Remote detection of bottleneck links using spectral and statistical methods

Authors:
Xinming He;Christos Papadopoulos;John Heidemann;Urbashi Mitra;Usman Riaz
Affiliations:
Cisco Systems Inc., MRBU, 725 Alder Drive, Milpitas, CA 95035, United States;Colorado State University, Computer Science Department, Fort Collins, CO 80523, United States;University of Southern California, Computer Science Department, Los Angeles, CA 90089, United States;University of Southern California, Electrical Engineering Department, Los Angeles, CA 90089, United States;University of Southern California, Electrical Engineering Department, Los Angeles, CA 90089, United States
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2009

Citing 17
Cited 2

Generating representative Web workloads for network and server performance evaluation

SIGMETRICS '98/PERFORMANCE '98 Proceedings of the 1998 ACM SIGMETRICS joint international conference on Measurement and modeling of computer systems
Detection, Estimation, and Modulation Theory: Radar-Sonar Signal Processing and Gaussian Signals in Noise

Detection, Estimation, and Modulation Theory: Radar-Sonar Signal Processing and Gaussian Signals in Noise
Time Series Analysis: Forecasting and Control

Time Series Analysis: Forecasting and Control
Using signal processing to analyze wireless data traffic

WiSE '02 Proceedings of the 1st ACM workshop on Wireless security
A signal analysis of network traffic anomalies

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Measuring Bottleneck Link Speed in Packet-Switched Networks

Measuring Bottleneck Link Speed in Packet-Switched Networks
Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
A framework for classifying denial of service attacks

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
End-to-end available bandwidth: measurement methodology, dynamics, and relation with TCP throughput

IEEE/ACM Transactions on Networking (TON)
A measurement study of available bandwidth estimation tools

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Locating internet bottlenecks: algorithms, measurements, and implications

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
CapProbe: a simple and accurate capacity estimation technique

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
A wavelet-based approach to detect shared congestion

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
A wavelet-based framework for proactive detection of network misconfigurations

Proceedings of the ACM SIGCOMM workshop on Network troubleshooting: research, theory and operations practice meet malfunctioning reality
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Detecting periodic patterns in internet traffic with spectral and statistical methods

Detecting periodic patterns in internet traffic with spectral and statistical methods
Evaluation and characterization of available bandwidth probing techniques

IEEE Journal on Selected Areas in Communications

Parametric methods for anomaly detection in aggregate traffic

IEEE/ACM Transactions on Networking (TON)
An optimized reconfigurable power spectral density converter for real-time shrew DDoS attacks detection

Computers and Electrical Engineering

Quantified Score

Hi-index	0.01

Visualization

Abstract

Persistently saturated links are abnormal conditions that indicate bottlenecks in Internet traffic. Network operators are interested in detecting such links for troubleshooting, to improve capacity planning and traffic estimation, and to detect denial-of-service attacks. Currently bottleneck links can be detected either locally, through SNMP information, or remotely, through active probing or passive flow-based analysis. However, local SNMP information may not be available due to administrative restrictions, and existing remote approaches are not used systematically because of their network or computation overhead. This paper proposes a new approach to remotely detect the presence of bottleneck links using spectral and statistical analysis of traffic. Our approach is passive, operates on aggregate traffic without flow separation, and supports remote detection of bottlenecks, addressing some of the major limitations of existing approaches. Our technique assumes that traffic through the bottleneck is dominated by packets with a common size (typically the maximum transfer unit, for reasons discussed in Section 5.1). With this assumption, we observe that bottlenecks imprint periodicities on packet transmissions based on the packet size and link bandwidth. Such periodicities manifest themselves as strong frequencies in the spectral representation of the aggregate traffic observed at a downstream monitoring point. We propose a detection algorithm based on rigorous statistical methods to detect the presence of bottleneck links by examining strong frequencies in aggregate traffic. We use data from live Internet traces to evaluate the performance of our algorithm under various network conditions. Results show that with proper parameters our algorithm can provide excellent accuracy (up to 95%) even if the traffic through the bottleneck link accounts for less than 10% of the aggregate traffic.