Volumetric Hierarchical Heavy Hitters

Hierarchical heavy hitters (HHH) identification is useful for various network utilities such as anomaly detection, DDoS mitigation, and traffic analysis. The increasing support for jumbo frames enables an attacker to launch an attack while sending fewer large packets. Hence, existing packet counting techniques cannot detect such attacks, highlighting the need for volumetric measurements. This paper suggests an efficient algorithm for detecting HHH based on their traffic volume that asymptotically improves the runtime of previous works. We implement our algorithm in Open vSwitch (OVS) and incur a 6% overhead compared to a 42% throughput reduction experienced by the state-of-the-art.