Diagnosing network-wide traffic anomalies

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Diagnosing network-wide traffic anomalies

Full text

Pdf (342 KB)

Source

Applications, Technologies, Architectures, and Protocols for Computer Communication archive
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications table of contents

Portland, Oregon, USA

SESSION: Network troubleshooting table of contents

Pages: 219 - 230

Year of Publication: 2004

ISBN:1-58113-862-8

Also published in ...

Authors

Anukool Lakhina	Boston University
Mark Crovella	Boston University
Christophe Diot	Intel Research, Cambridge, UK

Sponsors

ACM: Association for Computing Machinery
SIGCOMM: ACM Special Interest Group on Data Communication

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 25, Downloads (12 Months): 228, Citation Count: 29

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTex EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1015467.1015492 What is a DOI?

ABSTRACT

Anomalies are unusual and significant changes in a network's traffic levels, which can often span multiple links. Diagnosing anomalies is critical for both network operators and end users. It is a difficult problem because one must extract and interpret anomalous patterns from large amounts of high-dimensional, noisy data.In this paper we propose a general method to diagnose anomalies. This method is based on a separation of the high-dimensional space occupied by a set of network traffic measurements into disjoint subspaces corresponding to normal and anomalous network conditions. We show that this separation can be performed effectively by Principal Component Analysis.Using only simple traffic measurements from links, we study volume anomalies and show that the method can: (1) accurately detect when a volume anomaly is occurring; (2) correctly identify the underlying origin-destination (OD) flow which is the source of the anomaly; and (3) accurately estimate the amount of traffic involved in the anomalous OD flow.We evaluate the method's ability to diagnose (i.e., detect, identify, and quantify) both existing and synthetically injected volume anomalies in real traffic from two backbone networks. Our method consistently diagnoses the largest volume anomalies, and does so with a very low false alarm rate.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Paul Barford , Jeffery Kline , David Plonka , Amos Ron, A signal analysis of network traffic anomalies, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France [doi>10.1145/637201.637210]
	2	Jake D. Brutlag, Aberrant Behavior Detection in Time Series for Network Monitoring, Proceedings of the 14th USENIX conference on System administration, December 03-08, 2000, New Orleans, Louisiana
	3	NetFlow. At www.cisco.com/warp/public/732/Tech/netflow/.
	4	D. Donoho and G. Flesia and N. El-Karoui and M. Elad. Inferring Sparse Causes for Extreme Network Events. In Network Modeling and Simulation Workshop at Dartmouth College, 2002.
	5	R. Dunia and S. J. Qin. Multi-dimensional Fault Diagnosis Using a Subspace Approach. In American Control Conference, 1997.
	6	R. Dunia and S. J. Qin. A subspace approach to multidimensional fault identification and reconstruction. American Institute of Chemical Engineers (AIChE) Journal, pages 1813--1831, 1998.
	7	Frank Feather , Dan Siewiorek , Roy Maxion, Fault detection in an Ethernet network using anomaly signature matching, Conference proceedings on Communications architectures, protocols and applications, p.279-288, September 13-17, 1993, San Francisco, California, United States
	8	Anja Feldmann , Albert Greenberg , Carsten Lund , Nick Reingold , Jennifer Rexford , Fred True, Deriving traffic demands for operational IP networks: methodology and experience, IEEE/ACM Transactions on Networking (TON), v.9 n.3, p.265-280, June 2001 [doi>10.1109/90.929850]
	9	G. Golub and C. F. V. Loan. Matrix Computations. The Johns Hopkins University Press.
	10	Cynthia S. Hood , Chuanyi Ji, Proactive Network Fault Detection, Proceedings of the INFOCOM '97. Sixteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Driving the Information Revolution, p.1147, April 09-11, 1997
	11	J. E. Jackson and G. S. Mudholkar. Control procedures for residuals associated with Principal Component Analysis. Technometrics, pages 341--349, 1979.
	12	D. R. Jensen and H. Solomon. A Gaussian Approximation to the Distribution of a Definite Quadratic Form. J. of the American Statistical Association, pages 898--902, 1972.
	13	Irene Katzela , Mischa Schwartz, Schemes for fault identification in communication networks, IEEE/ACM Transactions on Networking (TON), v.3 n.6, p.753-764, Dec. 1995 [doi>10.1109/90.477721]
	14	Balachander Krishnamurthy , Subhabrata Sen , Yin Zhang , Yan Chen, Sketch-based change detection: methods, evaluation, and applications, Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement, October 27-29, 2003, Miami Beach, FL, USA [doi>10.1145/948205.948236]
	15	A. Lakhina, M. Crovella, and C. Diot. Characterization of Network-Wide Anomalies in Traffic Flows. Technical Report BUCS-2004-020, Boston University, 2004.
	16	Anukool Lakhina , Konstantina Papagiannaki , Mark Crovella , Christophe Diot , Eric D. Kolaczyk , Nina Taft, Structural analysis of network traffic flows, Proceedings of the joint international conference on Measurement and modeling of computer systems, June 10-14, 2004, New York, NY, USA
	17	A. A. Lazar, W. Wang, and R. Deng. Models and algorithms for network fault detection and identification: A review. In ICC, 1992.
	18	A. Medina , N. Taft , K. Salamatian , S. Bhattacharyya , C. Diot, Traffic matrix estimation: existing techniques and new directions, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
	19	M. Misra, H. H. Yue, S. J. Qin, and C. Ling. Multivariate process monitoring and fault diagnosis by multi-scale PCA. Computers and Chemical Engineering, pages 1281--1293, 2002.
	20	Marc Moonen , Paul van Dooren , Joos Vandewalle, A singular value decomposition updating algorithm for subspace tracking, SIAM Journal on Matrix Analysis and Applications, v.13 n.4, p.1015-1038, Oct. 1992 [doi>10.1137/0613061]
	21	Matthew Roughan , Tim Griffin , Morley Mao , Albert Greenberg , Brian Freeman, Combining routing and traffic data for detection of IP forwarding anomalies, Proceedings of the joint international conference on Measurement and modeling of computer systems, June 10-14, 2004, New York, NY, USA
	22	Juniper Traffic Sampling. At www.juniper.net/techpubs/software/junos/junos60/swconfig60-policy/html/sampling-overview.html.
	23	Y. Vardi. Network Tomography: Estimating Source-Destination Traffic Intensities from Link Data. J. of the American Statistical Association, pages 365--377, 1996.
	24	N. Ye. A Markov Chain Model of Temporal Behavior for Anomaly Detection. In Workshop on Information Assurance and Security, 2000.
	25	Yin Zhang , Matthew Roughan , Carsten Lund , David Donoho, An information-theoretic approach to traffic matrix estimation, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany [doi>10.1145/863955.863990]

CITED BY 29

	Neal Patwari , Alfred O. Hero, III , Adam Pacholski, Manifold learning visualization of network traffic data, Proceeding of the 2005 ACM SIGCOMM workshop on Mining network data, August 26-26, 2005, Philadelphia, Pennsylvania, USA
	Anukool Lakhina , Mark Crovella , Christophe Diot, Exploring the subspace method for network-wide anomaly diagnosis, Proceedings of the ACM SIGCOMM workshop on Network troubleshooting: research, theory and operations practice meet malfunctioning reality, September 03-03, 2004, Portland, Oregon, USA
	Augustin Soule , Kavé Salamatian , Antonio Nucci , Nina Taft, Traffic matrix tracking using Kalman filters, ACM SIGMETRICS Performance Evaluation Review, v.33 n.3, December 2005
	Awais Ahmed Awan , Andrew Moore, Synergy: blending heterogeneous measurement elements for effective network monitoring, Proceedings of the 2006 ACM CoNEXT conference, December 04-07, 2006, Lisboa, Portugal
	Hongbo Jiang , Andrew W. Moore , Zihui Ge , Shudong Jin , Jia Wang, Lightweight application classification for network management, Proceedings of the 2007 SIGCOMM workshop on Internet network management, August 27-31, 2007, Kyoto, Japan
	Matthew Roughan, Simplifying the synthesis of internet traffic matrices, ACM SIGCOMM Computer Communication Review, v.35 n.5, October 2005
	Tarem Ahmed , Boris Oreshkin , Mark Coates, Machine learning approaches to network anomaly detection, Proceedings of the 2nd USENIX workshop on Tackling computer systems problems with machine learning techniques, p.1-6, April 10, 2007, Cambridge, MA
	Augustin Soule , Fernando Silveira , Haakon Ringberg , Christophe Diot, Challenging the supremacy of traffic matrices in anomaly detection, Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, October 24-26, 2007, San Diego, California, USA
	Min Cai , Jianping Pan , Yu-Kwong Kwok , Kai Hwang, Fast and accurate traffic matrix measurement using adaptive cardinality counting, Proceeding of the 2005 ACM SIGCOMM workshop on Mining network data, August 26-26, 2005, Philadelphia, Pennsylvania, USA
	Xin Li , Fang Bian , Mark Crovella , Christophe Diot , Ramesh Govindan , Gianluca Iannaccone , Anukool Lakhina, Detection and identification of network anomalies using sketch subspaces, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
	Vijayi Erramill , Mark Crovella , Nina Taft, An independent-connection model for traffic matrices, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
	Qi Zhao , Zihui Ge , Jia Wang , Jun Xu, Robust traffic matrix estimation with imperfect information: making use of multiple data sources, ACM SIGMETRICS Performance Evaluation Review, v.34 n.1, June 2006
	Haakon Ringberg , Augustin Soule , Jennifer Rexford, WebClass: adding rigor to manual labeling of traffic anomalies, ACM SIGCOMM Computer Communication Review, v.38 n.1, January 2008
	Haakon Ringberg , Matthew Roughan , Jennifer Rexford, The need for simulation in evaluating anomaly detectors, ACM SIGCOMM Computer Communication Review, v.38 n.1, January 2008
	Kuai Xu , Zhi-Li Zhang , Supratik Bhattacharyya, Profiling internet backbone traffic: behavior models and applications, ACM SIGCOMM Computer Communication Review, v.35 n.4, October 2005
	Ling Huang , Minos Garofalakis , Joseph Hellerstein , Anthony Joseph , Nina Taft, Toward sophisticated detection with distributed triggers, Proceedings of the 2006 SIGCOMM workshop on Mining network data, p.311-316, September 11-15, 2006, Pisa, Italy
	Connie Logg , Les Cottrell , Jiri Navratil, Experiences in traceroute and available bandwidth change analysis, Proceedings of the ACM SIGCOMM workshop on Network troubleshooting: research, theory and operations practice meet malfunctioning reality, September 03-03, 2004, Portland, Oregon, USA
	Daniela Brauckhoff , Bernhard Tellenbach , Arno Wagner , Martin May , Anukool Lakhina, Impact of packet sampling on anomaly detection metrics, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
	Haakon Ringberg , Augustin Soule , Jennifer Rexford , Christophe Diot, Sensitivity of PCA for traffic anomaly detection, ACM SIGMETRICS Performance Evaluation Review, v.35 n.1, June 2007
	Guillaume Dewaele , Kensuke Fukuda , Pierre Borgnat , Patrice Abry , Kenjiro Cho, Extracting hidden anomalies using sketch and non Gaussian multiresolution statistical detection procedures, Proceedings of the 2007 workshop on Large scale attack defense, August 27-27, 2007, Kyoto, Japan
	Yiyi Huang , Nick Feamster , Anukool Lakhina , Jim (Jun) Xu, Diagnosing network disruptions with network-wide analysis, ACM SIGMETRICS Performance Evaluation Review, v.35 n.1, June 2007
	Anukool Lakhina , Mark Crovella , Christiphe Diot, Characterization of network-wide anomalies in traffic flows, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy
	Ashwin Lall , Vyas Sekar , Mitsunori Ogihara , Jun Xu , Hui Zhang, Data streaming algorithms for estimating entropy of network traffic, ACM SIGMETRICS Performance Evaluation Review, v.34 n.1, June 2006
	Don P. Cox , Youssif Al-Nashif , Salim Hariri, Application of autonomic agents for global information grid management and security, Proceedings of the 2007 summer computer simulation conference, July 16-19, 2007, San Diego, California
	Vyas Sekar , Michael K. Reiter , Walter Willinger , Hui Zhang , Ramana Rao Kompella , David G. Andersen, CSAMP: a system for network-wide flow monitoring, Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, p.233-246, April 16-18, 2008, San Francisco, California
	Matthew Roughan , Yin Zhang, Secure distributed data-mining and its application to large-scale network measurements, ACM SIGCOMM Computer Communication Review, v.36 n.1, January 2006
	Dionysios Logothetis , Kenneth Yocum, Wide-scale data stream management, USENIX 2008 Annual Technical Conference on Annual Technical Conference, p.405-418, June 22-27, 2008, Boston, Massachusetts
	Anukool Lakhina , Mark Crovella , Christophe Diot, Mining anomalies using traffic feature distributions, ACM SIGCOMM Computer Communication Review, v.35 n.4, October 2005
	Seong Soo Kim , A. L. Narasimha Reddy, Statistical techniques for detecting traffic anomalies through packet header data, IEEE/ACM Transactions on Networking (TON), v.16 n.3, p.562-575, June 2008