🤖 AI Summary
This work exposes a critical security vulnerability in sketch-based small counters under sketch-oriented pollution attacks and introduces the first formal sketch-directed attack model. To enhance pollution robustness, we propose the Siamese Counter architecture, which innovatively integrates LSB-sharing encoding with dynamic delayed merging and employs a dual-counter collaborative update strategy—preserving streaming efficiency while substantially mitigating pollution propagation. Theoretical analysis establishes a tight error upper bound, and extensive streaming experiments demonstrate its effectiveness: accuracy improves by 47% over state-of-the-art methods under pollution attacks, and estimation precision increases by up to 82% in benign scenarios. This is the first systematic study to rigorously characterize the security fragility of small counters in sketches and to deliver a theoretically grounded, high-performance solution. Our approach significantly strengthens the reliability of sketches for unbiased, real-time security monitoring in high-speed networks.
📝 Abstract
With exponentially growing Internet traffic, the sketch data structure, built on a probabilistic algorithm, has been expected to be an alternative solution for non-compromised (non-selective) security monitoring. While sketches facilitate counting within a confined memory space, their memory efficiency and accuracy have been pushed further to the limit through finer-grained and dynamic control of the constrained memory space to adapt to the data stream's inherent skewness (i.e., Zipf distribution), namely small counters with extensions. In this paper, we unveil a vulnerable factor of the small counter design by introducing a new sketch-oriented attack, which threatens a stream of state-of-the-art sketches and their security applications. Based on root cause analyses, we propose Siamese Counter, which offers enhanced adversarial resiliency, and verify its feasibility with extensive experimental and theoretical analyses. Under a sketch pollution attack, Siamese Counter delivers 47% more accurate results than a state-of-the-art scheme, and demonstrates up to 82% more accurate estimation under normal measurement scenarios.