Abstract:
SiLK Tools is a suite of network flow tools that network analysts use to detect intrusions, viruses, worms, and botnets, and to analyze network performance. One tool in SiLK is tuple filtering, where flows are filtered based on inclusion in a “multi-key” set (MKset) whose unique members are composite keys whose values are from multiple fields in a SiLK flow record. We propose and evaluate a more efficient method of implementing MKset filtering that uses cuckoo hashes, which underlie McHugh et al.’s cuckoo bag (cubag) suite of MKset SiLK tools. Our solution improves execution time for filtering with an MKset of size k by a factor of O(log k), and decreases memory footprints for MKset filtering by 50%. The solution also saves 90% of disk space for MKset file storage, and adds functionality for transformations such as subnet masking on flow records during MKset filtering.
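As an added illustration of the idea in the abstract (not code from the paper, SiLK or cubag): a minimal two-table cuckoo hash holding composite keys built from several flow fields, with the source address masked to a /24 before lookup, applied to constructed flow records. The record layout, field names, key composition and hash function are assumptions made for the example.

```python
import hashlib
import ipaddress

class CuckooMKset:
    # two-table cuckoo hash: each key has one slot per table, so lookup is <= 2 probes
    def __init__(self, capacity=16, max_kicks=32):
        self.size, self.max_kicks = capacity, max_kicks
        self.tables = [[None] * capacity, [None] * capacity]
    def _slot(self, key, i):
        # independent hash per table: blake2b personalised with the table index
        h = hashlib.blake2b(repr(key).encode(), digest_size=8, person=b"t%d" % i)
        return int.from_bytes(h.digest(), "big") % self.size
    def __contains__(self, key):
        return any(self.tables[i][self._slot(key, i)] == key for i in (0, 1))
    def add(self, key):
        if key in self:
            return
        i = 0
        for _ in range(self.max_kicks):
            slot = self._slot(key, i)
            if self.tables[i][slot] is None:
                self.tables[i][slot] = key
                return
            # occupied: evict the resident, which then tries its other table
            key, self.tables[i][slot] = self.tables[i][slot], key
            i ^= 1
        self._grow()  # eviction cycle: rehash into larger tables, then retry
        self.add(key)
    def _grow(self):
        old = [k for t in self.tables for k in t if k is not None]
        self.size *= 2
        self.tables = [[None] * self.size, [None] * self.size]
        for k in old:
            self.add(k)

def mkset_key(rec, sip_prefix=24):
    # composite key from several fields; source IP masked to /sip_prefix first
    net = ipaddress.ip_network(f"{rec['sip']}/{sip_prefix}", strict=False)
    return (str(net.network_address), rec["dport"], rec["proto"])
def filter_flows(flows, mkset, sip_prefix=24):
    # keep the records whose masked composite key is a member of the MKset
    return [f for f in flows if mkset_key(f, sip_prefix) in mkset]
# constructed sample flows and watch set (not real traffic)
FLOWS = [{"sip": "10.1.2.33", "dport": 22, "proto": 6},
         {"sip": "10.1.2.77", "dport": 80, "proto": 6},
         {"sip": "10.9.9.9", "dport": 22, "proto": 6},
         {"sip": "10.1.2.5", "dport": 53, "proto": 17}]
WATCH = CuckooMKset()
for k in [("10.1.2.0", 22, 6), ("10.1.2.0", 53, 17)]:
    WATCH.add(k)
```

Filtering `FLOWS` against `WATCH` keeps only the SSH flow from 10.1.2.0/24 and the DNS flow from the same subnet; changing `sip_prefix` to 32 disables the masking and nothing matches.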