
ASTUTE: Detecting a Different Class of Traffic Anomalies

ASTUTE: Detecting a Different Class of Traffic Anomalies. ACM SIGCOMM 2010 – New Delhi, India. Presenter : Fernando Silveira Joint work with : Christophe Diot , Nina Taft, Ramesh Govindan. Problem : Traffic Anomaly Detection.



Presentation Transcript


  1. ASTUTE: Detecting a Different Class of Traffic Anomalies
     ACM SIGCOMM 2010 – New Delhi, India
     Presenter: Fernando Silveira
     Joint work with: Christophe Diot, Nina Taft, Ramesh Govindan

  2. Problem: Traffic Anomaly Detection
     • Network management involves tracking events that impact, e.g., customer SLAs, security policies, resource availability
     • Anomaly detection: monitoring traffic and mining unusual behavior
       • build a statistical model of normal traffic
       • an anomaly is defined as a deviation from normal
     • Advantage: a single method can find different types of events
       • and without knowing them in advance (i.e., new anomalies)

  3. Challenges in Anomaly Detection
     [Figure: traffic measurements (e.g., packet counts) over time against a model baseline; one deviation is labelled "Anomaly", another "Is this anomalous?"]
     • It is hard to obtain a model of "normal" traffic
       • current models must be trained from (normal) traffic data
       • the definition of an anomaly depends on the data
       • in practice training isn't guaranteed to be anomaly-free

  4. Problem statement
     • Can we detect anomalies without having to learn what is normal?
     • Approach
       • a model of normal behavior based on empirical traffic properties
     • Advantages
       • no training -> computationally simple and immune to data-poisoning
       • accurately detects a well-defined class of traffic anomalies
       • theoretical guarantees on the false positive rates
     • Limitation
       • the method is sensitive to changes in traffic characteristics

  5. Empirical Traffic Properties
     • Flow Independence
       • flows are not really independent!
       • but correlations are weak in practice [Hohn'02, Barakat'03]
     • Stationarity
       • only over the timescales of a typical flow duration
       • we study which bin sizes show stationary behavior
     • If flows satisfy the properties above, they show equilibrium
       • ASTUTE – A Short-Timescale Uncorrelated Traffic Equilibrium
       • between two consecutive time bins, flow volume changes are zero-mean i.i.d.
       • Intuitively: independent flows cancel each other out

  6. ASTUTE-based Anomaly Detection
     [Figure: a toy example with K' = 2. Three flows are active across consecutive bins i and i+1 with volume changes 0, +2 and -1, giving δ = 1/3, σ² = 7/3 and K(F) ≈ 0.378: No Alarm]
     • Given:
       • A detection threshold K'
       • A pair of consecutive time bins
     • Measure:
       • Set of active flows - F
       • Mean volume change - δ
       • Variance of volume changes - σ²
     • Compute the ASTUTE Assessment Value (AAV)
     • Flag an alarm if:

  7. Choosing the Detection Threshold
     [Figure: empirical distribution of the AAV from a traffic trace (link from WIDE); the tails beyond -K' and K' are labelled as false positives]
     • The threshold controls the false positive rate
       • probability of flagging an alarm when traffic is normal
     • CLT: for large |F|, the AAV has a standard Gaussian distribution
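The detector of slides 6 and 7 (and the K'² rule of the backup slide 18) as an added, runnable example; this is not the authors' code. The AAV formula δ·√|F|/σ is an assumption chosen because it reproduces the slide's toy numbers, and all flow bins are constructed here, not taken from the traces.

```python
import math

def volume_changes(bin_i, bin_next):
    """Per-flow volume change between consecutive bins; each bin maps a flow
    key (e.g. a 5-tuple) to its packet count. F is every flow active in either
    bin, and a flow absent from one bin contributes 0 there."""
    flows = set(bin_i) | set(bin_next)
    return [bin_next.get(f, 0) - bin_i.get(f, 0) for f in flows]

def aav(changes):
    """ASTUTE Assessment Value, assumed here to be delta * sqrt(|F|) / sigma.
    The slides do not spell the formula out; this form reproduces the slide-6
    toy example (changes 0, +2, -1: delta = 1/3, sigma^2 = 7/3 using the
    unbiased sample variance, K(F) ~= 0.378). With zero-mean i.i.d. changes
    the CLT makes it approximately standard Gaussian for large |F|."""
    n = len(changes)
    if n < 2:
        raise ValueError("need at least two active flows")
    delta = sum(changes) / n
    var = sum((c - delta) ** 2 for c in changes) / (n - 1)
    if var == 0:  # every flow moved identically: perfectly correlated
        return math.copysign(math.inf, delta) if delta else 0.0
    return delta * math.sqrt(n) / math.sqrt(var)

def astute_alarm(bin_i, bin_next, k_prime=2.0):
    """Return (alarm, AAV); the alarm fires when |AAV| exceeds K'."""
    value = aav(volume_changes(bin_i, bin_next))
    return abs(value) > k_prime, value

def false_positive_rate(k_prime):
    """Two-sided Gaussian tail P(|AAV| > K') under normal traffic (slide 7)."""
    return math.erfc(k_prime / math.sqrt(2))

def min_correlated_flows(k_prime):
    """Slide 18: at least K'^2 flows must move together to trip the alarm."""
    return math.ceil(k_prime ** 2)

# Constructed inputs, not traces from the paper: the slide-6 toy example and a
# bin pair where `burst` flows rise in lockstep on a balanced +1/-1 background.
TOY_BIN_I = {"a": 5, "b": 3, "c": 4}
TOY_BIN_NEXT = {"a": 5, "b": 5, "c": 3}  # changes 0, +2, -1

def make_burst_bins(background=200, burst=20):
    bin_i = {f"bg{i}": 10 for i in range(background)}
    bin_next = {f"bg{i}": 10 + (1 if i % 2 else -1) for i in range(background)}
    for j in range(burst):
        bin_i[f"burst{j}"], bin_next[f"burst{j}"] = 2, 12
    return bin_i, bin_next
```

With K' = 2 the toy pair stays below threshold while 20 synchronised flows push the AAV to about 4.4 and raise an alarm; 3 such flows (below K'² = 4) do not.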

  8. ASTUTE Anomalies
     • At least one of the model assumptions is violated
       • Stationarity
         • depends on timescale (i.e., bin sizes)
         • experiments with traces
           • long scales: daily usage bias
           • short scales: no bias!
     • We use short timescales to factor out violations of stationarity
     • ASTUTE anomalies are violations of flow independence
       • our detector catches strongly correlated flows

  9. Traces and Alternate Methods
     • Flow traces from three different networks
       • Internet2 and GEANT2 research backbones
       • Technicolor corporate network
     • We use two previous detectors for comparison purposes
       • Kalman filter – [Soule'05] (single link)
       • Wavelets – [Barford'02]
     • We use each detector to extract anomalies from each trace

  10. Main Results
     • Small overlap between ASTUTE and other methods
       • Detect anomalies with ASTUTE, Kalman and Wavelet
     • ASTUTE specializes in a different class of anomalies
       • Manually identify their flows and classify the event types
       • Inject different types of anomalies to measure missed alarms

  11. Result 1: Small Detector Overlap
     • Each point = one anomaly
       • isolate anomalous flows
     • Quantitative difference
       • ASTUTE: many small flows
       • Kalman+Wavelet: few large flows
     • ASTUTE anomalies involve an order of magnitude fewer packets

  12. Result 2: Types of Anomalies

  13. Result 2: Types of Anomalies through Injection ROC curves : trade-off between false and true alarms

  14. Wrapping up
     • ASTUTE detects anomalies without learning the normal behavior
       • computationally simple and immune to data-poisoning
     • ASTUTE specializes in a class of anomalies (strongly correlated flows)
     • ASTUTE cannot find anomalies involving a few large flows
       • but those are easy to find!
     • ASTUTE feeds URCA, our Unsupervised Root Cause Analysis tool [Infocom '10]
       • No need for "manual inspection"!

  15. The End. Questions: fernando.silveira@technicolor.com

  16. Backup Slides

  17. How Many Flows to observe Gaussianity ? Depends on the flow size distribution

  18. Strongly Correlated Flows
     [Figure showing the values 81, 36 and 9]
     • A large set of flows which increase/decrease throughput synchronously, i.e., in the same time bin
       • scanning, distributed DoS, link outages, routing changes
     • But how many correlated flows do we need to flag an alarm?
       • at least K'²
