TY - GEN
T1 - Constant time updates in hierarchical heavy hitters
AU - Basat, Ran Ben
AU - Einziger, Gil
AU - Friedman, Roy
AU - Luizelli, Marcelo C.
AU - Waisbard, Erez
N1 - Publisher Copyright: © 2017 ACM.
PY - 2017/8/7
Y1 - 2017/8/7
N2 - Monitoring tasks, such as anomaly and DDoS detection, require identifying frequent flow aggregates based on common IP prefixes. These are known as hierarchical heavy hitters (HHH), where the hierarchy is determined based on the type of prefixes of interest in a given application. The per packet complexity of existing HHH algorithms is proportional to the size of the hierarchy, imposing significant overheads. In this paper, we propose a randomized constant time algorithm for HHH. We prove probabilistic precision bounds backed by an empirical evaluation. Using four real Internet packet traces, we demonstrate that our algorithm indeed obtains comparable accuracy and recall as previous works, while running up to 62 times faster. Finally, we extended Open vSwitch (OVS) with our algorithm and showed it is able to handle 13.8 million packets per second. In contrast, incorporating previous works in OVS only obtained 2.5 times lower throughput.
KW - Heavy Hitters
KW - Measurement
KW - Monitoring
KW - Streaming
UR - http://www.scopus.com/inward/record.url?scp=85029426073&partnerID=8YFLogxK
U2 - 10.1145/3098822.3098832
DO - 10.1145/3098822.3098832
M3 - Conference contribution
AN - SCOPUS:85029426073
T3 - SIGCOMM 2017 - Proceedings of the 2017 Conference of the ACM Special Interest Group on Data Communication
SP - 127
EP - 140
BT - SIGCOMM 2017 - Proceedings of the 2017 Conference of the ACM Special Interest Group on Data Communication
PB - Association for Computing Machinery, Inc
T2 - 2017 Conference of the ACM Special Interest Group on Data Communication, SIGCOMM 2017
Y2 - 21 August 2017 through 25 August 2017
ER -