Reverse Hashing for Sketch Based Change Detection in High Speed Networks

Reverse Hashing for Sketch Based Reverse Hashing for Sketch Based

Change Detection in High Speed Change Detection in High Speed NetworksNetworks

Ashish GuptaAshish GuptaElliot ParsonsElliot Parsons

with Robert Schweller, Theory Groupwith Robert Schweller, Theory Group

Advisor: Yan ChenAdvisor: Yan ChenClass Presentation, June 2004, Network SecurityClass Presentation, June 2004, Network Security

Computer Science Department, Northwestern UniversityComputer Science Department, Northwestern University

3 3

Overview

• Anomaly Detection

• Sketch Based Approaches and their problems

• Reverse Hashing algorithms

• Dealing with Multiple Anomalies

• Evaluation

• Conclusions

• Future Work

4 4

Overview





• Evaluation

• Conclusions

• Future Work

5 5

Anomaly Detection

• Goes beyond signature detection

• Two popular types:— Heavy Hitter Detection

— Change detection : very broad simple change to statistical methods

• Online real-time difficult— Heavy hitter: some solutions proposed

— Heavy Change ?

• Scalability with High speed traffic— Large Number of flows: large memory required

— Performance penalty

• Scalable Change Detection: Sketch to the rescue !

6 6

Overview





• Evaluation

• Conclusions

• Future Work

7 7

What is a sketch ?

• Probabilistic summary of data streams—Widely used in database research to handle

massive data streams

Space Accuracy

Hash table Per-key state 100%

Sketch CompactWith probabilistic guarantees (better for larger values)

• Array of hash tables: Tj[K] (j = 1, …, H)

8 8

What is a sketch ?

1

j

H

0 1 K-1…

……

hj(k)

hH(k)

h1(k)

Update (k, u): Tj [ hj(k)] += u (for all j)

Estimate v(S, k): sum of updates for key k

K

KsumkhT jjj /11

/)]([median

9 9

Using Sketch for anomaly detection

• Requires very little space:— E.g. 5 hash tables with 16 K buckets = 360 K

— High speed memory usable

— Still able to reconstruct the values with high accuracy

• Its main problem— To know the value of a key, must know the key.

— Can know the anomalies, not the keys !

10 10

Using Sketch for anomaly detection

• Requires very little space:— E.g. 5 hash tables with 16 K buckets = 360 K

— High speed memory usable

— Still able to reconstruct the values with high accuracy

• Its main problem— To know the value of a key, must know the key.

— Can know the anomalies, not the keys !

??

11 11

Overview





• Evaluation

• Conclusions

• Future Work

12 12

Our contribution

??

How can we figure out the keys without storing them explicitly ?

13 13

Step 1: Taking Intersections

• Each hash table independent hash function

• Each key maps to different bucket in each table— Each bucket maps to a large set of keys

• Example: Key maps to b1, b2, b3, b4, b5

• Intersect A1, A2, A3, A4, A5 really small set !

• E[x] << 1 for 5 hash tables (ref. our paper )

14 14

The problem with simple intersection

• Why is this difficult ?— One to many mapping

• Each set Ai can be very large !

— E.g. for IP addresses Key space is 232. For 212 buckets 220 keys per bucket !

15 15

Problem with Intersections

• How do we store these huge mappings ?

• How de we take intersections of these huge sets ?

Modular hashing

• Partition the key into separate words

• Hash each word separately

32 bits

8 bits

10010100 10101011 10010101 10100011

16 16

Modular hashing reduces the set size

32 bits

8 bits

10010100 10101011 10010101 10100011

h1() h2() h3() h4()

010 110 001 101

010 110 001 101

Greatly reduces size of reverse mapped sets

17 17

Modular hashing

Only 32 elements per partition

• For 8 bit to 3 bit hashing : Each bucket maps to 25 = 32 keys small !

28/23

18 18

Modular Hashing is Efficient

• Very efficient in space and time:

— If n is the key space, m is hash space, q is number of words,

— Space =

— Run time (intersections) =

))((1

q

m

nqO

))(.(1

q

m

nHqO

Set q = O(log n)

logarithmic in key space

poly-log in key space

19 19

An Important problem: spatial locality

• This hashing scheme is not uniform and biased

• In network streams, strong spatial locality in IP addresses

• E.g. many addresses fall into 120.105.56.*

• These would be mapped into very few buckets large number of collisions low sketch accuracy

IP Mangling

20 20

Without IP mangling: skewed !

21 21

IP Mangling removes correlations

• Key idea : randomize the input data to destroy correlations

• Must be reversible also !

22 22

Theory of Modular Linear Equations

f(x) a·x mod n

To be invertible: Must be relatively prime

• a is chosen randomly

• Can be easily reversed: replace a by a-1 !

• This function is highly effective in resolving the skewed distribution

23 23

With IP mangling: uniform !

24 24

Recap

Intersections of reverse mapped sets Converges to culprit key

Modular Hashing Makes intersection time and space efficient

IP Mangling Removes un-uniformity of modular hashing

25 25

Overview





• Evaluation

• Conclusions

• Future Work

26 26

Handling Multiple Intersections…

• A more complex problem Illustration

How do we take intersections now ?

• Each hash table contains two anomalies now two culprit keys…

27 27


• Multiple possibilities….

• Take union of keys from each hash table, and then intersection False positives

28 28


• Multiple possibilities….

• Try all possible combinations of intersections….

• Expensive and inaccurate(?)

29 29


• Bucket Vector Algorithm: a new algo— Efficient

— Similar to all possible intersections but takes polynomial time

• Documented in our technical report

30 30

Overview





• Evaluation

• Conclusions

• Future Work

31 31

Evaluation

• Got traffic traces from a large ISP— Each 5 min interval 7.5 GB of traces

• Used the Change Detection Method described earlier

32 32

Evaluation

• Efficacy depends on number of heavy changers— Depends on change threshold,

— Less threshold large number of heavy changes

• To verify our results, used a naïve multi-pass algo the Ground Truth

33 33

Our methods are quite effective

• Detection quite accurate, even upto 20 heavy changes

• False positives and false negatives very less

34 34

The bucket vector algorithm is important

• For multiple changes, the method of intersection quite important

• E.g. w/o bucket vector algorithm:

35 35

We can make the sketch more accurate

• Use 6 hash tables , instead of 5— Makes intersections very accurate, less false negatives

36 36

Conclusions

• Sketches a powerful method for scalable change detection

• Our main contribution : can reverse them— Greatly enhances their applicability in online systems

• We can extract heavy changes from the sketchs, without storing any key information

• Methods are accurate— Low number of false positives and false negatives

• Methods are efficient— Runtime: Only poly-logarithmic in key space

— Space: logarithmic in key space

37 37

Overview





• Evaluation

• Conclusions

• Future Work

38 38

Future Work: Three areas

• Application to Online real-time systems— Performance evaluation

— Hardware design of our methods

• More advanced applications:— Hierarchical change detection

— Output the prefix changes not just the key changes !– E.g. 129.105.100.* shows a big change !

• Advanced change detection methods:— Statistical methods

Documents

Reverse Hashing for Sketch Based Change Detection in High Speed Networks