IP Forwarding Anomalies and Improving their Detection using Multiple Data Sources



Similar documents
Network Tomography and Internet Traffic Matrices

Week 4 / Paper 1. Open issues in Interdomain Routing: a survey

Implementing MPLS VPN in Provider's IP Backbone Luyuan Fang AT&T

Question 1. [7 points] Consider the following scenario and assume host H s routing table is the one given below:

Enhancing Network Monitoring with Route Analytics

Detecting Network Anomalies. Anant Shah

SNMP Simple Network Measurements Please!

Real-Time Traffic Engineering Management With Route Analytics

G-RCA: A Generic Root Cause Analysis Platform for Service Quality Management in Large IP Networks

MPLS WAN Explorer. Enterprise Network Management Visibility through the MPLS VPN Cloud

Cisco IOS Flexible NetFlow Technology

KnowOps: Towards an Embedded Knowledge Base for Network Management and Operations

RAVEN, Network Security and Health for the Enterprise

Network-Wide Class of Service (CoS) Management with Route Analytics. Integrated Traffic and Routing Visibility for Effective CoS Delivery

Diagnosing Network Disruptions with Network-Wide Analysis

Understanding Large Internet Service Provider Backbone Networks

A Link Load Balancing Solution for Multi-Homed Networks

Anomaly Detection Aiming Pro-Active Management of Computer Network Based on Digital Signature of Network Segment *

Identifying functional and Performance related issues in a network based on Auto Test Packet generation

Exterior Gateway Protocols (BGP)

Service Description DDoS Mitigation Service

Table of Contents. Cisco How Does Load Balancing Work?

How To Find A Failure In A Network

CA Spectrum r Overview. agility made possible

Troubleshooting and Maintaining Cisco IP Networks Volume 1

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

Fault Management In MPLS Networks

XRoads Networks, Inc.

A very short history of networking

Highlights of CAMS. Service Health Manager

PlanetSeer: Internet Path Failure Monitoring and Characterization in Wide-Area Services

Routing & Traffic Analysis for Converged Networks. Filling the Layer 3 Gap in VoIP Management

HP Networking BGP and MPLS technology training

PLUMgrid Toolbox: Tools to Install, Operate and Monitor Your Virtual Network Infrastructure

Denial of Service and Anomaly Detection

A HYBRID RULE BASED FUZZY-NEURAL EXPERT SYSTEM FOR PASSIVE NETWORK MONITORING

Introduction. The Inherent Unpredictability of IP Networks # $# #

MPLS VPN Security Best Practice Guidelines

T H E P O W E R O F B U I L D I N G A N D M A N A G I N G N E T W O R K S. Operations

Course Contents CCNP (CISco certified network professional)

Security Toolsets for ISP Defense

How To Make A Network Safer With Stealthwatch

OPERATIONAL backbone networks are intrinsically exposed

BGP Route Analysis and Management Systems

Service Definition. Internet Service. Introduction. Product Overview. Service Specification

MPLS Path Management. Ikuo Nakagawa, Intec NetCore, Inc. Feb., 2005

Regaining MPLS VPN WAN Visibility with Route Analytics. Seeing through the MPLS VPN Cloud

Using the Border Gateway Protocol for Interdomain Routing

Virtual Routing: What s The Goal? And What s Beyond? Peter Christy, NetsEdge Research Group, August 2001

Fifty Critical Alerts for Monitoring Windows Servers Best practices

Visualizing Traffic on Network Topology

Towards a Next- Generation Inter-domain Routing Protocol. L. Subramanian, M. Caesar, C.T. Ee, M. Handley, Z. Mao, S. Shenker, and I.

Route-Flow Fusion : Integrated NetFlow and IP Route Analysis

Private IP Overview. Feature Description Benefit to the Customer

Best Practices for Eliminating Risk from Routing Changes

Network Level Multihoming and BGP Challenges

Cisco Remote Management Services for Security

Intelligent. Data Sheet

Interdomain Routing. Project Report

Nokia Siemens Network NetAct For Juniper. Mobile Broadband Ethernet and IP Assurance

Intelligent Routing Platform White Paper

Measuring IP Network Routing Convergence. A new approach to the problem

Inter-domain Routing Basics. Border Gateway Protocol. Inter-domain Routing Basics. Inter-domain Routing Basics. Exterior routing protocols created to:

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Link-State Routing Protocols

#41 D A N T E I N P R I N T. TEN-155 Multicast: MBGP and MSDP monitoring. Jan Novak Saverio Pangoli

Broadband Networks. Prof. Karandikar. Department of Electrical Engineering. Indian Institute of Technology, Bombay. Lecture - 26

DD2491 p Load balancing BGP. Johan Nicklasson KTHNOC/NADA

7750 SR OS System Management Guide

On Characterizing BGP Routing Table Growth Tian Bu, Lixin Gao, and Don Towsley University of Massachusetts, Amherst, MA 01003

SPRINT PCS DATA LINK - WIRELESS WAN PRODUCT ANNEX

The Quality of Internet Service: AT&T s Global IP Network Performance Measurements

FatPipe Networks

ARTICLE 3. CUSTOM INSTALATION FEES Ethernet Dedicated Internet Services PSA Ver. 1.5

Discovering High-Impact Routing Events Using Traceroutes

Web Traffic Capture Butler Street, Suite 200 Pittsburgh, PA (412)

Sample Configuration Using the ip nat outside source static

IBM Tivoli Network Manager software

Monitoring within an Autonomic Network: A. Framework

Datasheet: Visual Performance Manager and TruView Advanced MPLS Package with VoIPIntegrity (SKU 01923)

Network Performance + Security Monitoring

Network provider filter lab

NetFlow Performance Analysis

Network- vs. Host-based Intrusion Detection

Release Notes for PicOS 2.4

Quality Certificate for Kaspersky DDoS Prevention Software

Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002

COMCAST ENTERPRISE SERVICES PRODUCT- SPECIFIC ATTACHMENT ETHERNET DEDICATED INTERNET SERVICES

Performance Management Best Practices for Broadband Service Providers

Interconnecting Cisco Networking Devices: Accelerated (CCNAX) 2.0(80 Hs) 1-Interconnecting Cisco Networking Devices Part 1 (40 Hs)

Troubleshooting an Enterprise Network

How To Manage A Network

IDS / IPS. James E. Thiel S.W.A.T.

TECHNOLOGY WHITE PAPER. Correlating SDN overlays and the physical network with Nuage Networks Virtualized Services Assurance Platform

SERVICE LEVEL AGREEMENT

Redundancy & the Netnod Internet Exchange Points

IxNetwork TM MPLS-TP Emulation

WHITE PAPER September CA Nimsoft For Network Monitoring

Cisco Advanced Services Network Management Systems Architectural Leading Practice

Transcription:

IP Forwarding Anomalies and Improving their Detection using Multiple Data Sources Matthew Roughan (Univ. of Adelaide) Tim Griffin (Intel Research Labs) Z. Morley Mao (Univ. of Michigan) Albert Greenberg, Brian Freeman (AT&T Labs-Research)

Network Anomalies What are network anomalies? Any unexpected behavior in networks Likely indications of network problems Networks anomalies occur all the time Require better understanding Require fast and accurate detection Anomalies are not known in advance Cannot match signatures, no stable signatures Need to detect anomalous behavior Need to define what is normal and anomalous Difficult to prevent them from happening

Automated Anomaly Detection Automated techniques are rarely perfect Two types of errors Failure to detect (false negative) False alarm (false positive) Tradeoff between the two Single source Improvements must reduce both errors Quickly reach the point of diminishing returns Current approach of most researchers However, two sources can Our approach Reduce the false alarm rate dramatically Not much reduction in detection rate

Two Sources with Independent Errors Probability of detection in source i is p i =0.99 Probability of detection in both sources (AND) is p 1 x p 2 = 0.99 x 0.99 = 0.98 False alarm probability in source i is q i =0.02 False alarm probability in AND is q 1 x q 2 =0.02 x 0.02 = 0.0004 Large reduction in false alarms, slight reduction in detection accuracy.

IP Forwarding Anomalies are Important Severe disruption in forwarding High impact events Typically affecting more than one router or link Affecting end to end performance of customers Causes: Control plane failures Implementation bugs Configuration errors Typical symptoms: Packet drops, reordering, high delays Unreachable destinations Fluctuating routes Changes in traffic volume

Methodology: Detection Methodology 1. Use two data sources: routing and traffic 2. Individually process each source 3. Combining anomaly signals signal alarms when both indicate anomalies concurrently Advantages: Uncorrelated errors, correlated anomalies Low false alarm rate, high detection rate Simple and robust Scalable, automated, self-training

Traffic Analysis SNMP (Simple Network Management Protocol) Traffic volume per time interval Coarse grained Ubiquitous 1. Basic anomaly detection algorithm 1. Holt-Winters 2. Decomposition-based algorithm Decompose into 4 components: 1. Seasonal/Periodic Component: S t 2. Long term trend: T t 3. Normal stochastic component: W t 4. Anomalies, (impulse functions): I t X t : traffic at time t, t t a: peakedness parameter, m t : regular, predictable mean (m t =S t *T t ) x + = m + amtwt It

SNMP traffic data processing Link 1 output traffic (May 2001) Original SNMP traffic data Regular component Stochastic component

Routing Analysis BGP: Interdomain routing protocol Internal route monitor to all route reflectors Aggregate routes based on exit point Look for route fluctuations Appear as differences in route counts BGP data processing EWMA (Exponentially Weighted Moving Average) Exclude anomalies from moving average

BGP Data Analysis: BGP route count Number of BGP routes from a major PoP Anomalies (of interest) are short-lived, steep drops in the number of routes

Example 1 False alarms anomaly Anomaly is due to failure of a major network peer BGP false alarm Commonly due to session reset between the monitoring router and the operational router

Example 2 False alarms Anomaly due to outage of a router with many peering links False alarm due to missing data anomaly

Evaluation using Known Events List of known events over a year Notified by operations Considered important Perfect detection accuracy

Evaluation of Individual Algorithms Data set Algorithm False alarm rate Expected false alarms per day SNMP Decomposition 3.4% 78 SNMP Holt-Winters 4.3% 99 BGP EWMA 0.5% 12

Evaluation using Fault Tickets Feb to May 2003 Take all the detections Identify root cause analysis based on detailed fault tickets Root cause Edge node/link outage Simultaneous outages Unknown cause False alarms Decomposition on SNMP EWMA on BGP 67% 11% 22% 0%

Conclusions Powerful idea of combining multiple data sources for anomaly detection Significantly lower false alarms Little degradation in detection accuracy Simple and robust (e.g. missing data) Scalable, automated, self-training Applied to detecting forwarding anomalies Important to network operations Discovered SNMP and BGP features with the right properties

Future Work Multi-Dimensional Event Correlation Extension to include additional data sources (ongoing work by Ramana Kompella et. al.) OSPF, SONET PM data, Router Syslogs, Trouble Tickets, etc. Algorithm improvement Statistical techniques (e.g., Wavelets) Bayesian networks to combine different data Automated fault diagnosis and troubleshooting (root cause analysis)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information