With Internet traffic growing exponentially, sketch data structures built on probabilistic algorithms are expected to be an alternative solution for non-compromised (non-selective) security monitoring. While sketches facilitate counting within a confined memory space, their memory efficiency and accuracy have been pushed further toward their limits through finer-grained, dynamic control of the constrained memory space that adapts to the data stream's inherent skewness (i.e., Zipf distribution), namely small counters with extensions. In this paper, we unveil a vulnerable factor of the small counter design by introducing a new sketch-oriented attack, which threatens a stream of state-of-the-art sketches and their security applications. Following root cause analyses, we propose Siamese Counter, which has enhanced adversarial resiliency and whose feasibility is verified with extensive experimental and theoretical analyses. Under a sketch pollution attack, Siamese Counter delivers 47% more accurate results than a state-of-the-art scheme, and demonstrates up to 82% more accurate estimation under normal measurement scenarios.