A system to detect and classify traffic anomalies at carrier networks using network-wide flow data.
Mining Anomalies in Network-Wide Flow Data
Anukool Lakhina with Mark Crovella and Christophe Diot
NANOG35, Oct 23-25, 2005
My Talk in One Slide
• Goal: A general system to detect & classify traffic anomalies at carrier networks
• Network-wide flow data (e.g., via NetFlow) exposes a wide range of anomalies
• Both operational & malicious events
• I am here to seek your feedback
Network-Wide Traffic Analysis
• Simultaneously analyze traffic flows across the network; e.g., using the traffic matrix
• Network-wide data we use: Traffic matrix views for Abilene and Géant at 10 min bins
Power of Network-Wide Analysis
[Figure: network map with nodes NYC, LA, ATLA, HSTN, IPLS]
• Peak rate: 300Mbps; Attack rate ~ 19Mbps/flow
• Distributed attacks easier to detect at the ingress
But, This is Difficult!
How do we extract anomalies and normal behavior from noisy, high-dimensional data in a systematic manner?
The Subspace Method [LCD:SIGCOMM '04]
• An approach to separate normal & anomalous network-wide traffic
• Designate temporal patterns most common to all the OD flows as the normal patterns
• Remaining temporal patterns form the anomalous patterns
• Detect anomalies by statistical thresholds on anomalous patterns
An example user anomaly
• One Src-Dst pair dominates: 32% of B, 20% of P traffic
• Cause: Bandwidth measurement using iperf by SLAC
An example operational anomaly
• Multihomed customer CALREN reroutes around outage at LOSA
Summary of Anomaly Types Found [LCD:IMC04]
[Chart categories: False Alarms, Unknown, Traffic Shift, Outage, Worm, Point-Multipoint, Alpha, Flash Events, DOS, Scans]
Automatically Classifying Anomalies [LCD:SIGCOMM05]
• Goal: Classify anomalies without restricting yourself to a predefined set of anomalies
• Approach: Leverage 4-tuple header fields: SrcIP, SrcPort, DstIP, DstPort
• In particular, measure dispersion in fields
• Then, apply off-the-shelf clustering methods
Example of Anomaly Clusters
[Figure: anomaly clusters plotted by (SrcIP) and (DstIP) dispersion, each axis running from Concentrated to Dispersed. Legend: Code Red Scanning, Single source DOS attack, Multi source DOS attack]
• Summary: Correctly classified 292 of 296 injected anomalies
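The dispersion measurement from the classification slides, as an added example that is not code from the talk or its prototype. It assumes sample entropy as the dispersion measure (the slides say only "dispersion"), replaces the clustering step with a fixed 0.5 threshold, and runs on constructed flow records; all function and constant names are hypothetical.

```python
import math
from collections import Counter

FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port")
THRESHOLD = 0.5  # assumed cut between "concentrated" and "dispersed"


def normalized_entropy(values):
    """Sample entropy of one header field, scaled to [0, 1].

    0.0 means every flow carries the same value (concentrated);
    1.0 means every flow carries a different value (dispersed).
    """
    counts = Counter(values)
    total = sum(counts.values())
    if total < 2 or len(counts) == 1:
        return 0.0
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return h / math.log2(total)


def dispersion_vector(flows):
    """Per-field dispersion for one time bin of 4-tuple flow records."""
    return {name: normalized_entropy([f[i] for f in flows])
            for i, name in enumerate(FIELDS)}


def signature(flows):
    """Coarse per-field label; a stand-in for the clustering step."""
    return {name: "dispersed" if h > THRESHOLD else "concentrated"
            for name, h in dispersion_vector(flows).items()}


# Constructed flow records (documentation address ranges), 200 flows per bin.
SCAN = [("192.0.2.10", 1024 + i, f"198.51.100.{i}", 80) for i in range(200)]
SINGLE_SRC_DOS = [("192.0.2.10", 1024 + i, "203.0.113.7", 80)
                  for i in range(200)]
MULTI_SRC_DOS = [(f"198.51.100.{i}", 1024 + i, "203.0.113.7", 80)
                 for i in range(200)]

if __name__ == "__main__":
    for label, flows in (("scan", SCAN),
                         ("single-source DOS", SINGLE_SRC_DOS),
                         ("multi-source DOS", MULTI_SRC_DOS)):
        sig = signature(flows)
        print(f"{label:18s} SrcIP={sig['src_ip']:12s} DstIP={sig['dst_ip']}")
```

The three constructed bins land in different corners of the (SrcIP, DstIP) dispersion plane, which is the separation the cluster plot relies on.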
Summary
• Network-Wide Detection:
  • Broad range of anomalies with low false alarms
  • In papers: Highly sensitive detection, even when anomaly is 1% of background traffic
• Anomaly Classification:
  • Feature clusters automatically classify anomalies
  • In papers: clusters expose new anomalies
• Network-wide data and header analysis are promising for general anomaly diagnosis
More information
• Ongoing Work: implementing algorithms in a prototype system
• For more information, see papers & slides at: http://cs-people.bu.edu/anukool/pubs.html
• Your feedback much needed & appreciated!