Software-Defined Networking (SDN) is a dynamic, programmable approach that enables centralized control and has become essential in modern networking environments such as data centers, Internet Service Providers (ISPs), and emerging 5G applications. A critical challenge within SDN environments is detecting and managing “heavy hitters” high-traffic flows often associated with malicious activities like Distributed Denial of Service (DDoS) attacks or real-time data-intensive applications. Identifying these flows across multiple network switches is complex due to constraints like memory limitations and processing accuracy. This paper proposes a novel, network-wide solution for detecting Heavy Hitters (HH), moving beyond the single- switch approaches found in previous research. In contrast, the new strategy introduces two algorithms to enhance detection. The first algorithm leverages the P4 programming language to identify the local Top-k heavy flows at individual P4-enabled switches. The second algorithm employs dynamic thresholding to efficiently combine the Top-k lists from multiple switches, creating a centralized, coordinated network-wide detection system. The proposed system was rigorously tested in an SDN environment utilizing P4 switches. The results show that it achieves a high detection accuracy (95%-100%) while using only 10KB of memory per programmable switch. Furthermore, the approach outperforms existing state-of-the-art methods, providing higher accuracy and lower error rates with minimal memory usage.

[1] Alhaj A. and Dutta N., Contemporary Issues in Communication, Cloud and Big Data Analytics, Springer, 2022. https://link.springer.com/chapter/10.1007/978- 981-16-4244-9_3

[2] Alhaj A., Patel N., Singh A., Bondugula R., Dar M., and Ahamed J., “Design and Analysis of a Robust Security Layer for Software Defined Network Framework,” International Journal of Sensor Networks, vol. 46, no. 1, pp. 1-14, 2024. https://doi.org/10.1504/IJSNET.2024.141613

[3] Bale A., Yadav K., Alam M., Shrivastava A., Varma R., Solanki R., and Savadatti M., “An Intelligent 64-bit Parallel CRC for High-Speed Communication System Applications,” International Journal of Intelligent Systems and Applications in Engineering, vol. 11, no. 10s, pp. 543-551, 2023. https://www.ijisae.org/index.php/IJISAE/article/v iew/3310

[4] Basat R., Chen X., Einziger G., and Rottenstreich O., “Designing Heavy-Hitter Detection Algorithms for Programmable Switches,” IEEE/ACM Transactions on Networking, vol. 28, no. 3, pp. 1172-1185, 2020. 48 The International Arab Journal of Information Technology, Vol. 22, No. 1, January 2025 https://doi.org/10.1109/TNET.2020.2982739

[5] Benson T., Anand A., Akella A., and Zhang M., “MicroTE: Fine Grained Traffic Engineering for Data Centers,” in Proceedings of the 7th Conference on Emerging Networking Experiments and Technologies, Tokyo, pp. 1-12, 2011. https://doi.org/10.1145/2079296.2079304

[6] Bosshart P., Gibb G., Kim H., Varghese G., McKeown N., Izzard M., Mujica F., and Horowitz M., “Forwarding Metamorphosis: Fast Programmable Match-Action Processing in Hardware for SDN,” ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 99-110, 2013. https://doi.org/10.1145/2534169.2486011

[7] CAIDA: The CAIDA Anonymized Internet Traces Dataset, https://data.caida.org/datasets/passive-2019, Last Visited, 2024.

[8] Chabchoub Y., Fricker C., and Mohamed H., “Analysis of a Bloom Filter Algorithm Via the Supermarket Model,” in Proceedings of the 21st International Teletraffic Congress, Paris, pp. 1-8, 2009. https://ieeexplore.ieee.org/document/5300252

[9] Cheng X., Jing X., Yan Z., Li X., Wang P., and Wu W., “Alsketch: An Adaptive Learning-Based Sketch for Accurate Network Measurement under Dynamic Traffic Distribution,” Journal of Network and Computer Applications, vol. 216, pp. 103659, 2023. https://doi.org/10.1016/j.jnca.2023.103659

[10] Claise B., “Cisco Systems Netflow Services Export Version 9,” Technical Report, 2004. https://www.rfc- editor.org/rfc/pdfrfc/rfc3954.txt.pdf

[11] Cormode G. and Hadjieleftheriou M., “Finding Frequent Items in Data Streams,” in Proceedings of the VLDB Endowment, vol. 1, no. 2, pp. 1530- 1541, 2008. https://doi.org/10.14778/1454159.1454225

[12] Cormode G. and Muthukrishnan S., “An Improved Data Stream Summary: The Count-Min Sketch and its Applications,” Journal of Algorithms, vol. 55, no. 1, pp. 58-75, 2005. https://doi.org/10.1016/j.jalgor.2003.12.001

[13] Cormode G. and Muthukrishnan S., “What’s New: Finding Significant Differences in Network Data Streams,” IEEE/ACM Transactions on Networking, vol. 13, no. 6, pp. 1219-1232, 2005. DOI:10.1109/TNET.2005.860096

[14] Ding D., Savi M., Antichi G., and Siracusa D., “An Incrementally-Deployable P4-Enabled Architecture for Network-Wide Heavy-Hitter Detection,” IEEE Transactions on Network and Service Management, vol. 17, no. 1, pp. 75-88, 2020. DOI:10.1109/TNSM.2020.2968979

[15] Ding D., Savi M., Pederzolli F., and Siracusa D., “Design and Development of Net-Work Monitoring Strategies in P4-Enabled Programmable Switches,” in Proceedings of the NOMS IEEE/IFIP Network Operations and Management Symposium, Budapest, pp. 1-6, 2022. DOI:10.1109/NOMS54207.2022.9789848

[16] Fu Y., Li D., Shen S., Zhang Y., and Chen K., “Clustering-Preserving Net-Work Flow Sketching,” in Proceedings of the INFOCOM IEEE Conference on Computer Communications, Toronto, pp. 1309-1318, 2020. DOI:10.1109/INFOCOM41043.2020.9155388

[17] Harrison R., Cai Q., Gupta A., and Rexford J., “Network-Wide Heavy Hitter Detection with Commodity Switches,” in Proceedings of the Symposium on SDN Research, Los Angeles, pp. 1- 7, 2018. https://doi.org/10.1145/3185467.318547

[18] Hu J., Min G., Jia W., and Woodward M., “Comprehensive QoS Analysis of Enhanced Distributed Channel Access in Wireless Local Area Networks,” Information Sciences, vol. 214, pp. 20-34, 2012. https://doi.org/10.1016/j.ins.2012.05.013

[19] Huang Q., Jin X., Lee P., Li R., Tang L., Chen Y., and Zhang G., “Sketchvisor: Robust Network Measurement for Software Packet Processing,” in Proceedings of the Conference of the ACM Special Interest Group on Data Communication, Los Angeles, pp. 113-126, 2017. https://doi.org/10.1145/3098822.3098831

[20] Huang Q., Lee P., and Bao Y., “Sketchlearn: Relieving User Burdens in Approximate Measurement with Automated Statistical Inference,” in Proceedings of the Conference of the ACM Special Interest Group on Data Communication, Budapest, pp. 576-590, 2018. https://doi.org/10.1145/3230543.3230559

[21] Islam M., Al-Mukhtar M., Khan M., and Hossain M., “A Survey on SDN and SDCN Traffic Measurement: Existing Approaches and Research Challenges,” Eng, vol. 4, no. 2, pp. 1071-1115, 2023. https://doi.org/10.3390/eng4020063

[22] Jung J., Paxson V., Berger A., and Balakrishnan H., “Fast Portscan Detection Using Sequential Hypothesis Testing,” in Proceedings of the IEEE Symposium on Security and Privacy, Proceedings, Berkeley, pp. 211-225, 2004. DOI:10.1109/SECPRI.2004.1301325

[23] Kfoury E., Crichigno J., and Bou-Harb E., “An Exhaustive Survey on P4 Programmable Data Plane Switches: Taxonomy, Applications, Challenges, and Future Trends,” IEEE Access, vol. 9, pp. 87094-87155, 2021. DOI:10.1109/ACCESS.2021.3086704

[24] Kucera J., Popescu D., Wang H., Moore A., Korenek J., and Antichi G., “Enabling Event- Triggered Data Plane Monitoring,” in Proceedings of the Symposium on SDN Research, San Jose, pp. 14-26, 2020. A Novel Space-Efficient Method for Detecting Network-Wide Heavy Hitters in ... 49 https://doi.org/10.1145/3373360.3380830

[25] Lakhina A., Crovella M., and Diot C., “Diagnosing Network-Wide Traffic Anomalies,” ACM SIGCOMM Computer Communication Review, vol. 34, no. 4, pp. 219-230, 2004. https://doi.org/10.1145/1030194.1015492

[26] Li H., Ota K., and Dong M., “LS-SDV: Virtual Network Management in Large-Scale Software- Defined IoT,” IEEE Journal on Selected Areas in Communications, vol. 37, no. 8, pp. 1783-1793, 2019. DOI:10.1109/JSAC.2019.2927099

[27] Li L., Xie K., Pei S., Wen J., Liang W., and Xie G., “CS-Sketch: Compressive Sensing Enhanced Sketch for Full Traffic Measurement,” IEEE Transactions on Network Science and Engineering, vol. 11, no. 3, pp. 2338-2352, 2024. DOI:10.1109/TNSE.2023.3305125

[28] Lin Y., Huang C., and Tsai S., “SDN Soft Computing Application for Detecting Heavy Hitters,” IEEE Transactions on Industrial Informatics, vol. 15, no. 10, pp. 5690-5699, 2019. DOI:10.1109/TII.2019.2909933

[29] Liu L., Ding T., Feng H., Yan Z., and Lu X., “Tree Sketch: An Accurate and Memory-Efficient Sketch for Network-Wide Measurement,” Computer Communications, vol. 194, pp. 148- 155, 2022. https://doi.org/10.1016/j.comcom.2022.07.009

[30] Liu Z., Manousis A., Vorsanger G., Sekar V., and Braverman V., “One Sketch to Rule them all: Rethinking Network Flow Monitoring with UnivMon,” in Proceedings of the ACM SIGCOMM Conference, Florianopolis, pp. 101- 114, 2016. https://doi.org/10.1145/2934872.2934906

[31] Metwally A., Agrawal D., and El Abbadi A., “Efficient Computation of Frequent and Top-k Elements in Data Streams,” in Proceedings of the 10th International Conference on Database Theory, Edinburgh, pp. 398-412, 2005. https://link.springer.com/chapter/10.1007/978-3- 540-30570-5_27

[32] Najm M., Patra M., and Tamarapalli V., “Cost- and-Delay Aware Dynamic Resource Allocation in Federated Vehicular Clouds,” IEEE Transactions on Vehicular Technology, vol. 70, no. 6, pp. 6159-6171, 2021. DOI:10.1109/TVT.2021.3079912

[33] Najm M., Tripathi R., Alhakeem M., and Tamarapalli V., “A Cost-Aware Management Framework for Placement of Data-Intensive Applications on Federated Cloud,” Journal of Network and Systems Management, vol. 29, pp. 1- 33, 2021. https://link.springer.com/article/10.1007/s10922- 021-09594-9

[34] P4 Language Consortium: P4 Switch Behavioral Model, https://github.com/p4lang/behavioral- model, Last Visited, 2024.

[35] P4lang Consortium: P4C, https://github.com/p4lang/p4c, Last Visited, 2024.

[36] Phaal P. and Panchen S., Packet Sampling Basics, https://sflow.org/, Last Visited, 2024.

[37] Prabakaran S. and Ramar R., “Software Defined Network: Load Balancing Algorithm Design and Analysis,” The International Arab Journal of Information Technology, vol. 18, no. 3, pp. 312- 318, 2021. https://doi.org/10.34028/iajit/18/3/7

[38] Ran D., Chen X., and Song L., “ComPipe: A Novel Flow Placement and Measurement Algorithm for Programmable Composite Pipelines,” Electronics, vol. 13, no. 6, pp. 1-19, 2024. https://doi.org/10.3390/electronics13061022

[39] Roy P., Khan A., and Alonso G., “Augmented Sketch: Faster and more Accurate Stream Processing,” in Proceedings of the International Conference on Management of Data, San Francisco, pp. 1449-1463, 2016. https://doi.org/10.1145/2882903.2882948

[40] Singh A., “Machine Learning in OpenFlow Network: Comparative Analysis of DDoS Detection Techniques,” The International Arab Journal of Information Technology, vol. 18, no. 2, pp. 221-226, 2021. https://doi.org/10.34028/iajit/18/2/11

[41] Singh S., Rothenberg C., Luizelli M., Antichi G., Gomes P., and Pongracz G., “HH-IPG: Leveraging Inter-Packet Gap Metrics in P4 Hardware for Heavy Hitter Detection,” IEEE Transactions on Network and Service Management, vol. 20, no. 3, pp. 3536-3548, 2023. DOI:10.1109/TNSM.2022.3227065

[42] Sivaraman A., Subramanian S., Alizadeh M., Chole S., Chuang S., Agrawal A., Balakrishnan H., Edsall T., Katti S., and McKeown N., “Programmable Packet Scheduling at Line Rate,” in Proceedings of the ACM SIGCOMM Conference, Florianopolis, pp. 44-57, 2016. https://doi.org/10.1145/2934872.2934899

[43] Sivaraman V., Narayana S., Rottenstreich O., Muthukrishnan S., and Rexford J., “Heavy-Hitter Detection Entirely in the Data Plane,” in Proceedings of the Symposium on SDN Research, Santa Clara, pp. 164-176, 2017. https://doi.org/10.1145/3050220.3063772

[44] Song H., Dharmapurikar S., Turner J., and Lockwood J., “Fast Hash Table Lookup Using Extended Bloom Filter: An Aid to Network Processing,” ACM SIGCOMM Computer Communication Review, vol. 35, no. 4, pp. 181- 192, 2005. https://doi.org/10.1145/1090191.1080114

[45] Tang L., Huang Q., and Lee P., “A Fast and Compact Invertible Sketch for Network-Wide Heavy Flow Detection,” IEEE/ACM Transactions 50 The International Arab Journal of Information Technology, Vol. 22, No. 1, January 2025 on Networking, vol. 28, no. 5, pp. 2350-2363, 2020. DOI:10.1109/TNET.2020.3011798

[46] Tang L., Huang Q., and Lee P., “SpreadSketch: Toward Invertible and Network-Wide Detection of Superspreaders,” in Proceedings of the IEEE INFOCOM IEEE Conference on Computer Communications, Toronto, pp. 1608-1617, 2020. DOI:10.1109/INFOCOM41043.2020.9155541

[47] Wang M., Li B., and Li Z., “sFlow: Towards Resource-Efficient and Agile Service Federation in Service Overlay Networks,” in Proceedings of the 24th International Conference on Distributed Computing Systems, Proceedings, Tokyo, pp. 628-635, 2004. DOI:10.1109/ICDCS.2004.1281630

[48] Xiang Z. and Seeling P., Computing in Communication Networks, from Theory to Practice, Elsevier, 2020. https://doi.org/10.1016/B978-0-12-820488- 7.00025-6

[49] Xiao Q., Cai X., Qin Y., Tang Z., Chen S., and Liu Y., “Universal and Accurate Sketch for Estimating Heavy Hitters and Moments in Data Streams,” IEEE/ACM Transactions on Networking, vol. 31, no. 5, pp. 1919-1934, 2023. DOI:10.1109/TNET.2022.3216025

[50] Yang T., Jiang J., Liu P., Huang Q., Gong J., Zhou Y., Miao R., Li X., and Uhlig S., “Elastic Sketch: Adaptive and Fast Network-Wide Measurements,” in Proceedings of the Conference of the ACM Special Interest Group on Data Communication, Budapest, pp. 561-575, 2018. https://doi.org/10.1145/3230543.3230544

[51] Yang T., Zhang H., Li J., Gong J., Uhlig S., Chen S., and Li X., “HeavyKeeper: An Accurate Algorithm for Finding Top-k Elephant Flows,” IEEE/ACM Transactions on Networking, vol. 27, no. 5, pp. 1845-1858, 2019. https://doi.org/10.1109/TNET.2019.2933868

[52] Yu M., Jose L., and Miao R., “Software {Defined}{Traffic} Measurement with {OpenSketch},” in Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation, Lombard, pp. 29-42, 2013. https://dl.acm.org/doi/10.5555/2482626.2482631

[53] Zhang Q., Xiao Q., and Cai Y., “A Generic Sketch for Estimating Super-Spreaders and Per-Flow Cardinality Distribution in High-Speed Data Streams,” Computer Networks, vol. 237, pp. 110059, 2023. https://doi.org/10.1016/j.comnet.2023.110059

[54] Zhang X., Wang D., Ota K., Dong M., and Li H., “Exponential Stability of Mixed Time-Delay Neural Networks Based on Switching Approaches,” IEEE Transactions on Cybernetics, vol. 52, no. 2, pp. 1125-1137, 2020. DOI:10.1109/TCYB.2020.2985777

[55] Zhang Z., Lu J., Ren Q., Li Z., Hu Y., and Chen H., “An Accurate and Invertible Sketch for Super Spread Detection,” Electronics, vol. 13, no. 1, pp. 1-20, 2024. https://doi.org/10.3390/electronics13010222

[56] Zhou A. and Qian J., “An Adaptive Method for Identifying Super Nodes from Network-Wide View,” Journal of Network and Systems Management, vol. 31, pp. 1-28, 2023. https://link.springer.com/article/10.1007/s10922- 023-09745-0

[57] Zhou Y., Alipourfard O., Yu M., and Yang T., “Accelerating Network Measurement in Software,” ACM SIGCOMM Computer Communication Review, vol. 48, no. 3, pp. 2-12, 2018. https://doi.org/10.1145/3276799.327680

[58] Zhu H., Wang T., Hong Y., Ports D., Sivaraman A., and Jin X., “{NetVRM}: Virtual Register Memory for Programmable Networks,” in Proceedings of the 19th USENIX Symposium on Networked Systems Design and Implementation, Renton, pp. 155-170, 2022. https://nyuscholars.nyu.edu/en/publications/netvr m-virtual-register-memory-for-programmable- networks