On the use of TCP passive measurements for anomaly detection: a case study from an operational 3G network

Authors:
Peter Romirer-Maierhofer;Angelo Coluccia;Tobias Witek
Affiliations:
Forschungszentrum Telekommunikation Wien (FTW), Austria;Università del Salento, Italy;Forschungszentrum Telekommunikation Wien (FTW), Austria
Venue:
TMA'10 Proceedings of the Second international conference on Traffic Monitoring and Analysis
Year:
2010

Citing 7
Cited 2

Variability in TCP round-trip times

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Convergence Technologies for 3G Networks: IP, UMTS,EGPRS and ATM

Convergence Technologies for 3G Networks: IP, UMTS,EGPRS and ATM
Large-Scale RTT Measurements from an Operational UMTS/GPRS Network

WICON '05 Proceedings of the First International Conference on Wireless Internet
A passive state-machine approach for accurate analysis of TCP out-of-sequence segments

ACM SIGCOMM Computer Communication Review
Diagnosis of capacity bottlenecks via passive monitoring in 3G networks: An empirical analysis

Computer Networks: The International Journal of Computer and Telecommunications Networking
Passive analysis of TCP anomalies

Computer Networks: The International Journal of Computer and Telecommunications Networking
Network-Wide Measurements of TCP RTT in 3G

TMA '09 Proceedings of the First International Workshop on Traffic Monitoring and Analysis

An evaluation of dynamic adaptive streaming over HTTP in vehicular environments

Proceedings of the 4th Workshop on Mobile Video
Can you GET me now?: estimating the time-to-first-byte of HTTP transactions with passive measurements

Proceedings of the 2012 ACM conference on Internet measurement conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this work we discuss the use of passive measurements of TCP performance indicators in support of network operation and troubleshooting, presenting a case-study from a real 3G cellular network. From the analysis of TCP handshaking packets measured in the core network we infer Round-Trip-Times (RTT) on both the client and server sides separately for UMTS/HSPA and GPRS/EDGE sections. We also keep track of the relative share of packet pairs which did not lead to a valid RTT sample, e.g. due to loss and/or retransmission events, and use this metric as an additional performance signal. In a previous work we identified the risk of measurement bias due to early retransmission of TCP SYNACK packets by some popular servers. In order to mitigate this problem we introduce here a novel algorithm for dynamic classification and filtering of early retransmitters. We present a few illustrative cases of abrupt-change observed in the real network, based on which we derive some lessons learned about using such data for detecting anomalies in a real network. Thanks to such measurements we were able to discover a hidden congestion bottleneck in the network under study.