Measurement-Based Network Anomaly Diagnosis
With the rapid and tremendous growth of Internet-centric services, diagnosing network anomalies that disrupt service quality has become increasingly important. A plethora of techniques have been proposed to address the problem of anomaly diagnosis in the Internet, and two general, yet complementary, approaches have been followed: active and passive measurement-based anomaly diagnosis. The former relies on injecting traffic, while the latter captures existing traffic in the network, in order to detect anomalies and potentially identify their root cause. While each of the proposed approaches has advantages, they suffer from various limitations. For example, assessing service quality through anomalies detected in active measurement is still a poorly understood problem. In addition, anomaly diagnosis techniques based on passive measurement may suffer from scalability issues due to the curse of dimensionality in measurement data. This thesis addresses some of these limitations by proposing new techniques and methods for anomaly diagnosis in telecommunication networks through active and passive measurement.

For active measurement, packet probes are collected and transformed into performance signals in which delay measurements are aggregated and averaged over equal time intervals. Together with the associated aggregate loss time series, these signals are used to detect anomalies, which are mapped to various service levels at which service quality may degrade. Using three newly defined metrics, namely availability, stability and fatigue, service quality is assessed for six measured Internet paths over three months of measurement. Based on the detected quality degradation events, the set of nodes potentially responsible for the anomalies is additionally identified through a low-complexity compressed-sensing-based theory.

Regarding passive measurement, traffic histograms are analyzed and found to be highly compressible using a lossy compression technique called K-sparse approximation. Motivated by the compressibility of traffic histograms, a new technique for anomaly detection and root-cause analysis is proposed. In particular, a set of K feature values of interest is first selected from among the feature values of the traffic histograms. Then, a performance signal is constructed for each selected feature value, and anomalies are detected in these signals. Based on the detected anomalous time bins, the root cause of the anomalies is identified using signature-based and machine-learning-based techniques.
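An added illustration of the passive-measurement pipeline summarized above (not code from the thesis): K feature values are taken from the K-sparse approximation of the aggregate histogram, one performance signal is built per value, and anomalous time bins are flagged. The port histograms are constructed sample data, and the median/MAD detector, its threshold and all function names are assumptions, since the abstract does not specify them.

```python
from collections import Counter
from statistics import median

# Constructed sample: destination-port histograms for 8 consecutive time bins.
BINS = [
    {443: 900, 80: 400, 53: 120, 22: 10, 8080: 5},
    {443: 920, 80: 390, 53: 118, 22: 12, 25: 3},
    {443: 880, 80: 410, 53: 125, 22: 9, 123: 4},
    {443: 910, 80: 405, 53: 121, 22: 11, 8080: 6},
    {443: 905, 80: 395, 53: 119, 22: 10, 25: 2},
    {443: 915, 80: 400, 53: 2400, 22: 12, 123: 5},
    {443: 895, 80: 402, 53: 122, 22: 10, 8080: 4},
    {443: 900, 80: 398, 53: 124, 22: 11, 25: 3},
]

def k_sparse(hist, k):
    """K-sparse approximation: keep the k largest bins, drop (zero) the rest."""
    top = sorted(hist.items(), key=lambda kv: (-kv[1], kv[0]))[:k]
    return dict(top)

def energy_kept(hist, approx):
    """Fraction of the squared L2 norm retained; near 1.0 means compressible."""
    total = sum(c * c for c in hist.values())
    return sum(c * c for c in approx.values()) / total if total else 1.0

def select_features(bins, k):
    """Feature values surviving the K-sparse approximation of the aggregate."""
    agg = Counter()
    for h in bins:
        agg.update(h)
    return sorted(k_sparse(agg, k))

def performance_signals(bins, features):
    """One time series per selected feature value: its count in each bin."""
    return {f: [h.get(f, 0) for h in bins] for f in features}

def anomalous_bins(signal, threshold=3.5):
    """Robust z-score (median/MAD); an assumed stand-in for the detector."""
    med = median(signal)
    mad = median(abs(x - med) for x in signal) or 1.0
    return [t for t, x in enumerate(signal) if 0.6745 * abs(x - med) / mad > threshold]

def detect(bins, k):
    """Map each selected feature value to the time bins flagged as anomalous."""
    signals = performance_signals(bins, select_features(bins, k))
    return {f: anomalous_bins(s) for f, s in signals.items()}

if __name__ == "__main__":
    print(detect(BINS, 3))
```

Tracking only K signals keeps the detector's cost independent of the number of distinct feature values, at the price of missing anomalies confined to values outside the selected set.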