Detecting periodic patterns in internet traffic with spectral and statistical methods

  • Authors:
  • Christos Papadopoulos;John Heidemann;Xinming He

  • Affiliations:
  • University of Southern California;University of Southern California;University of Southern California

  • Venue:
  • Detecting periodic patterns in internet traffic with spectral and statistical methods
  • Year:
  • 2006

Abstract

Internet traffic contains a rich set of periodic patterns. Examples include regular packet transmissions along bottleneck links, periodic routing information exchange, and periodicities inside Denial-of-Service attack streams. Analyzing such periodic patterns has wide applications, including a better understanding of network traffic dynamics, diagnosis of network anomalies, and detection of Denial-of-Service attacks. However, current understanding of periodic behavior in aggregate traffic is quite limited. Many previous approaches often analyze traffic on a per-flow basis, and are not suited to analyze high-speed aggregate traffic. In addition, a number of approaches only indicate that they may reveal periodic patterns, but fall short of proposing automatic detection algorithms and quantitatively evaluating their performance. This thesis explores the application of spectral and statistical methods to detect periodic patterns in Internet traffic. In our approach we first apply spectral techniques to obtain the traffic spectrum, and then use algorithms based on rigorous statistical methods to automatically detect periodic patterns from the traffic spectrum. One salient feature of our approach is that it operates at the aggregate traffic level and does not require flow separation. We first carry out controlled lab experiments to demonstrate the spectral characteristics of various periodic patterns. We then propose four non-parametric detection algorithms and evaluate their performance using real-world Internet traffic. Results show that one of them, the Top-Frequency Algorithm, is the best choice in terms of detection performance and algorithm simplicity. It can provide excellent accuracy (up to 95%) for detecting the periodic pattern caused by a bottleneck link even when the traffic through the bottleneck accounts for less than 10% of the aggregate traffic observed at the monitoring point. We also investigate two extensions to our algorithms. The first one is to utilize harmonics, and the second one is to have parametric detection that considers the variation of traffic spectra according to other factors, such as traffic volume. Evaluation results show that we can get significant improvement by considering harmonics for traffic similar to the training data and marginal improvement by considering traffic volume for parametric detection.