hierarchical bloom filters accelerating flow queries and
play

Hierarchical Bloom Filters: Accelerating Flow Queries and Analysis - PowerPoint PPT Presentation

Aug 19, 2023 •302 likes •626 views

Lawrence Livermore National Laboratory Hierarchical Bloom Filters: Accelerating Flow Queries and Analysis January 8, 2008 FloCon 2008 Chris Roblee DOE Computer Incident Advisory Capability (CIAC) Lawrence Livermore National Laboratory, P. O.

  1. Lawrence Livermore National Laboratory Hierarchical Bloom Filters: Accelerating Flow Queries and Analysis January 8, 2008 FloCon 2008 Chris Roblee DOE Computer Incident Advisory Capability (CIAC) Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA 94551 This work performed under the auspices of the U.S. Department of Energy by UCRL-PRES-236738 Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344

  2. Overview  Introduction to Bloom Filters  Overview of CIAC’s Bloom Filter-Based indexing System  Approach's Applicability for CIAC & other CERTs  Performance on Actual Flow Data  Applications of Approach in Conjunction With Analytical Tools • Facilitating incident detection and analysis with flow visualization tools. Lawrence Livermore National Laboratory 2 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  3. A Very Brief Introduction to Bloom Filters Lawrence Livermore National Laboratory 3 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  4. Introduction to Bloom Filters  High-level Functionality – trivial Create bloom filter of create() Bloom fruit types, name: Filter “fruit” “fruit” Add: insert() “apple” Add: insert() “lychee” Contains element: Answer: query() “lychee”? “Yes” Answer: Contains element: query() “No” “broccoli”? http://www.eecs.harvard.edu/~michaelm/NEWWORK/postscripts/BloomFilterSurvey.pdf http://en.wikipedia.org/wiki/Bloom_filter Lawrence Livermore National Laboratory 4 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  5. Introduction to Bloom Filters  The Concept • Efficient, probabilistic data structure, providing extremely light- weight string lookups, or “approximate membership queries”. • Invented by Burton Bloom in 1970 to optimize spellchecking. • Trade-off small probability of false positives for massive gains in space and time efficiency . • Popular for various large-scale network applications (e.g., web caches, query routing). References: http://www.eecs.harvard.edu/~michaelm/NEWWORK/postscripts/BloomFilterSurvey.pdf http://en.wikipedia.org/wiki/Bloom_filter Lawrence Livermore National Laboratory 5 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  6. How Bloom Filters Work 1. Empty bloom filter is a bit array of m ‘0’- bits. … k 2. Introduce k different hash functions, each maps m bits key value to one of m array positions. ELEMENT 1 3. Insert element by feeding it to each hash function, … k to obtain k array positions. Set these bits to ‘1’. ELEMENT 1 4. Query element (check its existence) by re-feeding into … each hash function, and checking corresponding bit k positions. If all bits are ‘1’, then element is either in the filter or it’s a false positive. ELEMENT 2 5. If bit positions of hashes of an element contain a ‘0’, … then that element is definitely not in filter (no false k negatives). Lawrence Livermore National Laboratory 6 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  7. Introduction to Bloom Filters  False Positives Probability of false positive for a populated bloom filter is: • p(FP ) Probability of False Positive 0.015 0.014 0.013 0.012 Probability of False Positive 0.011 0.01 0.009 k=8 0.008 k=6 0.007 k=4 0.006 k=2 0.005 0.004 0.003 0.002 0.001 0 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 m/n (filter bits/element)  k - number of hash functions used  n – number of elements inserted  m – size of bloom filter (bit array) Lawrence Livermore National Laboratory 7 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  8. Bloom Filters - Summary • Quick test of element membership: • Significant space and time advantages over many standard, 0 likelihood of false negatives • deterministic indexing structures: • Tunable false positive rates • Self-balancing trees • Tries • Probability of collisions proportional to the number of elements in set & Hash-Tables • inversely proportional to filter size. Arrays, Linked Lists • • Enforce maximum false positive • Query time is O(k), independent of number threshold by tuning filter size: of items in set. Often require as little as one byte per • • Many open source implementations element available. Functionality Practicality Inexpensive, easy to deploy and maintain Lawrence Livermore National Laboratory 8 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  9. Bloom Filters: Operational Viability for CIAC and the CERT Community Lawrence Livermore National Laboratory 9 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  10. CIAC’s Flow Collection Review  CIAC collects massive volumes of biflow data from 29 sensors across the DOE complex: 300-500 million biflows daily (~4600/s) • ~14GB/94GB compressed/uncompressed daily • A pproximate daily averages by sensor 50,000,000.00 45,000,000.00 40,000,000.00 35,000,000.00 30,000,000.00 Average # records per day Recordss 25,000,000.00 M in # records per day M ax # records per day 20,000,000.00 15,000,000.00 10,000,000.00 5,000,000.00 0.00 Sensor Lawrence Livermore National Laboratory 10 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  11. CIAC’s Flow Collection Review  biflow feed: • Session summary • Fields: − Date/Time & Duration − Source/Destination IP and Port − Protocol Information − Bidirectional Byte and Packet Counts − Bidirectional Protocol Options − Subset of TCP/ICMP flags Example Biflow Record 1171066191.997532,20070210000951.997532,site3,flo30,6,192168081021,192,168,81,21,IT,010000001008,10,0,1,8,US,53,1024,0,0,0.0000,0,0,54,0,1,0,0,0,0,0,0,60,0,60,0,,,14,00,+14,0,0,0,0 Lawrence Livermore National Laboratory 11 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  12. CIAC Analysis - Legacy Search Methodologies  File grep • Search sensors and hours for range of interest (e.g., “site3, site12, site21 from 10/1/06 through 12/31/06”). • Requires reading/decompressing and combing through GBs of data (from disk) for every day searched.  RDBMS - Oracle • SQL+ • Perl/JDBC Biflow DB • Typically limited* to past ~25 days of bi-directional sessions (~15%)  AWARE web portal • High-level charting and statistics (session counts, etc.) Many mission-critical searches can take several hours or days to complete Lawrence Livermore National Laboratory 12 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  13. Current CIAC Analysis Data Flow Lawrence Livermore National Laboratory 13 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  14. Watch and Warn Query Needs and Issues  Rapidly search all flow data over long periods of time: Analysts typically search on IP address: • Watch list (suspicious, known-bad, etc.) − Nodes of interest − Compromised internal nodes − Various time (hours, days, months) and space (single site, all sites) • scales. Require quick turnaround (minutes) to respond to site requests: • e.g. “Have you seen these IPs at my site in the past 3 weeks?” − IP-based searches often yield relatively small result sets:  “Interesting” IP might only have been seen in 30 site-hours, whereas 21,600 • hours (~1 DOE-month) might have been searched.  99.9% wasted duty cycle! Need to reduce the search space (raw flow files) through better cataloging of • data as it arrives. Lawrence Livermore National Laboratory 14 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  15. Bloomdex : CIAC’s Bloom Filter-based Indexing System for Network Flow Analysis Lawrence Livermore National Laboratory 15 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  16. Solution: Bloomdex  Bloomdex • A hybrid hierarchy/file-based Bloom filter system to index CIAC’s biflow records. • Currently indexed by s ource or destination IP. • Index partitioned by: − Site-month (e.g., “SITE8 11/2006”) − Site-day (e.g., “SITE8 11/5/2006”) − Site-hour (e.g., “SITE8 11/5/2006 13:00”) • Uses intuitive directory tree structures and multi-scale bloom filters to accelerate IP-based searches. • max(FP rate) ≈ 2x10 -4  3 bytes of storage per unique IP Lawrence Livermore National Laboratory 16 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

  17. Blooomdex - CIAC Analysis Data Flow Lawrence Livermore National Laboratory 17 UCRL-PRES-236738 DOE Computer Incident Advisory Capability (CIAC)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bloom Filters Queries False-Positives Analysis Summary Anil Maheshwari anil@scs.carleton.ca

Bloom Filters Queries False-Positives Analysis Summary Anil Maheshwari anil@scs.carleton.ca

Bloom Filters Anil Maheshwari Bloom Filter Data Structure Bloom Filters Queries False-Positives Analysis Summary Anil Maheshwari anil@scs.carleton.ca School of Computer Science Carleton University Canada Outline Bloom Filters Anil

556 views • 13 slides
Outline Bloom filters Applications of Bloom filters Our replacement for Bloom filters

Outline Bloom filters Applications of Bloom filters Our replacement for Bloom filters

An Optimal Bloom Filter Replacement a Rasmus Pagh, IT University of Copenhagen Joint work with Anna Pagh, IT University of Copenhagen S. Srinivasa Rao, University of Waterloo a To appear in SODA 2005 1 Outline Bloom filters

405 views • 18 slides
Revisiting Bloom Filters Payload attribution via Hierarchiecal Bloom Filters Kulesh

Revisiting Bloom Filters Payload attribution via Hierarchiecal Bloom Filters Kulesh

Revisiting Bloom Filters Payload attribution via Hierarchiecal Bloom Filters Kulesh Shanmugasundaram, Herve Bronnimann, Nasir Memon 600.624 - Advanced Network Security version 3 Overview Questions Collaborative Intrusion Detection

1.29k views • 58 slides
Filters (Bloom & Quotient) CSCI 333 Operations Filters approximately represent sets.

Filters (Bloom & Quotient) CSCI 333 Operations Filters approximately represent sets.

Filters (Bloom & Quotient) CSCI 333 Operations Filters approximately represent sets. Therefore, a filter must support: Insertions: insert(key) Queries: lookup(key) Filters may also support other operations: Deletion:

510 views • 24 slides
An Examination of Bloom Filters and their Applications Jacob Honoroff March 16, 2006 Outline

An Examination of Bloom Filters and their Applications Jacob Honoroff March 16, 2006 Outline

An Examination of Bloom Filters and their Applications Jacob Honoroff March 16, 2006 Outline Bloom Filter Overview Traditional Applications Hierarchical Bloom Filters Paper Less Traditional Applications & Extensions 1

1.45k views • 113 slides
Bloom Filters Anna Karlin Most slides by Shreya Jayaraman, Luxi Wang, Alex Tsun Bloom Filters:

Bloom Filters Anna Karlin Most slides by Shreya Jayaraman, Luxi Wang, Alex Tsun Bloom Filters:

Bloom Filters Anna Karlin Most slides by Shreya Jayaraman, Luxi Wang, Alex Tsun Bloom Filters: Motivation Large universe of possible data items. Hash table is stored on disk or in network, so any lookup is expensive. Many (if

1.29k views • 43 slides
Vectorized Bloom Filters for Advanced SIMD Processors Orestis Polychroniou Kenneth A. Ross

Vectorized Bloom Filters for Advanced SIMD Processors Orestis Polychroniou Kenneth A. Ross

Vectorized Bloom Filters for Advanced SIMD Processors Orestis Polychroniou Kenneth A. Ross Bloom filters Introduction Original version [Bloom 1970] Represents a set of items Answers: Does item X belong to

446 views • 29 slides
Lecture #2: Advanced hashing and concentration bounds o Bloom filters o Cuckoo hashing o Load

Lecture #2: Advanced hashing and concentration bounds o Bloom filters o Cuckoo hashing o Load

outline Lecture #2: Advanced hashing and concentration bounds o Bloom filters o Cuckoo hashing o Load balancing o Tail bounds Bloom filters Idea: For the sake of efficiency, sometime we allow our data structure to make mistakes Bloom filter:

712 views • 68 slides
Sampling and Reconstruction Using Bloom Filters Neha Sengupta 1 , Amitabha Bagchi 1 , Srikanta

Sampling and Reconstruction Using Bloom Filters Neha Sengupta 1 , Amitabha Bagchi 1 , Srikanta

Sampling and Reconstruction Using Bloom Filters Neha Sengupta 1 , Amitabha Bagchi 1 , Srikanta Bedathur 2 , Maya Ramanath 1 1 IIT Delhi 2 IBM India Research Lab Bloom Filters Compact storage m bits, k hash functions Set Membership

348 views • 19 slides
Bloom Filters References A. Broder and M. Mitzenmacher, Network applications of Bloom A.

Bloom Filters References A. Broder and M. Mitzenmacher, Network applications of Bloom A.

2/16/2017 Bloom Filters References A. Broder and M. Mitzenmacher, Network applications of Bloom A. Broder and M. Mitzenmacher, Network applications of Bloom filters: A survey, Internet Mathematics , vol. 1 no. 4, pp. 485-509, 2004. Li

532 views • 22 slides
Bloom Filters and their Applications These slides were developed by -- and used with permission

Bloom Filters and their Applications These slides were developed by -- and used with permission

Bloom Filters and their Applications These slides were developed by -- and used with permission from -- Shengquan Wang. CPSC 662 Introduction Membership Query Given a set S={x 1 , x 2 , , x n } on a universe U , want to answer the query

304 views • 12 slides
Quotient Filters: Approximate Membership Queries on the GPU Afton Geil University of California,

Quotient Filters: Approximate Membership Queries on the GPU Afton Geil University of California,

Quotient Filters: Approximate Membership Queries on the GPU Afton Geil University of California, Davis GTC 2016 Outline What are approximate membership queries and how are they used? Background on quotient filters Quotient filter

477 views • 30 slides
Scalable DDS Discovery Protocols Based on Bloom Filters Javier Sanchez-Monedero, Javier

Scalable DDS Discovery Protocols Based on Bloom Filters Javier Sanchez-Monedero, Javier

OMG Real-time & Embedded Systems Workshop 11th July, 2007 - Arlington, VA USA Scalable DDS Discovery Protocols Based on Bloom Filters Javier Sanchez-Monedero, Javier Povedano-Molina & Juan M. Lopez-Soler University of Granada

552 views • 43 slides
PEER-TO-PEER NUMERIC COMPUTING WITH JAVASCRIPT Athan Reines @kgryte / BLOOM FILTERS

PEER-TO-PEER NUMERIC COMPUTING WITH JAVASCRIPT Athan Reines @kgryte / BLOOM FILTERS

PEER-TO-PEER NUMERIC COMPUTING WITH JAVASCRIPT Athan Reines @kgryte / BLOOM FILTERS DBSCAN 2D CLASSIFICATION FOURIER SERIES NEURAL NETWORKS WHY JAVASCRIPT? UBIQUITY PERFORMANCE IN-BROWSER ANALYSIS DATA PIPELINES STREAMS

1.03k views • 73 slides
Exercise Sheet 1: Hashing and Bloom filters COMS31900 Advanced Algorithms 2019/2020 Please feel

Exercise Sheet 1: Hashing and Bloom filters COMS31900 Advanced Algorithms 2019/2020 Please feel

Exercise Sheet 1: Hashing and Bloom filters COMS31900 Advanced Algorithms 2019/2020 Please feel free to discuss these problems on the unit discussion board. If you would like to have your answers marked, please either hand them in in person at

361 views • 5 slides
On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients Arthur Gervais, Ghassan

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients Arthur Gervais, Ghassan

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients Arthur Gervais, Ghassan O. Karame, Damian Gruber, Srdjan apkun ETH Zurich, NEC Research ACSAC 2014 Bitcoin Bitcoin Peer-to-peer decentralized currency

1.06k views • 74 slides
Results presentation unaudited interim results for the six months ended 31 December 2018 Agenda

Results presentation unaudited interim results for the six months ended 31 December 2018 Agenda

Results presentation unaudited interim results for the six months ended 31 December 2018 Agenda Unbundling and Listing Overview Context Strategic update Business segment overview Financial overview People and Sustainability IT and

543 views • 28 slides
Vi Virginia Fres esh M h Match ch VAHSA Health & Family Institute Wednesday, November 13,

Vi Virginia Fres esh M h Match ch VAHSA Health & Family Institute Wednesday, November 13,

Vi Virginia Fres esh M h Match ch VAHSA Health & Family Institute Wednesday, November 13, 2019 Annalise Adams, Shalom Farms Maureen McNamara Best, Local Environmental Agriculture Project (LEAP) 1 i 2 Agenda Virginia Fresh Match

617 views • 18 slides
Professor Mingde Cao E-mail: mingde-cao@vip.163.com China University of Political Science and

Professor Mingde Cao E-mail: mingde-cao@vip.163.com China University of Political Science and

LOGO Professor Mingde Cao E-mail: mingde-cao@vip.163.com China University of Political Science and Law Content I. Chinas Law and Policy Responding to Climate Change II. Chinas Current Measures to Deal with Climate Change III.

364 views • 23 slides
Equity Raising Investor Presentation 1 June 2020 Not for release to US wire services or

Equity Raising Investor Presentation 1 June 2020 Not for release to US wire services or

Equity Raising Investor Presentation 1 June 2020 Not for release to US wire services or distribution in the United States Vicinity Centres | Equity Raising Investor Presentation | 1 June 2020 Chadstone, VIC Important notice and disclaimer Not

512 views • 30 slides
Drivers and Constraints for OSH Im Improvement in Food and Agriculture Supply Chains A+A ILO

Drivers and Constraints for OSH Im Improvement in Food and Agriculture Supply Chains A+A ILO

Drivers and Constraints for OSH Im Improvement in Food and Agriculture Supply Chains A+A ILO International Occupational Safety and Health Conference 2017 OSH in Global Supply chains Dusseldorf, 19 October 2017 Lou Tessier - ILO - LABADMIN/OSH

122 views • 8 slides
1Q15 Analyst Briefing Berli Jucker Public Company Limited 21 May 2015 1 Notes on Forward

1Q15 Analyst Briefing Berli Jucker Public Company Limited 21 May 2015 1 Notes on Forward

1Q15 Analyst Briefing Berli Jucker Public Company Limited 21 May 2015 1 Notes on Forward Looking The following presentation may contain forward looking statements by the management of Berli Jucker Public Company Limited (BJC), relating to

761 views • 19 slides
Immortal Wines QUINTESSENTIAL IMPORTER | MARKETER | DISTRIBUTOR www.quintessentialwines.com

Immortal Wines QUINTESSENTIAL IMPORTER | MARKETER | DISTRIBUTOR www.quintessentialwines.com

Immortal Wines QUINTESSENTIAL IMPORTER | MARKETER | DISTRIBUTOR www.quintessentialwines.com VINO DEI FRATELLI Immortal Wines Our label shows an ancient Roman coin struck in 46 BC depicting two of the most famous Fratelli brothers in the

400 views • 10 slides
Oppor Opportunity tunity Day Day 2018 2018 :Oper :Operating ting Results esults 26.3.2019 1

Oppor Opportunity tunity Day Day 2018 2018 :Oper :Operating ting Results esults 26.3.2019 1

Oppor Opportunity tunity Day Day 2018 2018 :Oper :Operating ting Results esults 26.3.2019 1 Major Shareholders Major Major Shar hareholder eholder #S #Shar hares es % % Shar hares es 1. Mr.Chatchawe Vatanasuk 180,459,643 29.68 2.

379 views • 33 slides

More recommend