Title :
An efficient sketch-based framework to identify multiple heavy-hitters and its application in DoS detection
Author :
Dashti, Sadegh ; Berenjkoub, Mehdi ; Tahmasbi, Ashraf
Author_Institution :
Dept. of Electr. & Comput. Eng., Isfahan Univ. of Technol., Isfahan, Iran
Abstract :
Nowadays, with the increasing speed of communication links and the growing volume of generated traffic, Network Intrusion Detection Systems (NIDSs) face new challenges. NIDSs inspect all packets to find attacks and abnormal behaviors. In addition, NIDSs keep the state of each flow to increase detection accuracy. Performing packet inspection in today's high-speed networks is hard, or even impossible, and keeping per-flow state is not scalable. Large-scale attacks such as DoS attacks usually produce many flows, and keeping their state requires many resources. Consequently, approaches that investigate the behavior of communication patterns at the flow level, instead of relying on packet inspection, are taken into consideration. Different algorithms and techniques have been proposed for flow-based detection of DoS attacks. Recently, approaches based on data streaming algorithms have attracted much attention. These algorithms enable the analysis and processing of large data sets by constructing a compact synopsis of the input data. This synopsis can be used to answer certain queries over the original data. The sketch is one such synopsis structure, and several intrusion detection systems have been proposed based on it. Most of these proposed approaches perform well if just one flow has anomalous characteristics. But if there are several abnormal flows, sketches encounter difficulties. This paper for the first time provides a framework to avoid such problems in the presence of several abnormal flows. The proposed framework rearranges the hash functions in an appropriate data structure and overcomes such problems in the presence of several abnormal flows.
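To make the flow-level, sketch-based heavy-hitter detection the abstract discusses concrete, here is an added example that is not the paper's framework: a plain count-min sketch summarises a constructed packet stream keyed by source address and flags sources whose estimated count reaches a threshold. The traffic generator, the sketch dimensions and the threshold are all assumptions chosen for the demonstration; running it with a narrow sketch shows how several flooding sources colliding with benign keys inflate estimates and produce false positives.

```python
import hashlib
from collections import Counter


def _bucket(row, key, width):
    # One independent hash per sketch row; blake2b with a row prefix keeps the
    # demo dependency-free (assumption: any well-mixed hash family would do).
    digest = hashlib.blake2b(f"{row}:{key}".encode(), digest_size=8).digest()
    return int.from_bytes(digest, "little") % width


class CountMinSketch:
    """depth rows x width counters; estimate() never undercounts the true value."""

    def __init__(self, depth, width):
        self.depth, self.width = depth, width
        self.rows = [[0] * width for _ in range(depth)]

    def update(self, key, count=1):
        for r in range(self.depth):
            self.rows[r][_bucket(r, key, self.width)] += count

    def estimate(self, key):
        return min(self.rows[r][_bucket(r, key, self.width)] for r in range(self.depth))


def constructed_traffic(n_benign=300, floods=("10.0.0.1", "10.0.0.2", "10.0.0.3"), flood=500):
    """Constructed stream: many small benign flows plus several flooding sources."""
    packets = [f"192.168.{i // 250}.{i % 250}" for i in range(n_benign) for _ in range(1 + i % 3)]
    for src in floods:
        packets += [src] * flood
    return packets


def sketch_heavy_hitters(packets, threshold, depth=4, width=256):
    """One pass over the stream; returns (true_heavy, reported, false_positives).
    Exact counts are kept here only to measure the sketch's error."""
    exact = Counter(packets)
    cms = CountMinSketch(depth, width)
    for src in packets:
        cms.update(src)
    true_heavy = {k for k, c in exact.items() if c >= threshold}
    reported = {k for k in exact if cms.estimate(k) >= threshold}
    return true_heavy, reported, reported - true_heavy


def never_undercounts(packets, depth=4, width=256):
    """Count-min guarantee: every estimate is >= the exact count of that key."""
    exact, cms = Counter(packets), CountMinSketch(depth, width)
    for src in packets:
        cms.update(src)
    return all(cms.estimate(k) >= c for k, c in exact.items())


if __name__ == "__main__":
    stream = constructed_traffic()
    for depth, width in ((4, 256), (2, 32)):  # sized sketch vs. a deliberately narrow one
        heavy, reported, fps = sketch_heavy_hitters(stream, 100, depth, width)
        print(f"depth={depth} width={width}: true={sorted(heavy)} false_positives={len(fps)}")
```

With the wide sketch the three flooding sources are reported cleanly; with the narrow one, benign sources that share buckets with more than one flood in every row are also reported, which is the multi-heavy-hitter difficulty the abstract refers to.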
Keywords :
computer network security; data structures; query processing; DoS attack; DoS detection application; NIDS; anomalous characteristic; communication link; compact data synopsis; data set processing; data streaming algorithm; data structure; flow-based detection; hash function; high-speed network; multiple heavy-hitter identification; network intrusion detection system; packet inspection; per flow state; query answering; sketch-based framework efficiency; Algorithm design and analysis; Approximation algorithms; Approximation methods; Computer crime; High-speed networks; Intrusion detection; Radiation detectors; DoS attack; Sketch; heavy hitter; intrusion detection; related counters;
Conference_Title :
Electrical Engineering (ICEE), 2014 22nd Iranian Conference on
Conference_Location :
Tehran
DOI :
10.1109/IranianCEE.2014.6999702