2[0000−0002−5100−1519] , Hsu-Chun Hsiao 3[0000−0001−9592−6911] , Daniele E. Asoni 4[0000−0001−5699−9237] , Simon Scherrer 4[0000−0001−9557−1700] , Adrian Perrig 4[0000−0002−5280−5412] , and Yih-Chun Hu 1[0000−0002−7829−3929]Abstract. The detection of network flows that send excessive amounts of traffic is of increasing importance to enforce QoS and to counter DDoS attacks. Large-flow detection has been previously explored, but the proposed approaches can be used on high-capacity core routers only at the cost of significantly reduced accuracy, due to their otherwise too high memory and processing overhead. We propose CLEF, a new large-flow detection scheme with low memory requirements, which maintains high accuracy under the strict conditions of high-capacity core routers. We compare our scheme with previous proposals through extensive theoretical analysis, and with an evaluation based on worst-case-scenario attack traffic. We show that CLEF outperforms previously proposed systems in settings with limited memory.Keywords: Large-flow detection, damage metric, memory and computation efficiency 5 As in prior literature [15,42], the term large flow denotes a flow that sends more than its allocated bandwidth. arXiv:1807.05652v1 [cs.NI] 16 Jul 2018 (2) * c 168.6 63.75 31.92 26.56 21.96 10.68 7.59 * Time unit is second.