ASTUTE: Detecting a Different Class of Traffic Anomalies
ACM SIGCOMM 2010 – New Delhi, India
Presenter: Fernando Silveira
Joint work with: Christophe Diot, Nina Taft, Ramesh Govindan
Problem: Traffic Anomaly Detection
• Network management involves tracking events that impact, e.g., customer SLAs, security policies, resource availability
• Anomaly detection: monitoring traffic and mining unusual behavior
  • build a statistical model of normal traffic
  • an anomaly is defined as a deviation from normal
• Advantage: a single method can find different types of events
  • without knowing them in advance (i.e., new anomalies)
Challenges in Anomaly Detection
[figure: traffic measurements (e.g., packet counts) over time against a model baseline, with anomalies marked and the question "Is this anomalous?"]
• It is hard to obtain a model of "normal" traffic
  • current models must be trained from (normal) traffic data
  • the definition of an anomaly depends on the data
  • in practice, training isn't guaranteed to be anomaly-free
Problem statement
• Can we detect anomalies without having to learn what is normal?
• Approach
  • a model of normal behavior based on empirical traffic properties
• Advantages
  • no training -> computationally simple and immune to data poisoning
  • accurately detects a well-defined class of traffic anomalies
  • theoretical guarantees on the false positive rate
• Limitation
  • the method is sensitive to changes in traffic characteristics
Empirical Traffic Properties
• Flow Independence
  • flows are not really independent!
  • but correlations are weak in practice [Hohn'02, Barakat'03]
• Stationarity
  • only over the timescales of a typical flow duration
  • we study which bin sizes show stationary behavior
• If flows satisfy the properties above, they show equilibrium
  • ASTUTE – A Short-Timescale Uncorrelated Traffic Equilibrium
  • between two consecutive time bins, flow volume changes are zero-mean i.i.d.
  • Intuitively: independent flows cancel each other out
ASTUTE-based Anomaly Detection
[figure: a toy example with K' = 2 and three flows across bins i and i+1 whose volume changes are 0, +2 and -1; δ = 1/3, σ² = 7/3, K(F) ≈ 0.378, no alarm]
• Given:
  • a detection threshold K'
  • a pair of consecutive time bins
• Measure:
  • the set of active flows, F
  • the mean volume change, δ
  • the variance of volume changes, σ²
• Compute the ASTUTE Assessment Value (AAV)
• Flag an alarm if the AAV falls outside (-K', K')
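An added example (not code from the paper or its authors) that computes the AAV for the toy case on this slide and for two constructed cases: a burst of synchronous flows of the kind ASTUTE targets, and a single large flow of the kind it misses. It assumes the AAV definition K(F) = δ·√|F| / σ, which the slide's toy values δ = 1/3, σ² = 7/3, K(F) ≈ 0.378 reproduce, and an alarm when |K(F)| > K'; the flow labels and packet counts are constructed.

```python
"""ASTUTE assessment value (AAV) over two consecutive time bins.

Added example, not code from the paper or its authors. It computes
K(F) = delta_F * sqrt(|F|) / sigma_F, the AAV as defined in the ASTUTE
paper (the slide's toy numbers delta = 1/3, sigma^2 = 7/3, K(F) ~ 0.378
follow from it), and raises an alarm when |K(F)| > K'. The flow volumes
and function names below are this example's own constructions.
"""
from math import sqrt
from statistics import mean, variance


def volume_changes(vol_i, vol_next):
    """Per-flow volume change between bin i and bin i+1.

    Each argument maps a flow key (e.g. a 5-tuple) to its volume in that bin.
    A flow is in the active set F if it appears in either bin; a flow missing
    from one bin has volume 0 there.
    """
    return [vol_next.get(k, 0) - vol_i.get(k, 0) for k in set(vol_i) | set(vol_next)]


def aav(changes):
    """K(F) = delta * sqrt(|F|) / sigma over the changes of the active flows."""
    n = len(changes)
    if n < 2:
        return 0.0  # no variance estimate possible, so nothing to assess
    delta = mean(changes)
    sigma = sqrt(variance(changes))  # sample variance, as in the slide's toy (7/3)
    if sigma == 0.0:
        # Every active flow changed by the same amount: perfectly correlated if
        # that amount is non-zero, otherwise nothing changed at all.
        return float("inf") if delta != 0 else 0.0
    return delta * sqrt(n) / sigma


def astute_alarm(changes, k_prime):
    """Flag an alarm when the AAV leaves the (-K', K') band."""
    return abs(aav(changes)) > k_prime


# Constructed packet counts per flow per bin, keyed by a flow label.
# Toy case from the slide: three flows changing by 0, +2 and -1.
TOY_BIN_I, TOY_BIN_NEXT = {"a": 5, "b": 1, "c": 4}, {"a": 5, "b": 3, "c": 3}
# Four ordinary flows that drift by a few packets, used in both cases below.
BG_I = {f"bg{j}": 50 for j in range(4)}
BG_NEXT = {f"bg{j}": 50 + d for j, d in enumerate((3, -2, 0, -1))}
# Sixteen flows that all appear in bin i+1 at once (the synchronous,
# strongly correlated pattern ASTUTE targets, e.g. a scan starting).
SYNC_I, SYNC_NEXT = dict(BG_I), {**BG_NEXT, **{f"s{j}": 100 for j in range(16)}}
# One flow that jumps by 1000 packets: a few large flows, which ASTUTE misses.
BIG_I, BIG_NEXT = {**BG_I, "big": 200}, {**BG_NEXT, "big": 1200}
```

With K' = 2 the toy case gives K(F) ≈ 0.378 (no alarm), the sixteen synchronous flows give K(F) ≈ 8.7 (alarm), and the single large flow gives K(F) ≈ 1.0 (no alarm), matching the detector's stated strengths and limitation.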
Choosing the Detection Threshold
[figure: distribution of the AAV on a traffic trace (link from WIDE); the tails beyond -K' and K' are the false positives]
• The threshold controls the false positive rate
  • the probability of flagging an alarm when traffic is normal
• CLT: for large |F|, the AAV has a standard Gaussian distribution
ASTUTE Anomalies
• At least one of the model assumptions is violated
• Stationarity
  • depends on the timescale (i.e., bin sizes)
  • experiments with traces
    • long scales: daily usage bias
    • short scales: no bias!
  • we use short timescales to factor out violations of stationarity
• ASTUTE anomalies are violations of flow independence
  • our detector catches strongly correlated flows
Traces and Alternate Methods
• Flow traces from three different networks
  • Internet2 and GEANT2 research backbones
  • Technicolor corporate network
• We use two previous detectors for comparison purposes
  • Kalman filter – [Soule'05] (single link)
  • Wavelets – [Barford'02]
• We use each detector to extract anomalies from each trace
Main Results
• Small overlap between ASTUTE and other methods
  • detect anomalies with ASTUTE, Kalman and Wavelet
• ASTUTE specializes in a different class of anomalies
  • manually identify their flows and classify the event types
  • inject different types of anomalies to measure missed alarms
Result 1: Small Detector Overlap
• Each point = one anomaly
  • isolate anomalous flows
• Quantitative difference
  • ASTUTE: many small flows
  • Kalman+Wavelet: few large flows
  • ASTUTE anomalies involve an order of magnitude fewer packets
Result 2: Types of Anomalies through Injection
• ROC curves: trade-off between false and true alarms
Wrapping up
• ASTUTE detects anomalies without learning the normal behavior
  • computationally simple and immune to data poisoning
• ASTUTE specializes in a class of anomalies (strongly correlated flows)
• ASTUTE cannot find anomalies involving a few large flows
  • but those are easy to find!
• ASTUTE feeds URCA, our Unsupervised Root Cause Analysis tool [Infocom '10]
  • no need for "manual inspection"!
The End
Questions? fernando.silveira@technicolor.com
How Many Flows to Observe Gaussianity?
• Depends on the flow size distribution
Strongly Correlated Flows
[figure values: 81, 36, 9]
• A large set of flows that increase/decrease throughput synchronously, i.e., in the same time bin
  • scanning, distributed DoS, link outages, routing changes
• But how many correlated flows do we need to flag an alarm?
  • at least K'²