[Bro-Dev] Bloom filter merging

Soumya Basu soumyabasu8 at gmail.com
Mon Jun 17 20:50:27 PDT 2013 

I'm not entirely sure how much of a concern this is, but hashing
solely based on the name would make the bloom filters vulnerable to
attack since it's more predictable what the hash values are. Ideally,
the names would be something simple and easily identifies what the
filter is counting (from how I picture the names being used).

That would put pressure on the user to choose names that are random or
salted to keep the filters secure. I do like the idea of not setting
an environment variable, but I'm not sure how much of a benefit it is.

Thanks,
Soumya Basu

On Sun, Jun 16, 2013 at 9:51 AM, Clark, Gilbert <gc355804 at ohio.edu> wrote:
> What about:
>
> seed_i = h(  ((name.length() == 0) ? initial_seed : name) || i)
>
> In my mind, it'd be cool if identical names would produce identical results (in this case) without the need to set an environment variable.  Maybe there's a reason that's a bad idea, though?
>
> --Gilbert
> ________________________________________
> From: bro-dev-bounces at bro.org [bro-dev-bounces at bro.org] On Behalf Of Matthias Vallentin [vallentin at icir.org]
> Sent: Thursday, June 13, 2013 11:45 PM
> To: bro-dev at bro.org
> Subject: Re: [Bro-Dev] Bloom filter merging
>
> I had a chat with Vern about this earlier today and the discussion
> yielded the following idea:
>
> Rather than reserving a fixed number of seeds at startup, we use a
> keyed hashing scheme that computes a seed to construct the i'th hash
> function as follows:
>
>     seed_i = h(initial_seed || name || i)
>
> One can fix "initial_seed" at startup via an environment variable. The
> new element "name" represents a parameter that the user provide
> (optionally?) as part of the BiF bloomfilter_init. The counter "i"
> allows for generating an arbitrary number of hash functions. The
> function "h" shall be a consistent hash function, e.g., H3 seeded with
> the initial seed.
>
> Feedback welcome,
>
>     Matthias
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>

More information about the bro-dev mailing list