Chaotic Models and Anomaly Detection for Complex Data Networks

Abstract: Our main goal was to detect and describe deterministic aspects of traffic behavior in data networks, in order to provide a basis for better detection of anomalous network activity. We also sought to characterize the robustness of complex data networks to (possibly malicious) perturbations, in order to help engineer against disruptions. Throughout this project we developed dynamical systems models for TCP network traffic on networks of increasing complexity, guided by real packet-level data and network simulation software. We also developed techniques for estimating the network state (e.g., router queue sizes and round-trip times of data flows) from packet-level data. We investigated methods for short-term prediction of "normal" network activity to use as a baseline for anomaly detection. We modeled peer-to-peer network activity and developed methods for detecting such activity. Finally, we examined the stability of TCP network dynamics and their response to perturbations that could be used as low-volume denial-of-service attacks. We found large-scale network dynamics to be robust to such perturbations, but identified mechanisms for localized disruptions.
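The abstract names two building blocks without showing them: estimating a flow's round-trip time from packet-level data, and predicting "normal" short-term behavior so that deviations can be flagged. The following is an added illustration of both, written for this page and not code from the project: the RTT estimator matches client data segments to the server ACKs that cover them (skipping retransmitted segments, whose ACKs cannot be attributed to one transmission), and the baseline predictor is the exponentially weighted mean and mean-deviation that TCP itself keeps as SRTT/RTTVAR (RFC 6298 gains). The `Packet` record layout, the host names `c` and `s`, the one-second trace, and the deviation threshold `k` are all assumptions made for the example; the project's own models and estimators are not reproduced here.

```python
"""Added example: RTT estimation from packet records plus a short-term
baseline predictor used to flag anomalous samples. Constructed illustration,
not code from the project described in the abstract."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """One TCP segment as recovered from a capture (field set is an assumption)."""
    t: float      # capture timestamp, seconds
    src: str      # sending host
    dst: str      # receiving host
    seq: int      # sequence number of the first payload byte
    length: int   # payload bytes (0 for a pure ACK)
    ack: int      # acknowledgement number carried by the segment


def estimate_rtts(packets: List[Packet], client: str, server: str) -> List[Tuple[float, float]]:
    """Per-ACK RTT samples for the client->server half of one flow.

    Each server ACK is matched to the most recently sent client segment whose last
    byte it covers; earlier segments retired by the same cumulative ACK get no
    sample, because a delayed ACK would inflate their RTT. A segment whose sequence
    range is seen twice is a retransmission and is never sampled (Karn's rule).
    Returns (ack_time, rtt) pairs in time order.
    """
    outstanding: Dict[int, float] = {}   # seq_end -> send time
    retransmitted: Set[int] = set()
    samples: List[Tuple[float, float]] = []
    for p in sorted(packets, key=lambda q: q.t):
        if p.src == client and p.dst == server and p.length > 0:
            end = p.seq + p.length
            if end in outstanding or end in retransmitted:
                retransmitted.add(end)       # ambiguous: drop the sample entirely
                outstanding.pop(end, None)
            else:
                outstanding[end] = p.t
        elif p.src == server and p.dst == client:
            covered = sorted(e for e in outstanding if e <= p.ack)
            if covered:
                samples.append((p.t, p.t - outstanding[covered[-1]]))
                for e in covered:
                    del outstanding[e]
    return samples


def detect_anomalies(samples, alpha=1 / 8, beta=1 / 4, k=4.0, warmup=3):
    """Flag samples that deviate from a short-term prediction of normal RTT.

    Predictor: exponentially weighted mean (srtt) and mean deviation (rttvar),
    the RFC 6298 smoothing with its default gains. A sample is flagged when it
    lies more than k*rttvar from the prediction, once `warmup` samples have been
    absorbed. Estimators are updated on every sample, flagged or not, so the
    baseline follows a genuine regime change instead of flagging it forever; the
    trade-off is that a burst of anomalies widens the band and can mask later ones.
    Returns (time, observed, predicted, band) tuples.
    """
    srtt = rttvar = None
    flagged = []
    for n, (t, r) in enumerate(samples):
        if srtt is None:
            srtt, rttvar = r, r / 2.0          # RFC 6298 initialisation
            continue
        band = k * max(rttvar, 1e-9)
        if n >= warmup and abs(r - srtt) > band:
            flagged.append((t, r, srtt, band))
        rttvar = (1 - beta) * rttvar + beta * abs(r - srtt)
        srtt = (1 - alpha) * srtt + alpha * r
    return flagged


def constructed_trace() -> List[Packet]:
    """Ten 1000-byte segments from 'c' to 's' one second apart, each ACKed 100 ms
    later, except: segment 5 is retransmitted 50 ms after the original, and the
    final segment's ACK arrives 500 ms late. Constructed data, not a real capture."""
    pkts: List[Packet] = []
    for i in range(10):
        seq = 1 + i * 1000
        pkts.append(Packet(t=float(i), src="c", dst="s", seq=seq, length=1000, ack=1))
        delay = 0.5 if i == 9 else 0.1
        pkts.append(Packet(t=i + delay, src="s", dst="c", seq=1, length=0, ack=seq + 1000))
    pkts.append(Packet(t=4.05, src="c", dst="s", seq=1 + 4 * 1000, length=1000, ack=1))
    return pkts


def run_example():
    """Estimate RTTs on the constructed trace and flag deviations from the baseline."""
    samples = estimate_rtts(constructed_trace(), client="c", server="s")
    return samples, detect_anomalies(samples)


if __name__ == "__main__":
    samples, flagged = run_example()
    print(f"{len(samples)} RTT samples (retransmitted segment excluded)")
    for t, r, pred, band in flagged:
        print(f"t={t:.2f}s rtt={r:.3f}s predicted={pred:.3f}s band=±{band:.4f}s")
```

On the constructed trace the retransmitted segment yields no sample, the eight clean samples tighten the deviation band to a few milliseconds, and the 500 ms ACK at t = 9.5 s is the only point flagged. The same predictor can be applied to any per-interval series recovered from packet data (queue delay, packet rate, flow counts); the choice of `k` and of the smoothing gains sets the false-positive rate and should be tuned against traffic the operator has already judged normal.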