Towards automatic detection and diagnosis of Internet service anomalies via DNS traffic analysis

The DNS protocol has proved to be a valuable means for identifying and dissecting large-scale anomalies in omnipresent Over The Top (OTT) Internet services. In this paper, we present and evaluate a framework for detecting and diagnosing traffic anomalies via DNS traffic analysis. Detection is achieved by monitoring a set of DNS-related symptomatic features and raising a warning as soon as one or more of them show a significant change. The root causes of such deviations are then investigated by looking for significant changes in a number of diagnostic features (e.g., device manufacturer and OS, requested host name, DNS error codes), which convey information directly linked to the potential origins of the detected anomalies. To detect significant changes in the time series of these diagnostic features, we propose a scheme based on change point detection applied to the entropy of each feature's distribution. The proposed solution is tested using both real and synthetic data from a nationwide mobile ISP, the synthetic data being generated from real traffic statistics so as to resemble the real mobile network traffic. To show the operational value of the proposed framework, we report the results of the diagnosis in two prototypical cases.
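The following is an added illustration of the detection-and-diagnosis idea sketched in the abstract; it is not the authors' code, and the paper does not specify which change point detector or which entropy normalisation it uses. It assumes a two-sided CUSUM detector with a baseline window, Shannon entropy in bits, and a constructed set of DNS log records (time bin, device OS, requested host name, response code, query type) in which, from bin 5 on, Android clients repeatedly fail to resolve one CDN host name. The features whose entropy series raise an alarm are the diagnostic hint; a feature that is untouched by the anomaly (here the A/AAAA query-type mix) stays silent.

```python
"""Per-feature entropy time series plus CUSUM change point detection over
DNS diagnostic features (added example, not the paper's implementation)."""
from collections import Counter, defaultdict
import math

FEATURES = ("device_os", "host", "rcode", "qtype")


def make_sample_records():
    """Constructed DNS log records: (time_bin, device_os, host, rcode, qtype).

    Bins 0-4 are baseline traffic. From bin 5 on, Android clients get SERVFAIL
    for cdn.example.net and keep retrying it, which shifts the OS, host and
    rcode distributions but leaves the query-type mix essentially unchanged.
    """
    oses = ("android", "ios", "windows")
    hosts = ("cdn.example.net", "api.example.net", "img.example.net")
    records = []
    for t in range(10):
        for i in range(210):                       # baseline: 70 queries per OS
            records.append((t, oses[i % 3], hosts[(i // 3) % 3], "NOERROR",
                            "A" if i % 2 == 0 else "AAAA"))
        if t >= 5:                                 # synthetic anomaly (constructed)
            for i in range(105):
                records.append((t, "android", "cdn.example.net", "SERVFAIL",
                                "A" if i % 2 == 0 else "AAAA"))
    return records


def entropy_bits(counts):
    """Shannon entropy in bits of an empirical distribution {value: count}."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def feature_entropy_series(records):
    """Return {feature: [entropy per time bin, in bin order]}."""
    per_bin = defaultdict(lambda: {f: Counter() for f in FEATURES})
    for t, *values in records:
        for feature, value in zip(FEATURES, values):
            per_bin[t][feature][value] += 1
    bins = sorted(per_bin)
    return {f: [entropy_bits(per_bin[t][f]) for t in bins] for f in FEATURES}


def cusum_change_point(series, baseline_bins=5, drift=0.02, threshold=0.2):
    """Two-sided CUSUM over an entropy series (values in bits).

    The reference level is the mean of the first `baseline_bins` samples;
    `drift` is per-sample slack absorbed before evidence accumulates, and
    `threshold` is the accumulated evidence that raises an alarm.
    Returns the index of the first alarmed bin, or None if no change is seen.
    """
    ref = sum(series[:baseline_bins]) / baseline_bins
    up = down = 0.0
    for i, x in enumerate(series):
        up = max(0.0, up + (x - ref) - drift)      # entropy rising
        down = max(0.0, down + (ref - x) - drift)  # entropy falling
        if up > threshold or down > threshold:
            return i
    return None


def diagnose(records, **cusum_kwargs):
    """Run the detector on each diagnostic feature: {feature: alarm bin or None}."""
    series = feature_entropy_series(records)
    return {f: cusum_change_point(series[f], **cusum_kwargs) for f in FEATURES}


if __name__ == "__main__":
    for feature, bin_idx in diagnose(make_sample_records()).items():
        status = f"change at bin {bin_idx}" if bin_idx is not None else "stable"
        print(f"{feature:10s} {status}")
```

On the constructed data the response-code entropy jumps from zero as soon as the failures start, so it alarms first (bin 5); the OS and host name entropies drop more gradually as the retrying Android clients concentrate the distributions, and their CUSUM accumulators cross the threshold one bin later; the query-type feature never alarms. Reading the three alarmed features together (Android, cdn.example.net, SERVFAIL) is the kind of root-cause hint the abstract describes. In production, the baseline window, drift and threshold would be tuned per feature against the normal fluctuation of entropy in that network.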
