Speaker: Dr. Mark Crovella, Boston University
Abstract: Anomalies are unusual and significant changes in a network's traffic levels, which can often involve multiple links. Diagnosing anomalies is critical for both network operators and end users. It is a difficult problem because one must extract and interpret anomalous patterns from large amounts of high-dimensional, noisy data. Traditional anomaly detection in network traffic has been based on temporal analysis of traffic -- looking at traffic as a time series. However, this method presents considerable challenges due to the non-stationarity of network traffic.

In contrast, I will describe an anomaly detection method that looks at traffic spatially, rather than temporally, and show that it naturally overcomes challenges presented by non-stationarity. This method is based on a separation of the high-dimensional space occupied by a set of network traffic measurements into disjoint subspaces corresponding to normal and anomalous network conditions. This separation can be performed effectively using Principal Component Analysis. I will show examples of volume anomalies and then show that, starting from simple link measurements, the method can: (1) accurately detect when a volume anomaly is occurring; (2) correctly identify the underlying origin-destination (OD) flow which is the source of the anomaly; and (3) accurately estimate the amount of traffic involved in the anomalous OD flow. We evaluate the method's ability to diagnose (i.e., detect, identify, and quantify) both existing and synthetically injected volume anomalies in real traffic from two backbone networks. The method consistently diagnoses the largest volume anomalies, and does so with a very low false alarm rate.

Joint work with Anukool Lakhina and Christophe Diot.
Biography: Mark Crovella is Associate Professor of Computer Science at Boston University. He works in performance evaluation, measurement, and analysis of computer systems and networks. Recently he has focused on Internet measurement and traffic analysis. He is an editor for IEEE/ACM Transactions on Networking and Computer Communication Review, and a past editor of Computer Networks and IEEE Transactions on Computers. He was the Program Chair for the 2003 ACM SIGCOMM Internet Measurement Conference, and the General Chair of the 2005 Passive and Active Measurement Workshop.
Presented On: Friday, December 16, 2005
Videotape: http://kubrick.isr.umd.edu/~av/Mark.mov
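
The detect, identify and quantify steps named in the abstract can be sketched on constructed data; this is an added example, not code from the talk or its authors. The five-link topology, the traffic values, the one-component normal subspace and the median-multiple threshold on the squared prediction error are all assumptions made for illustration.

```python
import math, random
# Constructed topology: ROUTES[j] lists the links that OD flow j traverses.
ROUTES = [(0, 1), (1, 2, 3), (3, 4), (0, 2, 4)]
N_LINKS = 5

def synth_links(bins=96, t_a=70, flow_a=2, size=50.0, seed=1):
    """Constructed link counts: diurnal OD flows plus one injected volume anomaly."""
    rng, base = random.Random(seed), [100.0, 80.0, 60.0, 40.0]
    rows = []
    for t in range(bins):
        y = [0.0] * N_LINKS
        for j, links in enumerate(ROUTES):
            x = base[j] * (1 + 0.5 * math.sin(2 * math.pi * t / 24)) + rng.uniform(-2, 2)
            x += size if (t, j) == (t_a, flow_a) else 0.0
            for l in links:
                y[l] += x          # a link carries the sum of the flows routed over it
        rows.append(y)
    return rows

def dot(a, b):
    return sum(p * q for p, q in zip(a, b))

def residual(vec, pc):
    """Project vec onto the anomalous subspace (orthogonal to the normal component)."""
    s = dot(vec, pc)
    return [x - s * p for x, p in zip(vec, pc)]

def diagnose(rows, factor=20.0):
    """Return [(time bin, OD flow index, estimated extra traffic)] for flagged bins."""
    mean = [sum(col) / len(rows) for col in zip(*rows)]
    cen = [[x - m for x, m in zip(r, mean)] for r in rows]
    pc = [1.0] * N_LINKS           # power iteration for the first principal component
    for _ in range(100):
        w = [sum(dot(r, pc) * r[i] for r in cen) for i in range(N_LINKS)]
        n = math.sqrt(dot(w, w))
        pc = [x / n for x in w]
    res = [residual(r, pc) for r in cen]
    spe = [dot(r, r) for r in res]  # squared prediction error per time bin
    limit = factor * sorted(spe)[len(spe) // 2]   # assumed threshold: 20 x median
    found = []
    for t, r in enumerate(res):
        if spe[t] > limit:         # detection: residual energy is unusually large
            fits = []
            for j, links in enumerate(ROUTES):
                th = residual([float(l in links) for l in range(N_LINKS)], pc)
                f = dot(th, r) / dot(th, th)      # least-squares size for flow j
                fits.append((sum((a - f * b) ** 2 for a, b in zip(r, th)), j, f))
            found.append((t,) + min(fits)[1:])    # flow leaving the least unexplained
    return found
```

Calling `diagnose(synth_links())` returns one tuple naming the bin, the OD flow and the estimated size of the injected anomaly; only per-link totals are used as input, never the per-flow counts.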