Anomaly detection remains a poorly understood area where visual inspection and manual analysis play a significant role in the effectiveness of the detection technique. We observe traffic anomalies in two adjacent networks, namely GEANT and Abilene, in order to determine what parameters impact the detectability and the characteristics of anomalies. We correlate three weeks of traffic and routing data from both networks and apply Kalman filtering to detect anomalies that transit between the two networks. We show that differences in the monitoring infrastructure, network engineering practices, and anomaly-detection parameters have a large impact on anomaly detectability. Through a case study of three specific anomalies, we illustrate the influence of the traffic mix, IP address anonymization, detection methodology, and packet sampling on the detectability of traffic anomalies.