SYNERGY : Detecting and Diagnosing Correlated Network Anomalies

Network anomalies occur in operational networks and may be logged by a number of network measurement tools such as SNMP and NetFlow. However, accurate and efficient detection of these anomalies in the logged data is very challenging because of the huge data volume and the complex characteristics of anomalies. Existing approaches are limited by the nature of their underlying mathematical models and may be incapable of capturing some abnormal patterns. More importantly, existing approaches do not provide insight into the root causes or impact of the detected anomalies, which makes it hard for a network operator to troubleshoot network performance issues. In this paper, we design and prototype a novel system, SYNERGY, that can detect network anomalies with high confidence by correlating across multiple data sources. It can report the root causes and impact associated with the detected anomalies, which significantly facilitates the work of network operators. In addition, SYNERGY provides a great facility for anomaly detection research: it can serve as a general framework to evaluate the performance of different anomaly detection methods. We evaluate SYNERGY using data collected at a tier-1 ISP network and show that it performs very well compared to the manually identified anomalies found in operational practice. The methodology and algorithms in SYNERGY promise to be of immense use to network operations.
