Traffic Anomaly Detection at Fine Time Scales with Bayes Nets

  • Authors:
  • Jeff Kline, Sangnam Nam, Paul Barford, David Plonka, Amos Ron

  • Venue:
  • ICIMP '08: Proceedings of the Third International Conference on Internet Monitoring and Protection
  • Year:
  • 2008

Abstract

Traffic anomaly detection using high-performance measurement systems offers the possibility of improving the speed of detection and of detecting important, short-lived anomalies. In this paper we investigate the problem of detecting anomalies using traffic measurements with fine-grained timestamps. We develop a new detection algorithm (called S3) that uses a Bayes Net to consider multiple input signals efficiently and to define explicitly what is considered "anomalous". The input signals considered by S3 are traffic volumes and correlations between ingress/egress packet and bit rates; these complementary signals enable identification of an expanded range of anomalies. Using a set of high-precision traffic measurements collected at our campus border router over a 10-month period and an annotated anomaly log supplied by our network operators, we show that S3 is highly accurate, identifying 86% of the anomalies listed in the log. Compared with well-known time-series-based and wavelet-based detectors, this represents over a 20% improvement in accuracy. Investigation of events identified by S3 that did not appear in the operator log indicates that many are, in fact, true positives. Deployment of S3 in an operational environment supports this: initial tests showed zero false positives.
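The abstract describes the shape of S3 but not its internals, so the following is an added illustration of the idea, not the paper's algorithm: a hidden "anomaly" node in a small Bayes net, with two observed signals computed per fine-grained time bin, a volume deviation (z-score of ingress bits against the preceding window) and a correlation state (Pearson correlation between ingress and egress packet counts over the window). The bin layout, the choice of signals, the discretisation thresholds, the conditional probability tables and the constructed traffic (a spoofed-source flood that the targets do not answer) are all assumptions made for this example.

```python
"""Toy multi-signal anomaly detector in the spirit of S3 (added example, not
the paper's code). Signals, thresholds and probability tables are assumed."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Bin:
    """Traffic counters for one fine-grained time bin (e.g. 100 ms)."""
    in_pkts: int
    in_bits: int
    out_pkts: int
    out_bits: int


# Hypothetical CPTs for a two-evidence Bayes net:
#   Anomaly -> VolumeLevel, Anomaly -> CorrelationState
PRIOR_ANOMALY = 0.05
P_VOL = {  # P(volume level | anomaly)
    False: {"low": 0.05, "normal": 0.90, "high": 0.05},
    True:  {"low": 0.30, "normal": 0.20, "high": 0.50},
}
P_CORR = {  # P(correlation state | anomaly)
    False: {"consistent": 0.95, "broken": 0.05},
    True:  {"consistent": 0.40, "broken": 0.60},
}


def pearson(xs, ys):
    """Pearson correlation; a flat series is treated as perfectly consistent."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 1.0
    return cov / (vx * vy) ** 0.5


def volume_level(history, current, z_thresh=3.0):
    """Discretise ingress bit volume as low/normal/high against the window."""
    xs = [b.in_bits for b in history]
    sd = max(pstdev(xs), 1.0)  # floor avoids division by zero on a flat baseline
    z = (current.in_bits - mean(xs)) / sd
    if z > z_thresh:
        return "high"
    if z < -z_thresh:
        return "low"
    return "normal"


def correlation_state(window, r_thresh=0.8):
    """Ingress vs egress packet-rate correlation over the window (incl. current)."""
    r = pearson([b.in_pkts for b in window], [b.out_pkts for b in window])
    return "consistent" if r >= r_thresh else "broken"


def posterior_anomaly(vol, corr):
    """P(anomaly | volume level, correlation state) by Bayes' rule."""
    num = PRIOR_ANOMALY * P_VOL[True][vol] * P_CORR[True][corr]
    den = num + (1 - PRIOR_ANOMALY) * P_VOL[False][vol] * P_CORR[False][corr]
    return num / den


def bin_signals(bins, i, window=10):
    """The two observed evidence values for bin i."""
    history = bins[i - window:i]
    return volume_level(history, bins[i]), correlation_state(bins[i - window:i + 1])


def detect(bins, window=10, threshold=0.5):
    """Return (index, volume_level, corr_state, posterior) for flagged bins."""
    alerts = []
    for i in range(window, len(bins)):
        vol, corr = bin_signals(bins, i, window)
        p = posterior_anomaly(vol, corr)
        if p >= threshold:
            alerts.append((i, vol, corr, round(p, 3)))
    return alerts


# Constructed traffic: 15 quiet bins (~100 pkts of ~1000 B in, matching replies
# of ~1500 B out), then one flood bin, then a quiet bin again.
NORMAL_IN = [98, 100, 102, 99, 101] * 3


def make_bins():
    bins = [Bin(p, p * 8000, p, p * 12000) for p in NORMAL_IN]
    # Spoofed-source SYN flood: 20x ingress packets of ~60 B, while the egress
    # side stays at its usual level because the targets never answer.
    bins.append(Bin(2000, 2000 * 480, 100, 100 * 12000))
    bins.append(Bin(100, 100 * 8000, 100, 100 * 12000))
    return bins


if __name__ == "__main__":
    for alert in detect(make_bins()):
        print("anomaly at bin %d: volume=%s correlation=%s p=%.3f" % alert)
```

With these tables, neither signal alone crosses the 0.5 threshold (volume "high" with a consistent correlation gives about 0.18, a broken correlation at normal volume about 0.12), but both together give about 0.86, which is the evidence-combination behaviour the net is there to express. Note the caveat the toy does not handle: the flood bin stays in the baseline window for the following bins, so the correlation remains "broken" for a while afterwards; a deployable detector needs to exclude flagged bins from its baseline.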