
TUPLE FILTERING IN SILK USING CUCKOO HASHES

Date

2010-09-09

Authors

Webb, Aaron

Abstract

SiLK Tools is a suite of network flow tools that network analysts use to detect intrusions, viruses, worms, and botnets, and to analyze network performance. One tool in SiLK is tuple filtering, where flows are filtered based on inclusion in a “multi-key” set (MKset) whose unique members are composite keys whose values are from multiple fields in a SiLK flow record. We propose and evaluate a more efficient method of implementing MKset filtering that uses cuckoo hashes, which underlie McHugh et al.’s cuckoo bag (cubag) suite of MKset SiLK tools. Our solution improves execution time for filtering with an MKset of size k by a factor of O(log k), and decreases memory footprints for MKset filtering by 50%. The solution also saves 90% of disk space for MKset file storage, and adds functionality for transformations such as subnet masking on flow records during MKset filtering.

Keywords

SiLK, NetFlow, network, cuckoo, hash, tuple
