Measurement-Based Network Anomaly Diagnosis
Doctoral thesis
Permanent link
http://hdl.handle.net/11250/2360459
Publication date
2015
Abstract
With the rapid and tremendous growth of Internet-centric services, diagnosing
network anomalies that disrupt service quality has become increasingly important.
A plethora of techniques have been proposed to address the problem of anomaly
diagnosis in the Internet, and two general, yet complementary, approaches have been
followed: active and passive measurement-based anomaly diagnosis. The former
relies on injecting traffic while the latter captures existing traffic in the network in
order to detect anomalies and potentially identify their root cause. While each of
the proposed approaches has advantages, they suffer from various limitations. For
example, assessing service quality through anomalies detected in active measurement
is still a poorly understood problem. In addition, anomaly diagnosis techniques
through passive measurement may suffer from scalability issues due to the curse of
dimensionality in measurement data.
This thesis addresses some of these limitations by proposing new techniques and
methods for anomaly diagnosis in telecommunication networks through active and
passive measurement:
For active measurement, packet probes are collected and transformed into performance
signals where delay measurement is aggregated and averaged over equal time
intervals. Associated with aggregate loss time-series, anomalies are detected and
mapped into various service levels where service quality may degrade. Introducing
three newly-defined metrics, namely availability, stability and fatigue, service quality
is assessed for six measured Internet paths over three months of measurement.
Predicated on the detected quality degradation events, the set of nodes potentially
responsible for the anomalies is, additionally, identified through a low-complexity
compressed-sensing-based theory.
Regarding passive measurement, traffic histograms are analyzed and found to be
highly compressible using a lossy-compression technique called K-sparse approximation.
Motivated by the compressibility of traffic histograms, a new technique for anomaly
detection and root-cause analysis is proposed. In particular, a set of K feature values of
interest is first selected among the feature values of the traffic histograms. Then, a performance
signal per selected feature value is constructed where anomalies are detected.
Predicated on the detected anomalous time bins, the root cause of the anomalies is identified
using signature-based and machine-learning-based techniques.