Internet attacks such as distributed denial-of-service (DDoS) attacks and worm attacks are increasing in severity. Real-time attack identification and mitigation of Internet traffic is an important and challenging problem for network administrators. A compromised host doing fast scanning for worm propagation can make a very high number of connections to distinct destinations within a short time. We call such a host a superpoint, that is, a source that connects to a large number of distinct destinations. Superpoint detection can be used for traffic engineering and anomaly detection. We propose a novel data streaming method for detecting superpoints and prove guarantees on its accuracy and memory requirements. The core of this method is a novel data structure called the Vector Bloom Filter (VBF). A VBF is a variant of the standard Bloom Filter (BF). The VBF consists of 6 hash functions, 4 of which projectively select some consecutive bits from the original strings as function values. We obtain the information of superpoints from the overlap of the hash bit strings of the VBF. The theoretical analysis and experimental results show that our schemes can precisely and efficiently detect superpoints.
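The following is an added example, not code from the paper: a simplified sketch in the spirit of the VBF described above, in which overlapping consecutive-bit slices of the source address index per-cell destination bitmaps. It is not the paper's construction. Assumptions: the slice offsets and widths, the 1024-bit bitmap, SHA-256 as the destination hash, the linear-counting estimator, and querying known sources rather than recovering them from the overlapping slices.

```python
import hashlib, ipaddress, math

# Assumed parameters (not from the paper): four overlapping 12-bit slices of
# the 32-bit source address, and a 1024-bit destination bitmap per cell.
SLICES = [(0, 12), (7, 12), (13, 12), (20, 12)]   # (bit offset, width)
M = 1024

class SliceBitmapSketch:
    def __init__(self):
        self.rows = [[0] * (1 << w) for _, w in SLICES]  # bitmaps stored as ints

    @staticmethod
    def _cell(src, off, width):
        # Select `width` consecutive bits of the source, starting at bit `off`.
        return (src >> (32 - off - width)) & ((1 << width) - 1)

    def update(self, src, dst):
        digest = hashlib.sha256(dst.to_bytes(4, "big")).digest()
        bit = 1 << (int.from_bytes(digest[:4], "big") % M)
        for row, (off, w) in zip(self.rows, SLICES):
            row[self._cell(src, off, w)] |= bit

    def estimate(self, src):
        # AND the source's cells to drop bits set by sources that share only
        # some slices, then apply linear counting to the surviving bitmap.
        merged = (1 << M) - 1
        for row, (off, w) in zip(self.rows, SLICES):
            merged &= row[self._cell(src, off, w)]
        zeros = M - bin(merged).count("1")
        return math.inf if zeros == 0 else M * math.log(M / zeros)

def ip(text):
    return int(ipaddress.IPv4Address(text))

def demo(threshold=100):
    # Constructed traffic: one scanner with 300 distinct destinations and
    # 50 ordinary hosts with 3 destinations each.
    sketch, scanner = SliceBitmapSketch(), ip("10.0.0.5")
    hosts = [ip(f"192.168.1.{i}") for i in range(1, 51)]
    for k in range(300):
        sketch.update(scanner, ip("172.16.0.0") + k)
    for n, h in enumerate(hosts):
        for j in range(3):
            sketch.update(h, ip("198.51.100.0") + 3 * n + j)
    estimates = {s: sketch.estimate(s) for s in [scanner] + hosts}
    flagged = [str(ipaddress.IPv4Address(s)) for s, e in estimates.items() if e >= threshold]
    return estimates[scanner], max(estimates[h] for h in hosts), flagged

if __name__ == "__main__":
    print(demo())
```

Memory is fixed by the slice widths and bitmap size regardless of how many flows are observed, which is what makes this kind of structure usable on a high-rate stream.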