusion detection systems, HiFIND: (i) is scalable to flow-level detection on high-speed networks; (ii) is DoS resilient; (iii) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; (iv) enables aggregate detection over multiple routers/gateways; and (v) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (e.g. OC192), even for the worst-case traffic of 40-byte-packet streams with each packet forming a flow.

show abstract

New Streaming Algorithms for Fast Detection of Superspreaders

Cited by 164 publications

References 36 publications

Data Streams: Algorithms and Applications

Data Streams: Algorithms and Applications

Conditional heavy hitters: detecting interesting correlations in data streams

HiFIND: A high-speed flow-level intrusion detection approach with DoS resiliency

Contact Info

Product

Resources

About