Network anomaly estimation for TCP/AQM networks using an observer

Abstract—Network anomaly detection is an active research area in the networking community. Researchers have approached this problem using various techniques such as artificial intelligence, machine learning, state-machine modeling and statistical approaches. The purpose of this preliminary work is to design an observer for network anomaly estimation in TCP/AQM (Transmission Control Protocol/Active Queue Management) networks using a time-delay system approach. By combining an observer with an AQM, constant anomalies, modeled as perturbations of the network, can be detected. We illustrate the effectiveness of the results via SIMULINK and the NS-2 simulator.

Keywords: Network anomaly detection, Observer, AQM, Time-delay system.

I. MOTIVATIONS

Network anomalies typically refer to circumstances in which network operations deviate from normal network behavior. Detecting anomalies such as malfunctioning network devices, network overload, flash crowds, worms, port scans, risky internal user behavior, malicious denial-of-service (DoS) attacks and network intrusions that disrupt the normal delivery of network services has become a key issue for the networking community. Such anomalies can appear at any time in the traffic and degrade the Quality of Service (QoS) of the network: congestion at first, then non-responsive routers, and worse. Network anomalies (in the sense of a deviation from the normal network condition) can be roughly classified into two categories. The first category is related to network failures and performance problems (file server failures, broadcast storms, etc.). The second major category is security-related problems, i.e. detecting active security threats such as DoS or DDoS attacks. A variety of tools and techniques exist to detect anomalies, most of them based on information-theoretic or statistical measures of the traffic; they are usually called Intrusion Detection Systems (IDS) and Anomaly Detection Systems (ADS). Both look for "bad things" on a system or network, things that may be potential security incidents.

An IDS uses a defined set of rules or filters crafted to catch a specific malicious event. IDS rely on two principal techniques to detect anomalies or intrusions in the traffic. The first is the use of signatures, i.e. specific packet formats or particular sequences of packets that make up an attack. This technique is not well suited to detecting variations of the traffic that have no particular signature (such as a flash crowd or a DDoS attack without a signature). The second is the use of statistical profiles of the traffic. Nowadays, however, the approaches that use statistics are mainly limited to first-order quantities (mean and standard deviation). The very strong natural variability of the traffic [1] produces strong fluctuations of these measurements, inducing very high rates of false positives (false alarms) and false negatives (missed detections). Recent studies take into account a richer form of the statistical structure of the traffic (correlation, spectral density, ...) [2], [3], [4], [5], [6]. An ADS, on the other hand, operates from a baseline of normal activity: as described above, behavior that deviates from this baseline is flagged. While an IDS looks mainly for a misuse signature, an ADS looks for an unusual event that leads to unapproved network changes.

In this paper, we propose to design an observer in the time-delay systems framework for anomaly detection. The main advantage of this technique is that, being model-based rather than threshold-based, it avoids the false-positive/false-negative problem that arises in statistical approaches. The observer synthesis is based on a linearized fluid-flow model of the TCP/AQM behaviour. Consequently, an AQM regulating the queue size of the router buffer is required for the observer to remain relevant; hence the observer must be associated with an AQM to perform its diagnosis. Note that, since the drop probability set by the AQM is taken into account, the detection mechanism is independent of the particular AQM (as long as the AQM is able to regulate the queue size at a prescribed level).

The paper is organized as follows. Section II presents the problem statement and introduces the model of a network supporting TCP and AQM for congestion control. Section III is dedicated to the observer design for the detection and estimation of anomalies. Section IV presents an application of the exposed theory and simulation results using SIMULINK and NS-2 (see [7]). Finally, Section V concludes the paper.

Notations: For two symmetric matrices A and B, A > (≥) B means that A − B is positive (semi-)definite. A
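The mechanism outlined above (an observer fed with the measured queue and with the drop probability the AQM actually applied, estimating a constant perturbation of the network) can be illustrated on a deliberately simplified model. The following pure-Python simulation is an added example and not code from the paper: it does not reproduce the delayed fluid-flow TCP/AQM model of Section II nor the time-delay/LMI synthesis, but a toy continuous-time model in deviation variables, Euler-discretized with step T, in which the aggregate sending rate r reacts to the drop probability p as dr/dt = -a*r - b*p and the router queue evolves as dq/dt = r + d, where d is a constant unknown load (the anomaly). The AQM is a PI law on the queue error; the observer is a Luenberger observer on the state augmented with d, whose gains are placed in closed form from the characteristic polynomial of the error matrix. Every constant (a, b, T, controller gains, observer poles, anomaly size D, alarm threshold) is an assumption chosen for illustration.

```python
"""Constant-anomaly estimation with a disturbance observer beside a queue-regulating AQM.

Added example (not the paper's code). The plant is a toy linear model in deviation
variables, Euler-discretized, NOT the delayed fluid-flow TCP/AQM model; every
constant below is an assumption chosen for illustration.
"""


def observer_gains(a, T, poles):
    """Closed-form gains L = (l1, l2, l3) placing the eigenvalues of A_aug - L*C_aug.

    Augmented state (r, q, d), output y = q.  Writing mu = lambda - 1, the
    characteristic polynomial of the error matrix is
        mu^3 + (l2 + a*T) mu^2 + (T*l3 + a*T*l2 + T*l1) mu + a*T^2*l3,
    which is matched coefficient by coefficient to the desired polynomial.
    a > 0 is required: with a == 0 the rate r and the load d both act as
    integrated inputs to q and d is not observable from y.
    """
    if a <= 0:
        raise ValueError("a must be positive, otherwise d is unobservable")
    mu = [p - 1.0 for p in poles]
    c2 = -(mu[0] + mu[1] + mu[2])
    c1 = mu[0] * mu[1] + mu[0] * mu[2] + mu[1] * mu[2]
    c0 = -(mu[0] * mu[1] * mu[2])
    l2 = c2 - a * T
    l3 = c0 / (a * T * T)
    l1 = (c1 - T * l3 - a * T * l2) / T
    return l1, l2, l3


def error_matrix(a, T, gains):
    """A_aug - L*C_aug for the discretized model with state (r, q, d), y = q."""
    l1, l2, l3 = gains
    return [[1.0 - a * T, -l1, 0.0],
            [T, 1.0 - l2, T],
            [0.0, -l3, 1.0]]


def char_poly(lam, a, T, gains):
    """det(lam*I - (A_aug - L*C_aug)); zero exactly at the placed poles."""
    m = error_matrix(a, T, gains)
    x = [[(lam if i == j else 0.0) - m[i][j] for j in range(3)] for i in range(3)]
    return (x[0][0] * (x[1][1] * x[2][2] - x[1][2] * x[2][1])
            - x[0][1] * (x[1][0] * x[2][2] - x[1][2] * x[2][0])
            + x[0][2] * (x[1][0] * x[2][1] - x[1][1] * x[2][0]))


def simulate(T=0.1, t_end=40.0, t_on=10.0, D=5.0, a=2.0, b=50.0,
             kp=0.04, ki=0.02, poles=(0.6, 0.6, 0.6), threshold=None):
    """Run plant + PI AQM + observer; inject the constant anomaly D at t_on.

    Returns the first alarm time (None if never raised), the final estimate
    d_hat, the final queue deviation and the final drop-probability deviation p.
    """
    threshold = D / 2.0 if threshold is None else threshold
    l1, l2, l3 = observer_gains(a, T, poles)
    alpha = 1.0 - a * T
    r = q = s = 0.0          # plant: rate deviation, queue deviation, AQM integrator
    rh = qh = dh = 0.0       # observer estimates of r, q, d
    k_on = int(round(t_on / T))
    t_alarm = None
    p = 0.0
    for k in range(int(round(t_end / T))):
        d = D if k >= k_on else 0.0      # constant anomaly: extra unresponsive load
        y = q                            # the router measures its own queue
        p = kp * y + ki * s              # AQM: PI law regulating q to its reference
        # Observer: same model, driven by the p the AQM applied, corrected by y - q_hat
        innov = y - qh
        rh, qh, dh = (alpha * rh - b * T * p + l1 * innov,
                      qh + T * rh + T * dh + l2 * innov,
                      dh + l3 * innov)
        # Plant (assumptions: no saturation of p, no round-trip delay, no noise)
        r, q, s = (alpha * r - b * T * p, q + T * r + T * d, s + T * y)
        if t_alarm is None and abs(dh) > threshold:
            t_alarm = (k + 1) * T
    return {"t_alarm": t_alarm, "d_hat": dh, "q": q, "p": p}


if __name__ == "__main__":
    res = simulate()
    print("first alarm at t = %s s, final d_hat = %.4f, queue = %.2e, p = %.4f"
          % (res["t_alarm"], res["d_hat"], res["q"], res["p"]))
```

Two properties of the page's argument show up directly. The observer consumes only y and the p the AQM applied, so its error dynamics do not depend on the control law: any AQM that keeps the loop stable and the queue regulated can be swapped in without retuning the estimator. And once the PI law has driven the queue back to its reference, the anomaly is no longer visible in q at all; it has moved into the steady-state drop probability (a*D/b in this toy model), which is why the drop probability must be fed to the observer rather than ignored. The model deliberately omits saturation of p in [0, 1], the round-trip delay and measurement noise; with noise, the alarm threshold and the observer poles trade detection delay against false alarms, the same trade-off the statistical methods face, now applied to a model residual instead of a raw traffic statistic.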

[1] Steven H. Low et al., An enhanced random early marking algorithm for Internet flow control, 2000, Proceedings IEEE INFOCOM 2000, Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[2] Rayadurgam Srikant et al., Analysis and design of an adaptive virtual queue (AVQ) algorithm for active queue management, 2001, SIGCOMM.

[3] Chunming Qiao et al., Advances in Active Queue Management (AQM) Based TCP Congestion Control, 2004, Telecommun. Syst.

[4] Christophe Diot et al., Diagnosing network-wide traffic anomalies, 2004, SIGCOMM.

[5] Vishal Misra et al., Adaptation in TCP/AQM Networks, 2003.

[6] V. Jacobson et al., Congestion avoidance and control, 1988, SIGCOMM CCR.

[7] Kevin Jeffay et al., The effects of active queue management on web performance, 2003, SIGCOMM '03.

[8] Fernando Paganini et al., Internet congestion control, 2002.

[9] S. Floyd and V. Jacobson, Random early detection gateways for congestion avoidance, 1993, IEEE/ACM Trans. Netw. (TNET).

[10] Vishal Misra et al., Fluid-based analysis of a network of AQM routers supporting TCP flows with an application to RED, 2000, SIGCOMM 2000.

[11] K. K. Ramakrishnan et al., A Proposal to add Explicit Congestion Notification (ECN) to IP, 1999, RFC.

[12] Ki Baek Kim, Design of feedback controls supporting TCP based on the state-space approach, 2006, IEEE Trans. Autom. Control.

[13] R. Srikant et al., Analysis and design of an adaptive virtual queue (AVQ) algorithm for active queue management, 2001, SIGCOMM '01.

[14] Donald F. Towsley et al., Analysis and design of controllers for AQM routers supporting TCP flows, 2002, IEEE Trans. Autom. Control.

[15] Balachander Krishnamurthy et al., Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites, 2002, WWW.

[16] Rayadurgam Srikant et al., The Mathematics of Internet Congestion Control, 2003.

[17] Vishal Misra et al., Fluid-based analysis of a network of AQM routers supporting TCP flows with an application to RED, 2000, SIGCOMM.

[18] John S. Heidemann et al., A framework for classifying denial of service attacks, 2003, SIGCOMM '03.

[19] Paul Barford et al., A signal analysis of network traffic anomalies, 2002, IMW '02.

[20] Nong Ye et al., A Markov Chain Model of Temporal Behavior for Anomaly Detection, 2000.

[21] Yann Labit et al., Design of Lyapunov based controllers as TCP AQM, 2007.

[22] Kihong Park et al., On the relationship between file sizes, transport protocols, and self-similar network traffic, 1996, Proceedings of the 1996 International Conference on Network Protocols (ICNP-96).

[23] Sophie Tarbouriech et al., Advances in Communication Control Networks, 2004.