Whole-Network Anomaly Diagnosis



Project Title: Whole-Network Anomaly Diagnosis

Co-PIs Involved: Mark Crovella (Associate Prof., Computer Science Department, Boston University), Eric Kolaczyk (Associate Prof., Math & Statistics Department, Boston University)

Student: Anukool Lakhina
Ph.D. Candidate, Computer Science Department, Boston University

Project Description

Anomaly diagnosis (i.e., anomaly detection, identification, and quantification) in computer networks is a challenging and important problem. Anomalies can arise for many reasons: unusual end-user demands; network misuse and abuse; equipment failure; and operational misconfiguration. Our thesis is that the entire range of such problems can only be accurately diagnosed via a whole-network approach, i.e., by examining traffic throughout a network simultaneously. This is in contrast to previous work, which has almost exclusively dealt with traffic measured at a single point in a network.

While the whole-network approach is powerful, it is challenging because of the need to extract meaning from noisy, high-dimensional data. To that end the project has already made three contributions. In [1] we characterized the set of traffic observable across a network and showed that, even in a network with hundreds of flows, most significant traffic variation can be captured in a small number of dimensions (less than 10). In [2] we showed how to exploit the low effective dimensionality of network traffic for anomaly detection using the subspace approach. Finally, in [3] we showed that the subspace approach is remarkably powerful at detecting the entire range of network anomalies when applied to traffic flow data.
[Figure panels: Plot (Byte), Plot (Packet), Plot (Flow)]

Figure (From [3]): Anomalies Detected via the Subspace Method Applied to Network-Wide Timeseries of Byte (left), Packet (center), and Flow Traffic (right). Example Labeled Anomalies: (1) and (2) are unusually high rate flows resulting from bandwidth measurement experiments; (3) is a DoS attack on port 110; (4) is a DoS attack on port 113; (5) is a port scan. Over 90% of events detected by this method are of interest to network operators.
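To make the subspace approach concrete, the following is an added example (not code from the project or the papers above) that applies it in pure Python to a constructed matrix of per-link traffic timeseries: fit the "normal" subspace from the top principal components, compute each timestep's residual energy (squared prediction error) outside that subspace, and flag timesteps whose residual is far above the typical level. The link loadings, noise model, injected burst and the median-multiple threshold are assumptions made for illustration only.

```python
import math, random

def fit_normal_subspace(y, k, iters=200):
    """Column means and top-k principal directions of the t x m traffic matrix y (power iteration with deflation)."""
    t, m = len(y), len(y[0])
    mu = [sum(r[j] for r in y) / t for j in range(m)]
    c = [[r[j] - mu[j] for j in range(m)] for r in y]              # centre each link's timeseries
    cov = [[sum(r[i] * r[j] for r in c) / t for j in range(m)] for i in range(m)]
    comps = []
    for _ in range(k):
        v = [1.0 / math.sqrt(m)] * m
        for _ in range(iters):
            w = [sum(cov[i][j] * v[j] for j in range(m)) for i in range(m)]
            for u in comps:                                        # deflate: stay orthogonal to earlier components
                d = sum(w[i] * u[i] for i in range(m))
                w = [w[i] - d * u[i] for i in range(m)]
            n = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / n for x in w]
        comps.append(v)
    return mu, comps

def squared_prediction_error(y, mu, comps):
    """SPE of every timestep: energy left after removing its projection onto the normal subspace."""
    spe = []
    for r in y:
        res = [r[j] - mu[j] for j in range(len(r))]
        for u in comps:
            d = sum(a * b for a, b in zip(res, u))
            res = [a - d * b for a, b in zip(res, u)]
        spe.append(sum(x * x for x in res))
    return spe

def detect(y, k=2, factor=6.0):
    """Timesteps whose SPE exceeds factor * median SPE (a simplified threshold assumed for this example)."""
    mu, comps = fit_normal_subspace(y, k)
    spe = squared_prediction_error(y, mu, comps)
    med = sorted(spe)[len(spe) // 2]
    return [i for i, s in enumerate(spe) if s > factor * med]

def sample_traffic(t=200, m=8, seed=1):
    """Constructed link byte counts: m links mixing two shared daily patterns plus noise, with a burst on link 3 at step 150."""
    rng = random.Random(seed)
    y = []
    for i in range(t):
        f1 = 100 + 50 * math.sin(2 * math.pi * i / 96)
        f2 = 60 + 30 * math.cos(2 * math.pi * i / 48)
        row = [(0.3 + 0.1 * j) * f1 + (0.8 - 0.1 * j) * f2 + rng.gauss(0, 2) for j in range(m)]
        if i == 150:
            row[3] += 150                                          # constructed DoS-like spike on one link
        y.append(row)
    return y
```

With the constructed data, `detect(sample_traffic())` returns only step 150: the two shared patterns are absorbed by the normal subspace while the single-link burst lands almost entirely in the residual.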

References

1. Anukool Lakhina, Konstantina Papagiannaki, Mark Crovella, Christophe Diot, Eric D. Kolaczyk and Nina Taft, “Structural Analysis of Network Traffic Flows,” Proceedings of ACM SIGMETRICS / Performance 2004, June 2004.
2. Anukool Lakhina, Mark Crovella and Christophe Diot, “Diagnosing Network-Wide Traffic Anomalies,” Proceedings of ACM SIGCOMM 2004, August 2004.
3. Anukool Lakhina, Mark Crovella and Christophe Diot, “Characterization of Network-Wide Anomalies in Traffic Flows,” Internet Measurement Conference, Taormina, Italy, October 2004.
4. Anukool Lakhina, Mark Crovella and Christophe Diot, “Exploring the Subspace Method for Network-Wide Anomaly Diagnosis,” (poster) Network Troubleshooting Workshop: Research, Theory and Operations, Portland, OR, August 2004.