Presentation is loading. Please wait.

Presentation is loading. Please wait.

URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot.

Published byOlivia Dilley Modified over 10 years ago

Similar presentations

Presentation on theme: "URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot."— Presentation transcript:

1 URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot

2 URCA: Pulling out Anomalies by their Root Causes Presenter: Fernando Silveira UPMC and Technicolor Joint work with Christophe Diot Presented at INFOCOM 2010 – San Diego, USA

3 URCA: Pulling out Anomalies by their Root Causes Time Packet counts Traffic Anomaly Detection 3Friday, February 19, 2010 Traffic Data Alarm Anomaly Detector Anomaly Anomalous traffic

4 URCA: Pulling out Anomalies by their Root Causes Obtaining information about an anomaly’s cause. Automating root cause analysis is important… Manual analysis is tedious and error prone Study from Arbor Networks with 67 ISPs Average ISP observes ~ 19 anomalies/day … but it is also a hard problem. Most detectors do not provide any information beyond an alarm Root Cause Analysis of Traffic Anomalies 4Friday, February 19, 2010

5 URCA: Pulling out Anomalies by their Root Causes Anomaly detection methods with properties that facilitate root cause analysis tasks Anomaly classification Lakhina et al. - SIGCOMM’05 Based on clustering entropy residuals Limited to anomalies found in entropy Anomalous flow identification Schweller et al. - IMC’04, Li et al. - IMC’06 Based on reversible sketches Complexity of choosing and computing sketches Limited to anomalies found in sketches Related Work 5Friday, February 19, 2010

6 URCA: Pulling out Anomalies by their Root Causes Our Contribution 6Friday, February 19, 2010 URCA (Unsupervised Root Cause Analysis) a tool that finds an anomaly’s root cause can be used with different anomaly detectors It provides accurate and fast results: anomalies are analyzed as fast as they are detected (1-5 minutes)

7 URCA: Pulling out Anomalies by their Root Causes Outline 7Friday, February 19, 2010 Algorithms for URCA Performance Evaluation

8 URCA: Pulling out Anomalies by their Root Causes Source IPDestination IP Source PortDestination Port Source ASDestination AS Previous Hop ASNext Hop AS Incoming Router InterfaceOutgoing Router Interface 8 Our Approach Friday, February 19, 2010 URCA has two steps: anomalous flow identification root cause classification Our methods rely on flow features

9 URCA: Pulling out Anomalies by their Root Causes Step 1: Anomalous Flow Identification 9Friday, February 19, 2010 Traffic Data Alarm Anomaly Detector Filter 80/TCP 443/TCP 1614/TCP 22/TCP 53/UDP 25/TCP … Candidate Anomalous Flows Destination Port

10 URCA: Pulling out Anomalies by their Root Causes Flow Identification - Example 10Friday, February 19, 2010 Time Packet counts Output Interface (2 values) Destination AS (3 values) eth0 eth1 AS 3354 AS 1277 AS 2108 Candidate flows Normal flows Anomalous flows Normal flows Anomaly

11 URCA: Pulling out Anomalies by their Root Causes11 Visualizing Root Cause Flows Friday, February 19, 2010 Network scan Routing change

12 URCA: Pulling out Anomalies by their Root Causes Step 2: Root Cause Classification 12Friday, February 19, 2010 aaaabbccbc We compute metrics from each anomaly number of source IP’s, ASN’s, flow sizes, packet sizes, etc. Hierarchical Clustering known anomalies + 1 unknown Bootstrapping labels helped by visualization ?

13 URCA: Pulling out Anomalies by their Root Causes Outline 13Friday, February 19, 2010 Algorithms for URCA Performance Evaluation

14 URCA: Pulling out Anomalies by their Root Causes Traces from links in GEANT2 Anomalies obtained with the ASTUTE anomaly detector Experimental Methodology 14Friday, February 19, 2010

15 URCA: Pulling out Anomalies by their Root Causes Identification Accuracy - Trace A 15Friday, February 19, 2010

16 URCA: Pulling out Anomalies by their Root Causes Identification Accuracy - Traces B-F 16Friday, February 19, 2010 * 90-percentile averaged across traces

17 URCA: Pulling out Anomalies by their Root Causes Classification Accuracy - Trace A 17Friday, February 19, 2010 80% Correct 15% Misclass. 15% Misclassified = 5% first occurrences of an event type + 10% routing changes mistaken for link failures 5% require visualization

18 URCA: Pulling out Anomalies by their Root Causes What you’ll find in the paper: Algorithms for both identification and classification Experimental evaluation with 6 traces URCA can be applied to other anomaly detectors Ongoing and Future Work: URCA with an EWMA-based detector Using other sources of data (e.g., routing data) Wrapping Up 18Friday, February 19, 2010

19 URCA: Pulling out Anomalies by their Root Causes Special thanks to: DANTE / GEANT2 - http://www.geant2.net/ Ricardo Oliveira @ UCLA - http://irl.cs.ucla.edu/~rveloso/ More information at: http://www.thlab.net/~fernando/papers/urca.pdf http://www.thlab.net/~fernando/papers/astute.pdf The End 19Friday, February 19, 2010

20 URCA: Pulling out Anomalies by their Root Causes Backup Slides 20Friday, February 19, 2010

21 URCA: Pulling out Anomalies by their Root Causes21 Classification results for ASTUTE Friday, February 19, 2010

22 URCA: Pulling out Anomalies by their Root Causes22 Classifying the Unknown ASTUTE Anomalies Friday, February 19, 2010

23 URCA: Pulling out Anomalies by their Root Causes23 Results with EWMA Friday, February 19, 2010

Download ppt "URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot."

Similar presentations

Towards Data Mining Without Information on Knowledge Structure

Towards Data Mining Without Information on Knowledge Structure
Bellwork If you roll a die, what is the probability that you roll a 2 or an odd number? P(2 or odd) 2. Is this an example of mutually exclusive, overlapping,

Bellwork If you roll a die, what is the probability that you roll a 2 or an odd number? P(2 or odd) 2. Is this an example of mutually exclusive, overlapping,
Kapitel 21 Astronomie Autor: Bennett et al. Galaxienentwicklung Kapitel 21 Galaxienentwicklung © Pearson Studium 2010 Folie: 1.

Kapitel 21 Astronomie Autor: Bennett et al. Galaxienentwicklung Kapitel 21 Galaxienentwicklung © Pearson Studium 2010 Folie: 1.
Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.

Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 38.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 38.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Chapter 1 Image Slides Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Chapter 1 Image Slides Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Challenges in Making Tomography Practical

Challenges in Making Tomography Practical
Multihoming and Multi-path Routing

Multihoming and Multi-path Routing
1 Network-Level Spam Detection Nick Feamster Georgia Tech.

1 Network-Level Spam Detection Nick Feamster Georgia Tech.
Network Operations Research Nick Feamster

Network Operations Research Nick Feamster
Multihoming and Multi-path Routing

Multihoming and Multi-path Routing
Business Transaction Management Software for Application Coordination 1 www.choreology.com Business Processes and Coordination.

Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
15.082 and 6.855J Cycle Canceling Algorithm. 2 A minimum cost flow problem 1 24 35 10, $4 20, $1 20, $2 25, $2 25, $5 20, $6 30, $7 25 0 0 0-25.

and 6.855J Cycle Canceling Algorithm. 2 A minimum cost flow problem , $4 20, $1 20, $2 25, $2 25, $5 20, $6 30, $
Sketch-based Change Detection Balachander Krishnamurthy (AT&T) Subhabrata Sen (AT&T) Yin Zhang (AT&T) Yan Chen (UCB/AT&T) ACM Internet Measurement Conference.

Sketch-based Change Detection Balachander Krishnamurthy (AT&T) Subhabrata Sen (AT&T) Yin Zhang (AT&T) Yan Chen (UCB/AT&T) ACM Internet Measurement Conference.
Aditya Akella An Empirical Evaluation of Wide-Area Internet Bottlenecks Aditya Akella with Srinivasan Seshan and Anees Shaikh IMC 2003.

Aditya Akella An Empirical Evaluation of Wide-Area Internet Bottlenecks Aditya Akella with Srinivasan Seshan and Anees Shaikh IMC 2003.

Similar presentations

Ads by Google