A novel algorithm for detecting superpoints based on reversible virtual bitmaps

A superpoint is a host, which makes a large number of connections to distinct nodes within a short time. The emergence of superpoint is often a sign of network attacks, such as DDoS attacks and port scanning. Timely detecting superpoints plays a crucial role in defending against network attacks. In this paper, we present an algorithm for detecting superpoints based on reversible virtual bitmaps. The proposed algorithm assigns four virtual bitmaps to each source for storing its related information. Moreover, six hash functions are designed carefully and skillfully, three of which may generate uniform outputs, the other three hash functions take a combination of some special substrings from the input as their outputs. Although the algorithm does not explicitly preserve any host address, it can reconstruct IP addresses by combining some specific substrings of function values. Furthermore, we make a validation on reconstructed IP addresses to filter out non-existing IP addresses and make some bit-AND operations on virtual bitmaps of each IP address to filter out the noise, improving the accuracy of our algorithm. Experimental results demonstrate our algorithm can achieve the same accuracy as or higher accuracy than other algorithms while reducing 50% of memory consumption compared with CSE (Compact Spread Estimator) and reducing 80% of memory consumption compared with VBF (Vector Bloom Filter).