Using End-to-End Bandwidth Estimates for Anomaly Detection beyond Enterprise Boundaries. Conference: Contributed to IEEE INFOCOM 2009: 28th Conference on Computer Communications, Rio de Janeiro, Brazil, 19-25 Apr 2009.
Abstract

Many algorithms have been proposed in the last decade to detect traffic anomalies in enterprise networks. However, most of these algorithms cannot detect anomalies that occur beyond enterprise boundaries. Performance monitoring and anomaly detection on end-to-end Internet paths, although important for network operations, is challenging due to lack of access and control over intermediate network devices. In this paper, we propose an algorithm that detects anomalies or significant events on an end-to-end Internet path by monitoring the path’s available bandwidth. We first evaluate existing algorithms on a comprehensive dataset of more than a million bandwidth measurements spanning three years. We show that incorporating the typical behaviour of a path in the process of anomaly detection improves accuracy. We therefore propose to filter noisy bandwidth measurements to extract the typical behaviour or baseline statistical distribution of a path’s bandwidth. This baseline model is in turn leveraged in a generic decision-theoretic framework to provide timely detection of significant path events. We show that the proposed detector provides high accuracy and surpasses the accuracy of existing techniques.
