Detecting Network Anomalies in Backbone Networks

Uncovering anomalies in large ISPs and enterprise networks is challenging because of the wide variety of such anomalies. They can come from activity with malicious intentions (e.g., scanning, DDoS, prefix hijacking), or from misconfigurations and failures of network components (e.g., link failures, routing problems, outages in measurement equipment). In the literature, the problem of detecting anomalies in the network traffic has often been seen as equivalent to the problem of detecting heavy changes (HCs) in some traffic descriptors. In this context a wide variety of approaches has been proposed. Nevertheless most of them analyzes the single traffic flows, resulting to be unscalable and thus not applicable in modern backbone networks. For this reason, in this work we have decided to analyze traffic aggregates, so as to obtain a more scalable system, and in more detail we have designed our system to work on the top of probabilistic structures, namely the sketches, that allow us to obtain a scalable real-time system (that analyzes the traffic flows after having randomly aggregated them), while simultaneously improving the detection rate of “classical” systems [1]. Give this substrate, our method is based on a statistical analysis of the distribution of the Heavy Hitters (HHs) [2] in the network traffic. The idea behind this approach is that the distribution of the big flows should change between normal and attacks period, especially in the case of DoS/DDoS attacks, network scans, and so on. Hence, in this work we present a novel method for network anomaly detection, based on the idea of discovering HC in the distribution of the HHs in the network traffic. To assess the validity of the proposed method, we have performed an extensive experimental evaluation phase, during which our system performance have been compared to a more “classical” HC-based approach.