Optimal volume anomaly detection and isolation in large-scale IP networks using coarse-grained measurements

To link to full-text access for this article, visit this link: http://dx.doi.org/10.1016/j.comnet.2010.01.013 Byline: P. Casas (a)(c), S. Vaton (a), L. Fillatre (b), I. Nikiforov (b) Keywords: Network Monitoring and Traffic Analysis; Traffic Matrix; Network Traffic Modeling; Optimal Volume Anomaly Detection and Isolation Abstract: Recent studies from major network technology vendors forecast the advent of the Exabyte era, a massive increase in network traffic driven by high-definition video and high-speed access technology penetration. One of the most formidable difficulties that this forthcoming scenario poses for the Internet is congestion problems due to traffic volume anomalies at the core network. In the light of this challenging near future, we develop in this work different network-wide anomaly detection and isolation algorithms to deal with volume anomalies in large-scale network traffic flows, using coarse-grained measurements as a practical constraint. These algorithms present well-established optimality properties in terms of false alarm and miss detection rate, or in terms of detection/isolation delay and false detection/isolation rate, a feature absent in previous works. This represents a paramount advantage with respect to current in-house methods, as it allows to generalize results independently of particular evaluations. The detection and isolation algorithms are based on a novel linear, parsimonious, and non-data-driven spatial model for a large-scale network traffic matrix. This model allows detecting and isolating anomalies in the Origin-Destination traffic flows from aggregated measurements, reducing the overhead and avoiding the challenges of direct flow measurement. Our proposals are analyzed and validated using real traffic and network topologies from three different large-scale IP backbone networks. Author Affiliation: (a) Telecom Bretagne, Brest, France (b) Universite de Technolgie de Troyes, Troyes, France (c) Universidad de la Republica, Montevideo, Uruguay Article History: Received 10 August 2009; Revised 13 January 2010; Accepted 23 January 2010 Article Note: (miscellaneous) Responsible Editor: A. Popescu