Anomaly detection in VoIP and Ethernet traffic under presence of daily patterns Piotr Żuraniewski (UvA/TNO/AGH) Felipe Mata (UAM), Michel Mandjes (UvA),

1 Anomaly detection in VoIP and Ethernet traffic under presence of daily patterns Piotr Żuraniewski (UvA/TNO/AGH) Felipe Mata (UAM), Michel Mandjes (UvA), Marco Mellia (POLITO)

2 Changepoint detection
Changepoint detection: finding that current statistical description of data sample is no longer valid
Problem can be formulated in language of statistical hypothesis test

3 Benefits of changepoint detection
Deviation from normal system state can be detected (anomaly detection)
  – attack on ICT infrastructure (excessive number of TCP SYN packets)
  – failure (excessive/too low traffic volume)
  – Service Level Agreement not met (delay out of acceptable range)
Human experts empowered with additional tool

4 Benefits of statistics-based approach
Manual and on-line analysis of large data volumes may be infeasible
Visual inspection may be insufficient due to some hidden structures in data
Objective and unbiased opinion of human not always available
Possibility to control false alarm ratio/detection ratio

5 Problems
Changepoint detection procedures often assume independent observations
Real life: dependency is present
  – stochastic one (mind ‘fractal’ models)
  – deterministic (e.g., diurnal trends)
High dependency may ruin changepoint detection test

6 Possible solution
Estimate and remove trend from traffic
  – for VoIP traffic: try to exploit possible local Poissonian behavior
  – exploit periodicity
Only then apply changepoint detection procedure(s) to residuals
  – residuals should be (approx.) standard normal
  – anomaly: change from N(0,1) to N(m,s)

7 Traffic, trend, residuals (no nights)

8 Contribution
We have developed changepoint detection test able to detect simultaneous change in mean and variance for Gaussian input
We have numerically assessed sensitivity to deviation from independence assumption
  – our simple trend removal method may still leave some dependency in residuals

9 Synthetic Gaussian trace
Window of 50 observations presented to detector in sequential manner; delta – relative position of changepoint
True change from N(0,1) to N(3.07, 1.08^2) from window 152 on (Erlang: it would give 0.1% blocking prob.)
500 experiments, good performance

10 Dependent input
What if input to detection procedure is correlated?
Verification with generated AR(1) traces
Recall: {X_i} is AR(1) process if it follows
AR(1) autocorrelation (linear dependency measure) function is:

11 Correlated input – results

phi   mean false alarm ratio   detection ratio for window no. 152   false alarm ratio (regen.)
0     5.7%                     76.6%                                5.7%
0.2   10.1%                    77.9%                                5.3%
0.4   17.7%                    80.8%                                10.4%
0.6   27.2%                    85.9%                                17.9%
0.8   36.8%                    90.3%                                24.0%

Correlation results in performance degradation
Due to dependency, false alarm (FA) ratio in window k influences FA prob. in window k+1
To assess this effect, FA is calculated for fully regenerated sample
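An added example, not from the presentation: the slides do not give the authors' test, so this code substitutes a generalized likelihood ratio (GLR) test for a change from N(0,1) to N(m, s^2) inside a 50-observation window, calibrates its threshold by simulation on independent input, and then measures the false alarm ratio on freshly generated AR(1) windows. The minimum segment length, the 5% false alarm target and the unit-variance scaling of the AR(1) process are assumptions.

```python
import math
import random

WINDOW, MIN_SEG = 50, 5  # window length from the slides; MIN_SEG is an assumption

def glr_stat(x):
    """Return (max log-likelihood ratio, changepoint k): H0 all N(0,1), H1 x[k:] ~ N(m, s^2)."""
    best, best_k, s1, s2 = 0.0, None, 0.0, 0.0
    # Walk backwards so the suffix sums of x and x^2 update in O(1) per step.
    for k in range(len(x) - 1, -1, -1):
        s1 += x[k]
        s2 += x[k] * x[k]
        n = len(x) - k
        if n < MIN_SEG:
            continue
        var = max(s2 / n - (s1 / n) ** 2, 1e-12)  # MLE of s^2 on the suffix
        llr = 0.5 * (s2 - n - n * math.log(var))  # m and s replaced by their MLEs
        if llr > best:
            best, best_k = llr, k
    return best, best_k

def ar1_window(rng, phi, n=WINDOW):
    """AR(1) sample scaled to unit marginal variance; phi=0 gives i.i.d. N(0,1)."""
    x = [rng.gauss(0, 1)]
    scale = math.sqrt(1 - phi * phi)
    for _ in range(n - 1):
        x.append(phi * x[-1] + scale * rng.gauss(0, 1))
    return x

def calibrate(rng, alpha=0.05, trials=1000):
    """Monte Carlo threshold giving false alarm ratio alpha on i.i.d. N(0,1) windows."""
    stats = sorted(glr_stat(ar1_window(rng, 0.0))[0] for _ in range(trials))
    return stats[int((1 - alpha) * trials)]

def false_alarm_ratio(rng, phi, threshold, trials=1000):
    """Fraction of change-free windows flagged; every window is freshly generated."""
    hits = sum(glr_stat(ar1_window(rng, phi))[0] > threshold for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    rng = random.Random(1)  # constructed, seeded sample data
    thr = calibrate(rng)
    for phi in (0.0, 0.2, 0.4, 0.6, 0.8):
        print(f"phi={phi:.1f}  false alarm ratio={false_alarm_ratio(rng, phi, thr):.3f}")
    w = [rng.gauss(0, 1) for _ in range(30)] + [rng.gauss(3.07, 1.08) for _ in range(20)]
    print("changed window:", glr_stat(w), "threshold:", round(thr, 2))
```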

12 Real data example

13 Ethernet traffic
Poissonian assumption may be problematic
Mean and variance to be estimated
Less regularity
Periodic moving average and simple moving average?

14 Ethernet traffic (NREN)
Some traces show some regular patterns
[Figure: Bps (10 min. avg) vs. time (UNIX stamp)]

15 Trends

16

17 Residuals

18 Busy hour
The same model for day and night, working day and weekend may not be optimal in all cases
Now we focus on busy hour (8-15), no weekends

19 Residuals

20 Residuals – 1st part

21 Residuals 2nd part

22 Summary
We have extended anomaly-detection method developed for stationary VoIP traffic
Diurnal trends taken into consideration
Statistical framework as a basis but…
…practitioner’s perspective – simplifications – also considered
Other type of traffic – more challenges

