In this paper, we present the design and implementation of a new approach to anomaly detection and classification over high-speed networks. The approach begins with a data reduction phase: flows are sampled, with the focus on short-lived flows. Selected per-flow descriptors, such as the number of SYN packets per flow, are then randomly aggregated into two data structures, a Count-Min Sketch and a Multi-Layer Reversible Sketch. A sequential change-point detection algorithm continuously monitors the sketch cell values and raises an alarm when a significant change is identified. With an appropriate choice of the combination of IP header fields used to identify a flow, we are able not only to detect an anomaly but also to classify it as DoS, DDoS or flash crowd, network scanning, or port scanning, and the reversible sketch lets us extract the culprit flows. We validate the framework on several real-world traffic traces and demonstrate its accuracy on these case studies. Results from an online implementation of the algorithm, running over measurements gathered by a DAG capture card, show good accuracy and response time. The approach is effective at detecting and classifying anomalies and at identifying the culprit flows with a high level of accuracy.
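The following is an added example, not code from the paper: a Count-Min sketch aggregates per-interval SYN counts under a chosen flow key, a one-sided CUSUM watches every sketch cell, and keys whose cells all alarm are reported as culprits. The paper recovers culprit keys from a reversible sketch; here the keys observed in the alarming interval are simply re-hashed, an assumption made to keep the example short. The sketch dimensions, CUSUM parameters (`k`, `h`, EWMA `alpha`) and the SYN trace are all constructed for illustration. Running the same trace keyed by destination address and then by source address shows how the flow key choice separates a distributed flood on one target from a single-source event.

```python
"""Sketch-based SYN-count change detection (added example; not the paper's code)."""
import hashlib


class CountMinSketch:
    def __init__(self, depth=4, width=64):
        self.depth, self.width = depth, width
        self.table = [[0] * width for _ in range(depth)]

    def index(self, key, row):
        # One hash per row, obtained by salting a single hash with the row number.
        digest = hashlib.blake2b(f"{row}:{key}".encode(), digest_size=8).digest()
        return int.from_bytes(digest, "big") % self.width

    def add(self, key, count=1):
        for row in range(self.depth):
            self.table[row][self.index(key, row)] += count

    def estimate(self, key):
        # Count-Min never underestimates; the row minimum is the tightest bound.
        return min(self.table[row][self.index(key, row)] for row in range(self.depth))


class CellCusum:
    """One-sided CUSUM per sketch cell against an EWMA baseline (assumed parameters)."""

    def __init__(self, depth, width, alpha=0.3, k=2.0, h=20.0):
        self.alpha, self.k, self.h = alpha, k, h          # k: allowed drift, h: alarm level
        self.mean = [[None] * width for _ in range(depth)]
        self.score = [[0.0] * width for _ in range(depth)]

    def update(self, sketch):
        alarmed = set()
        for r, row in enumerate(sketch.table):
            for c, x in enumerate(row):
                mu = self.mean[r][c]
                if mu is None:                    # first interval only trains the baseline
                    self.mean[r][c] = float(x)
                    continue
                s = max(0.0, self.score[r][c] + (x - mu - self.k))
                if s > self.h:
                    alarmed.add((r, c))
                    self.score[r][c] = 0.0        # reset, and keep the anomaly out of the baseline
                    continue
                self.score[r][c] = s
                self.mean[r][c] = (1 - self.alpha) * mu + self.alpha * x
        return alarmed


def detect(bins, key_fn, depth=4, width=64):
    """bins: per-interval lists of SYN packets; key_fn maps a packet to its flow key.

    Returns [(bin_index, [(culprit_key, estimated_syn_count), ...])] for alarming intervals.
    """
    cusum, alarms = CellCusum(depth, width), []
    for i, packets in enumerate(bins):
        sketch, keys = CountMinSketch(depth, width), set()
        for pkt in packets:
            key = key_fn(pkt)
            keys.add(key)
            sketch.add(key)
        alarmed = cusum.update(sketch)
        if not alarmed:
            continue
        # A key is a culprit only if the cell it hashes to alarmed in *every* row.
        culprits = sorted((k, sketch.estimate(k)) for k in keys
                          if all((r, sketch.index(k, r)) in alarmed for r in range(depth)))
        alarms.append((i, culprits))
    return alarms


def constructed_trace():
    """Constructed SYN trace: six quiet intervals, then a 200-source SYN flood on 10.0.0.9."""
    quiet = [{"src": f"192.168.1.{i}", "dst": f"10.0.0.{i}", "dport": 443}
             for i in range(1, 6) for _ in range(2)]
    flood = quiet + [{"src": f"203.0.113.{n}", "dst": "10.0.0.9", "dport": 80}
                     for n in range(1, 201)]
    return [list(quiet) for _ in range(6)] + [flood]


if __name__ == "__main__":
    trace = constructed_trace()
    print("keyed by dst:", detect(trace, lambda p: p["dst"]))   # the victim surfaces
    print("keyed by src:", detect(trace, lambda p: p["src"]))   # no single source stands out
```

Keyed by destination, the flood interval alarms and 10.0.0.9 is the only key whose cells alarm in all rows; keyed by source, the same 200 SYNs spread over 200 keys and no cell crosses the threshold. That asymmetry is the signal the paper uses to tell a distributed event (DDoS or flash crowd) from a single-source DoS or scan.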
In this paper we perform a statistical analysis of an Internet communication channel. Our study is based on a Hidden Markov Model (HMM). The channel switches between different states, and each state has its own probability that a packet sent by the transmitter will be lost. Transitions between channel states are governed by a Markov chain. This Markov chain is not observed directly, but the received packet flow provides probabilistic information about the current state of the channel, as well as about the parameters of the model. We detail algorithms for estimating the channel parameters and for inferring the state of the channel. We discuss the relevance of the Markov model of the channel and how many states are required to model a real communication channel adequately.
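As an added example (not the paper's code), the block below implements the state inference step for the smallest such model, a two-state Gilbert-Elliott loss channel: a forward filter computes the posterior probability that the channel is in its lossy state after each packet, and the resulting log-likelihood is compared with that of a one-state (memoryless) channel fitted to the same trace, which is the kind of comparison behind the question of how many states are needed. The transition, loss and initial probabilities and the packet trace are assumed values constructed for illustration.

```python
"""Two-state (Gilbert-Elliott) HMM of a lossy packet channel. Added example, not the paper's code."""
import math

# Hidden states: 0 = good, 1 = bad.  Observation per packet: 1 = received, 0 = lost.
TRANS = [[0.95, 0.05],     # P(next state | current state); row = current state (assumed)
         [0.20, 0.80]]
LOSS = [0.02, 0.50]        # P(packet lost | state) (assumed)
INIT = [0.90, 0.10]        # P(state before the first packet) (assumed)


def forward_filter(obs, trans=TRANS, loss=LOSS, init=INIT):
    """Forward algorithm with per-step normalisation.

    Returns (posteriors, loglik): posteriors[t][s] = P(state_t = s | obs[:t+1]),
    loglik = log P(obs) under the model.
    """
    n = len(init)
    prior, posteriors, loglik = list(init), [], 0.0
    for o in obs:
        joint = [prior[s] * (loss[s] if o == 0 else 1.0 - loss[s]) for s in range(n)]
        z = sum(joint)                              # P(obs_t | obs_<t)
        loglik += math.log(z)
        post = [j / z for j in joint]
        posteriors.append(post)
        # Propagate one step through the Markov chain to get the prior for the next packet.
        prior = [sum(post[i] * trans[i][j] for i in range(n)) for j in range(n)]
    return posteriors, loglik


def bad_intervals(posteriors, threshold=0.5):
    """Contiguous packet-index ranges where the filtered P(bad) exceeds the threshold."""
    intervals, start = [], None
    for t, post in enumerate(posteriors):
        if post[1] > threshold and start is None:
            start = t
        elif post[1] <= threshold and start is not None:
            intervals.append((start, t - 1))
            start = None
    if start is not None:
        intervals.append((start, len(posteriors) - 1))
    return intervals


def memoryless_loglik(obs):
    """Log-likelihood of a one-state (Bernoulli) channel with the trace's own loss rate."""
    lost = obs.count(0)
    p = lost / len(obs)
    if p in (0.0, 1.0):
        return 0.0
    return lost * math.log(p) + (len(obs) - lost) * math.log(1.0 - p)


# Constructed trace: 30 deliveries, a 10-packet burst with 7 losses, then 30 deliveries.
TRACE = [1] * 30 + [0, 0, 1, 0, 0, 0, 1, 0, 0, 0] + [1] * 30


def analyse(obs=TRACE):
    posteriors, hmm_ll = forward_filter(obs)
    return {
        "p_bad": [round(p[1], 3) for p in posteriors],
        "bad_intervals": bad_intervals(posteriors),
        "hmm_loglik": hmm_ll,
        "memoryless_loglik": memoryless_loglik(obs),
    }


if __name__ == "__main__":
    r = analyse()
    print("intervals classified as bad state:", r["bad_intervals"])
    print("log-likelihood, HMM vs memoryless: %.2f vs %.2f" % (r["hmm_loglik"], r["memoryless_loglik"]))
```

The filter flags the burst and lingers one packet past it (the first delivery after a burst is still more likely under the bad state), and the bursty trace is markedly more probable under the two-state model than under a memoryless channel with the same average loss rate. Parameter estimation itself (Baum-Welch) is not shown; the forward pass above is the building block it reuses.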
The dynamic and distributed nature of telecommunication networks complicates the design of model-based approaches to network fault diagnosis. Most model-based approaches assume that a model already exists and reduce it to a static image of the network; such models become obsolete as soon as the network changes. We propose a three-layer, self-reconfigurable, generic model for fault diagnosis in telecommunication networks. Layer 1 is an undirected graph modeling the network topology. Network behavior, also called fault propagation, is modeled in Layer 2 by a set of directed acyclic graphs interconnected through Layer 1. Uncertainty in fault propagation is handled by quantifying the strength of each dependency between Layer 2 nodes with conditional probability distributions estimated from data generated by the network. Layer 3 is the junction-tree representation of the Layer 2 Bayesian networks, which may contain loops; the junction tree is the computational layer for diagnosis, since exact inference algorithms designed for singly connected networks fail on loopy Bayesian networks. The generic model embeds self-reconfiguration capabilities that track changes in network topology and network behavior; we illustrate these capabilities through example scenarios. We apply the three-layer model to active self-diagnosis of the GPON-FTTH access network and present and analyze experimental diagnosis results obtained with a Python implementation of the model.