Enhancing Resiliency of Sketch-based Security via LSB Sharing-based Dynamic Late Merging

Seungsam Yang, Seyed Mohammad Mehdi Mirnajafizadeh, Sian Kim, Rhongho Jang, DaeHun Nyang

TL;DR

The paper tackles the vulnerability of small-counter, sketch-based traffic measurement to sketch pollution attacks. It proposes SC_LSB, a Siamese Counter that employs Least Significant Bit sharing and late merging to extend counter capacity while preserving multiple independent counters, thereby blending static isolation with dynamic recycling. The authors provide theoretical analyses of error bounds and demonstrate through extensive experiments that SC_LSB significantly improves accuracy under pollution attacks across flow-size estimation, heavy-hitter detection, change detection, entropy estimation, and related security tasks, with only modest throughput overhead. This work offers a practical path toward more resilient sketch-based security in cloud and data-plane environments, where memory efficiency and robustness against adversarial manipulation are critical.

Abstract

With the exponentially growing Internet traffic, the sketch data structure with a probabilistic algorithm has been expected to be an alternative solution for non-compromised (non-selective) security monitoring. While facilitating counting within a confined memory space, the sketch's memory efficiency and accuracy were further pushed to their limit through finer-grained and dynamic control of constrained memory space to adapt to the data stream's inherent skewness (i.e., Zipf distribution), namely small counters with extensions. In this paper, we unveil a vulnerable factor of the small counter design by introducing a new sketch-oriented attack, which threatens a stream of state-of-the-art sketches and their security applications. With the root cause analyses, we propose Siamese Counter with enhanced adversarial resiliency and verified feasibility with extensive experimental and theoretical analyses. Under a sketch pollution attack, Siamese Counter delivers 47% more accurate results than a state-of-the-art scheme, and demonstrates up to 82% more accurate estimation under normal measurement scenarios.

Paper Structure

This paper contains 23 sections, 11 equations, 17 figures, 1 table, 2 algorithms.

Figures (17)

  • Figure 1: Structure of representative static extension (FCM) and dynamic merging (SALSA).
  • Figure 2: Attack Logistic: saturating counters in the dynamic counter extension SALSA affect idle counters, while in the static counter extension FCM, they operate independently.
  • Figure 3: Adversarial attack on representative dynamic and static sketches: initially, static structure FCM demonstrates better accuracy against attack traffic, but its performance degrades as more counters are targeted. For heavy hitter detection, FCM and CountLess excel at low detection thresholds but underperform compared to dynamic structures when the pre-defined threshold becomes higher.
  • Figure 4: LSB bit sharing between counters $C_0$ and $C_1$: each counter shares 2 bits, resulting in a total of 10 bits per counter, i.e., 4 shared LSBs and the original 6-bit MSB.
  • Figure 5: Instant merging vs. late merging: instant merging reduces the number of counters and increases the collision rate, leading to high estimation error. Meanwhile, late merging maintains both the number of counters and the collision rate.
  • ...and 12 more figures