ExtendedSketch: Fusing Network Traffic for Super Host Identification With a Memory Efficient Sketch

Super host refers to the that has a high cardinality or exhibits big change in network. Facing big-volume network traffic, sketches have been widely applied identify super hosts an efficient and accurate way. However, most cannot flexibly balance memory usage accuracy estimation. Setting inappropriate counter size for sketch could either lead inaccurate estimation cause waste. In order solve this issue, we propose novel extensible reversible sketch, named ExtendedSketch, achieve identification with efficiency. The core idea of ExtendedSketch is monitor low-cardinality small-sized counters while dynamically extending when monitoring high-cardinality by applying adaptive extension strategy. Such strategy can adaptively increase according traffic status at runtime, which not only ensures but also avoids unnecessary consumption. We perform theoretical analysis conduct series experimental evaluations on based real world traffic. Experimental results show under same usage, compared state-of-the-art, achieves $1.4{ \sim }7.5$ times smaller error rate estimating notation="LaTeX">$1.9{ }26.7$ better notation="LaTeX">$95 {\sim }2^{15}$ faster speed abnormal address reconstruction. Its advance efficiency demonstrates practical significance identification.