{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,11]],"date-time":"2026-02-11T13:18:49Z","timestamp":1770815929876,"version":"3.50.1"},"reference-count":67,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2019,12,17]],"date-time":"2019-12-17T00:00:00Z","timestamp":1576540800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Israeli Science Foundation grant","award":["1505\/16"],"award-info":[{"award-number":["1505\/16"]}]},{"name":"Israel Cyber Directorate"},{"name":"NSF CAREER","award":["1652257"],"award-info":[{"award-number":["1652257"]}]},{"name":"the Lynne and William Frankel Center for Computing Science at Ben-Gurion University"},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1813487, CNS-1700521"],"award-info":[{"award-number":["1813487, CNS-1700521"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"name":"the Cyber Security Research Center"},{"DOI":"10.13039\/100007297","name":"Office of Naval Research","doi-asserted-by":"publisher","award":["N00014-18-1-2364"],"award-info":[{"award-number":["N00014-18-1-2364"]}],"id":[{"id":"10.13039\/100007297","id-type":"DOI","asserted-by":"publisher"}]},{"name":"DARPA\/MTO","award":["Lifelong Learning Machines"],"award-info":[{"award-number":["Lifelong Learning Machines"]}]},{"name":"Zuckerman Foundation"},{"DOI":"10.13039\/501100018707","name":"Technion Hiroshi Fujiwara Cyber Security Research Center","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100018707","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Meas. Anal. Comput. Syst."],"published-print":{"date-parts":[[2019,12,17]]},"abstract":"Modern network telemetry systems collect and analyze massive amounts of raw data in a space efficient manner. These require advanced capabilities such as drill down queries that allow iterative refinement of the search space. We present a first integral solution that (i) enables multiple measurement tasks inside the same data structure, (ii) supports specifying the time frame of interest as part of its queries, and (iii) is sketch-based and thus space efficient. Namely, our approach allows the user to define both the measurement task (e.g., heavy hitters, entropy estimation, count distinct, etc.) and the time frame of relevance (e.g., 5PM-6PM) at query time. Our approach provides accuracy guarantees and is the only space-efficient solution that offers such capabilities. Finally, we demonstrate how our system can be used for accurately pinpointing the start of a realistic DDoS attack.<\/jats:p>","DOI":"10.1145\/3366709","type":"journal-article","created":{"date-parts":[[2019,12,18]],"date-time":"2019-12-18T13:21:11Z","timestamp":1576675271000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":13,"title":["I Know What You Did Last Summer"],"prefix":"10.1145","volume":"3","author":[{"given":"Nikita","family":"Ivkin","sequence":"first","affiliation":[{"name":"Amazon, New York, NY, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ran Ben","family":"Basat","sequence":"additional","affiliation":[{"name":"Harvard University, Boston, MA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Zaoxing","family":"Liu","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, PA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Gil","family":"Einziger","sequence":"additional","affiliation":[{"name":"Ben Gurion University, Beersheba, Israel"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Roy","family":"Friedman","sequence":"additional","affiliation":[{"name":"Technion, Haifa, Israel"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Vladimir","family":"Braverman","sequence":"additional","affiliation":[{"name":"Johns Hopkins University, Baltimore, MD, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2019,12,17]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"The CAIDA Anonymized Internet Trace equinix-chicago 2016-06--21 Dir. A. The CAIDA Anonymized Internet Trace equinix-chicago 2016-06--21 Dir. A."},{"key":"e_1_2_1_2_1","unstructured":"The CAIDA Anonymized Internet Trace equinix-nyc 2018-03--15 Dir. A. The CAIDA Anonymized Internet Trace equinix-nyc 2018-03--15 Dir. A."},{"key":"e_1_2_1_3_1","unstructured":"The CAIDA Anonymized Internet Trace equinix-sanjose 2014-03--20 Dir. B. The CAIDA Anonymized Internet Trace equinix-sanjose 2014-03--20 Dir. B."},{"key":"e_1_2_1_4_1","doi-asserted-by":"crossref","DOI":"10.1007\/978-0-387-47534-9","volume-title":"Data Streams: Models and Algorithms","author":"Aggarwal Charu C","year":"2007"},{"key":"e_1_2_1_5_1","volume-title":"The Space Complexity of Approximating the Frequency Moments. J. Comp. and sys. sciences","author":"Alon Noga","year":"1999"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2018.8485882"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jcss.2003.11.006"},{"key":"e_1_2_1_8_1","volume-title":"ACM CoNEXT","author":"Basat Ran Ben","year":"2018"},{"key":"e_1_2_1_9_1","volume-title":"PVLDB, 2019","author":"Basat Ran Ben","year":"1804"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2016.7524364"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2017.8057215"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3098822.3098832"},{"key":"e_1_2_1_13_1","volume-title":"Network Traffic Characteristics of Data Centers in the Wild. In ACM IMC","author":"Benson Theophilus","year":"2010"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/2079296.2079304"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2902251.2902284"},{"key":"e_1_2_1_16_1","volume-title":"Encyc. of Algorithms","author":"Braverman V.","year":"2004"},{"key":"e_1_2_1_17_1","volume-title":"BPTree: an $L_2 $ Heavy Hitters Algorithm using Constant Memory. arXiv:1603.00759","author":"Braverman Vladimir","year":"2016"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897518.2897558"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2902251.2902282"},{"key":"e_1_2_1_20_1","volume-title":"Theoretical Computer Science","author":"Braverman Vladimir","year":"2014"},{"key":"e_1_2_1_21_1","volume-title":"Nearly Optimal Distinct Elements and Heavy Hitters on Sliding Windows. arXiv preprint arXiv:1805.00212","author":"Braverman Vladimir","year":"2018"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/FOCS.2007.55"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40328-6_5"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/CCC.2003.1214414"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.5555\/646255.684566"},{"key":"e_1_2_1_26_1","volume-title":"Ori Rottenstreich. Catching the Microburst Culprits with Snappy. In Proceedings of the Afternoon Workshop on Self-Driving Networks, SelfDN 2018","author":"Chen Xiaoqi","year":"2018"},{"key":"e_1_2_1_27_1","volume":"201","author":"Cohen Edith","journal-title":"Massive Graphs Analysis. IEEE Trans. Knowl. Data Eng."},{"key":"e_1_2_1_28_1","volume":"201","author":"Cormode Graham","journal-title":"Data Streams. J. VLDB"},{"key":"e_1_2_1_29_1","volume":"200","author":"Cormode Graham","journal-title":"Its Applications. J. Algorithms"},{"key":"e_1_2_1_30_1","volume":"200","author":"Datar Mayur","journal-title":"Sliding Windows. SIAM J. Comp."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2015.04.007"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2015.7218646"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/863955.863972"},{"key":"e_1_2_1_34_1","volume-title":"Vector packet processing","year":"2018"},{"key":"e_1_2_1_35_1","volume-title":"Mitigating DNS Random Subdomain DDoS Attacks by Distinct Heavy Hitters Sketches","author":"Feibish Shir Landau","year":"2017"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/DISCEX.2003.1194894"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1137\/1.9781611972979.9"},{"key":"e_1_2_1_38_1","volume-title":"Anarchists","author":"Gabel Moshe","year":"2017"},{"key":"e_1_2_1_39_1","volume-title":"Systems and Challenges. Computers and Security","author":"Garcia-Teodoro Pedro","year":"2009"},{"key":"e_1_2_1_40_1","volume-title":"SoftNIC: A Software NIC to Augment Hardware. Technical report","author":"Han Sangjin","year":"2015"},{"key":"e_1_2_1_41_1","volume":"201","author":"Harmouch Hazar","journal-title":"An Experimental Survey. J. VLDB"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2452376.2452456"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/1060590.1060621"},{"key":"e_1_2_1_44_1","volume-title":"Streaming quantiles algorithms with small space and update time. arXiv preprint arXiv:1907.00236","author":"Ivkin Nikita","year":"2019"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3359989.3365433"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-15766-0_18"},{"key":"e_1_2_1_47_1","volume-title":"Computational Complexity","author":"Kremer Ilan","year":"1999"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSCN.2007.350758"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.5555\/977401.978164"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3341302.3342076"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/2934872.2934906"},{"key":"e_1_2_1_52_1","volume-title":"ICDT","author":"Metwally A.","year":"2005"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/3098822.3098824"},{"key":"e_1_2_1_54_1","volume-title":"Finding Repeated Elements. Science of computer programming","author":"Misra Jayadev","year":"1982"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/2619239.2626291"},{"key":"e_1_2_1_56_1","volume-title":"M\u00fcter and Naim Asaj. Entropy-based Anomaly Detection for In-vehicle Networks. In 2011 IEEE Intelligent Vehicles Symposium (IV)","author":"Michael","year":"2011"},{"key":"e_1_2_1_57_1","volume-title":"Foundations and Trends in TCS","author":"Muthukrishnan Shanmugavelayutham","year":"2005"},{"key":"e_1_2_1_58_1","volume-title":"Entropy based anomaly detection system to prevent DDoS attacks in cloud. arXiv preprint arXiv:1308.6745","author":"Navaz AS","year":"2013"},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/1452520.1452539"},{"key":"e_1_2_1_60_1","volume":"201","author":"Papapetrou Odysseas","journal-title":"Data Streams. The VLDB Journal"},{"key":"e_1_2_1_61_1","volume-title":"USENIX NSDI","author":"Pfaff Ben","year":"2015"},{"key":"e_1_2_1_62_1","volume-title":"USENIX ATC","author":"Sekar Vyas","year":"2006"},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2014.20"},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/2723372.2749443"},{"key":"e_1_2_1_65_1","volume-title":"IEEE INFOCOM","author":"Yang Li","year":"2016"},{"key":"e_1_2_1_66_1","volume-title":"ACM Meas. Anal. Comput. Syst.","author":"Yang Sen","year":"2007"},{"key":"e_1_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1007\/s00453-011-9584-4"}],"container-title":["Proceedings of the ACM on Measurement and Analysis of Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3366709","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3366709","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3366709","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:44:39Z","timestamp":1750203879000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3366709"}},"subtitle":["Network Monitoring using Interval Queries"],"short-title":[],"issued":{"date-parts":[[2019,12,17]]},"references-count":67,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2019,12,17]]}},"alternative-id":["10.1145\/3366709"],"URL":"https:\/\/doi.org\/10.1145\/3366709","relation":{},"ISSN":["2476-1249"],"issn-type":[{"value":"2476-1249","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,12,17]]},"assertion":[{"value":"2019-12-17","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}