Title: A hash-based algorithm for measuring cardinality distribution in network traffic
Authors: Weijiang Liu; Chao Liu; Shuming Guo
Addresses: School of Information Science and Technology, Dalian Maritime University, No. 1, Linghai Road, Dalian, Liaoning, 116026, China ' School of Information Science and Technology, Dalian Maritime University, No. 1, Linghai Road, Dalian, Liaoning, 116026, China ' School of Information Science and Technology, Dalian Maritime University, No. 1, Linghai Road, Dalian, Liaoning, 116026, China
Abstract: The host cardinality, defined as the number of distinct peers that a host communicates with, is an important metric for profiling hosts. Host cardinality distribution is very useful for characterising the communication connectivity patterns between hosts inside a network. With the development of the internet, network intrusion events occur frequently, such as worm propagation, DDoS attacks, port scanning, etc. These attacks generate a lot of traffic connections in a short time, resulting in network block and even paralysis. In the case of DDoS or worm attacks, the infected host usually produces a lot of connections with other hosts in a short period of time, then the host cardinality distribution will be different from normal situations. Hence, this paper proposes a hash-based algorithm for measuring the host cardinality distribution. Combining with hash, Bloom filter, and data stream algorithm, the space and time consumption of the algorithm is very small, so it can be used to estimate the host cardinality distribution in the high-speed network.
Keywords: host cardinality distribution; IP flow; hash based algorithm; network traffic; distributed DoS; denial of service; DDoS attacks; worm attacks; Bloom filter; data stream; network security.
DOI: 10.1504/IJAACS.2016.075387
International Journal of Autonomous and Adaptive Communications Systems, 2016 Vol.9 No.1/2, pp.136 - 148
Received: 19 Sep 2013
Accepted: 31 Dec 2013
Published online: 19 Mar 2016 *