Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Anomography Yin Zhang Joint work with Zihui Ge, Albert Greenberg, Matthew Roughan Internet Measurement.

Published byCameron Stanley Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Anomography Yin Zhang Joint work with Zihui Ge, Albert Greenberg, Matthew Roughan Internet Measurement."— Presentation transcript:

1 Network Anomography Yin Zhang yzhang@cs.utexas.edu yzhang@cs.utexas.edu Joint work with Zihui Ge, Albert Greenberg, Matthew Roughan Internet Measurement Conference 2005 Berkeley, CA, USA

2 2 Network Anomaly Detection Is the network experiencing unusual conditions? –Call these conditions anomalies –Anomalies can often indicate network problems DDoS, worms, flash crowds, outages, misconfigurations … –Need rapid detection and diagnosis Want to fix the problem quickly Questions of interest –Detection Is there an unusual event? –Identification What’s the best explanation? –Quantification How serious is the problem?

3 3 Network Anomography What we want –Volume anomalies [Lakhina04] Significant changes in an Origin-Destination flow, i.e., traffic matrix element What we have –Link traffic measurements –It is difficult to measure traffic matrix directly Network Anomography –Infer volume anomalies from link traffic measurements A B C

4 4 An Illustration Courtesy: Anukool Lakhina [Lakhina04]

5 5 Anomography = Anomalies + Tomography

6 6 Mathematical Formulation Problem: Infer changes in TM elements (x t ) given link measurements (b t ) Only measure at links 1 3 2 router route 1 route 3 route 2 link 2 link 1 link 3

7 7 Mathematical Formulation b t = A t x t (t=1,…,T) Typically massively under-constrained! Only measure at links 1 3 2 router route 1 route 3 route 2 link 2 link 1 link 3

8 8 Static Network Anomography Time-invariant A t (= A), B=[b 1 …b T ], X=[x 1 …x T ] Only measure at links 1 3 2 router route 1 route 3 route 2 link 2 link 1 link 3 B = AX

9 9 Anomography Strategies Early Inverse 1.Inversion –Infer OD flows X by solving b t =Ax t 2.Anomaly extraction –Extract volume anomalies X from inferred X Drawback: errors in step 1 may contaminate step 2 Late Inverse 1.Anomaly extraction –Extract link traffic anomalies B from B 2.Inversion –Infer volume anomalies X by solving b t =Ax t Idea: defer “lossy” inference to the last step     

10 10 Extracting Link Anomalies B Temporal Anomography: B = BT –ARIMA modeling Diff: f t = b t-1 b t = b t – f t EWMA: f t = (1-  ) f t-1 +  b t-1 b t = b t – f t –Fourier / wavelet analysis Link anomalies = the high frequency components –Temporal PCA PCA = Principal Component Analysis Project columns onto principal link column vectors Spatial Anomography: B = TB –Spatial PCA [Lakhina04] Project rows onto principal link row vectors     

11 11 Extracting Link Anomalies B Temporal Anomography: B = BT –Self-consistent Tomography equation: B = AX Post-multiply by T : BT = AXT B = AX Spatial Anomography: B = TB –No longer self-consistent    

12 12 Solving b t = A x t Pseudoinverse: x t = pinv(A) b t –Shortest minimal L 2 -norm solution Minimize |x t | 2 subject to |b t – A x t | 2 is minimal Maximize sparsity (i.e. minimize |x t | 0 ) –L 0 -norm is not convex  hard to minimize –Greedy heuristic Greedily add non-zero elements to x t Minimize |b t – A x t | 2 with given |x t | 0 –L 1 -norm approximation Minimize |x t | 1 (can be solved via LP) With noise  minimize |x t | 1 +  |b t -Ax t | 1                

13 13 Dynamic Network Anomography Time-varying A t is common –Routing changes –Missing data Missing traffic measurement on a link  setting the corresponding row of A t to 0 in b t =A t x t Solution –Early inverse: Directly applicable –Late inverse: Apply ARIMA modeling L 1 -norm minimization subject to link constraints –minimize |x t | 1 subject to x t = x t – x t-1, b t =A t x t, b t-1 =A t-1 x t-1 Reduce problem size by eliminating redundancy  

14 14 Performance Evaluation: Inversion Fix one anomaly extraction method Compare “real” and “inferred” anomalies –“real” anomalies: directly from OD flow data –“inferred” anomalies: from link data Order them by size –Compare the size How many of the top N do we find –Gives detection rate: | top N ”real”  top N inferred | / N

15 15 Inference Accuracy  Tier-1 ISP (10/6/04 – 10/12/04) Diff (b t =  b t = b t – b t-1 ) Sparsity-L1 works best among all inference techniques

16 16 Inference Accuracy detection rate = | top N real  top N inferred | / N  Tier-1 ISP (10/6/04 – 10/12/04) Diff (b t =  b t = b t – b t-1 ) Sparsity-L1 works best among all inference techniques

17 17 Impact of Routing Changes Tier-1 ISP (10/6/04 – 10/12/04) Diff (b t =  b t = b t – b t-1 )  Late inverse (sparsity-L1) beats early inverse (tomogravity)

18 18 Performance Evaluation: Anomography Hard to compare performance –Lack ground-truth: what is an anomaly? So compare events from different methods –Compute top M “benchmark” anomalies Apply an anomaly extraction method directly on OD flow data –Compute top N “inferred” anomalies Apply another anomography method on link data –Report min(M,N) - | top M benchmark  top N inferred | M  N  “false negatives” # big “benchmark” anomalies not considered big by anomography M  N  “false positives” # big “inferred” anomalies not considered big by benchmark method –Choose M, N similar to numbers of anomalies a provider is willing to investigate, e.g. 30-50 per week

19 19 Anomography: “False Negatives” Top 50 Inferred “False Negatives” with Top 30 Benchmark DiffEWMAH-WARIMAFourierWaveletT-PCAS-PCA Diff 0011551712 EWMA 0011551712 Holt-Winters 1100641812 ARIMA 1100641812 Fourier 3488171918 Wavelet 0122501311 T-PCA 14 19153 S-PCA 10 13 1511113 1.Diff/EWMA/H.-W./ARIMA/Fourier/Wavelet all largely consistent 2.PCA methods not consistent (even with each other) - PCA cannot detect anomalies in the “normal” subspace - PCA insensitive to reordering of [b 1 …b T ]  cannot utilize all temporal info 3.Spatial methods (e.g. spatial PCA) are not self-consistent

20 20 Anomography: “False Positives” Top 30 Inferred “False Positives” with Top 50 Benchmark DiffEWMAH-WARIMAFourierWaveletT-PCAS-PCA Diff 33666414 EWMA 3366751315 Holt-Winters 4411831310 ARIMA 4411831310 Fourier 6676261918 Wavelet 6666811312 T-PCA 17 2013014 S-PCA 18 20141 1.Diff/EWMA/H.-W./ARIMA/Fourier/Wavelet all largely consistent 2.PCA methods not consistent (even with each other) - PCA cannot detect anomalies in the “normal” subspace - PCA insensitive to reordering of [b 1 …b T ]  cannot utilize all temporal info 3.Spatial methods (e.g. spatial PCA) are not self-consistent

21 21 Summary of Results Inversion methods –Sparsity-L1 beats Pseudoinverse and Sparsity-Greedy –Late-inverse beats early-inverse Anomography methods –Diff/EWMA/H-W/ARIMA/Fourier/Wavelet all largely consistent –PCA methods not consistent (even with each other) PCA methods cannot detect anomalies in “normal” subspace PCA methods cannot fully exploit temporal information in {x t } –Reordering of [b 1 …b T ] doesn’t change results! –Spatial methods (e.g. spatial PCA) are not self-consistent Temporal methods are The method of choice: ARIMA + Sparsity-L1 Accurate, consistent with Fourier/Wavelet Robust against measurement noise, insensitive to choice of  Works well in the presence of missing data, routing changes Supports both online and offline analysis

22 22 Conclusions Anomography = Anomalies + Tomography –Find anomalies in {x t } given b t =A t x t (t=1,…,T) Contributions 1.A general framework for anomography methods –Decouple anomaly extraction and inference components 2.A number of novel algorithms –Taking advantage of the range of choices for anomaly extraction and inference components –Choosing between spatial vs. temporal approaches 3.The first algorithm for dynamic anomography 4.Extensive evaluation on real traffic data –6-month Abilene and 1-month Tier-1 ISP The method of choice: ARIMA + Sparsity-L1

23 23 Future Work Correlate traffic with other types of data –BGP routing events –Router CPU utilization Anomaly response –Maybe with an effective response system, false positives become less important? Anomography for performance diagnosis –Inference of link performance based on end-to-end measurements can be formulated as b t =Ax t Beyond networking –Detecting anomalies in other inverse problems –Are we just reinventing the wheel?

24 24 Thank you !

Download ppt "Network Anomography Yin Zhang Joint work with Zihui Ge, Albert Greenberg, Matthew Roughan Internet Measurement."

Similar presentations

Challenges in Making Tomography Practical

Challenges in Making Tomography Practical
Principal Component Analysis Based on L1-Norm Maximization Nojun Kwak IEEE Transactions on Pattern Analysis and Machine Intelligence, 2008.

Principal Component Analysis Based on L1-Norm Maximization Nojun Kwak IEEE Transactions on Pattern Analysis and Machine Intelligence, 2008.
A KTEC Center of Excellence 1 Pattern Analysis using Convex Optimization: Part 2 of Chapter 7 Discussion Presenter: Brian Quanz.

A KTEC Center of Excellence 1 Pattern Analysis using Convex Optimization: Part 2 of Chapter 7 Discussion Presenter: Brian Quanz.
Detecting DDoS Attacks on ISP Networks Ashwin Bharambe Carnegie Mellon University Joint work with: Aditya Akella, Mike Reiter and Srinivasan Seshan.

Detecting DDoS Attacks on ISP Networks Ashwin Bharambe Carnegie Mellon University Joint work with: Aditya Akella, Mike Reiter and Srinivasan Seshan.
Structured Sparse Principal Component Analysis Reading Group Presenter: Peng Zhang Cognitive Radio Institute Friday, October 01, 2010 Authors: Rodolphe.

Structured Sparse Principal Component Analysis Reading Group Presenter: Peng Zhang Cognitive Radio Institute Friday, October 01, 2010 Authors: Rodolphe.
The General Linear Model Or, What the Hell’s Going on During Estimation?

The General Linear Model Or, What the Hell’s Going on During Estimation?
Zonotopes Techniques for Reachability Analysis Antoine Girard Workshop “Topics in Computation and Control” March 27 th 2006, Santa Barbara, CA, USA

Zonotopes Techniques for Reachability Analysis Antoine Girard Workshop “Topics in Computation and Control” March 27 th 2006, Santa Barbara, CA, USA
SIGCOMM 2003 Making Intra-Domain Routing Robust to Changing and Uncertain Traffic Demands: Understanding Fundamental Tradeoffs David Applegate Edith Cohen.

SIGCOMM 2003 Making Intra-Domain Routing Robust to Changing and Uncertain Traffic Demands: Understanding Fundamental Tradeoffs David Applegate Edith Cohen.
Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1, Augustin Soule 2, Jennifer Rexford.

Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1, Augustin Soule 2, Jennifer Rexford.
1 Communication-Efficient Online Detection of Network-Wide Anomalies Ling Huang* XuanLong Nguyen* Minos Garofalakis § Joe Hellerstein* Michael Jordan*

1 Communication-Efficient Online Detection of Network-Wide Anomalies Ling Huang* XuanLong Nguyen* Minos Garofalakis § Joe Hellerstein* Michael Jordan*
Bayesian Robust Principal Component Analysis Presenter: Raghu Ranganathan ECE / CMR Tennessee Technological University January 21, 2011 Reading Group (Xinghao.

Bayesian Robust Principal Component Analysis Presenter: Raghu Ranganathan ECE / CMR Tennessee Technological University January 21, 2011 Reading Group (Xinghao.
Robust Network Compressive Sensing Lili Qiu UT Austin NSF Workshop Nov. 12, 2014.

Robust Network Compressive Sensing Lili Qiu UT Austin NSF Workshop Nov. 12, 2014.
Forwarding Redundancy in Opportunistic Mobile Networks: Investigation and Elimination Wei Gao 1, Qinghua Li 2 and Guohong Cao 3 1 The University of Tennessee,

Forwarding Redundancy in Opportunistic Mobile Networks: Investigation and Elimination Wei Gao 1, Qinghua Li 2 and Guohong Cao 3 1 The University of Tennessee,
Towards Unbiased End-to-End Network Diagnosis Name: Kwan Kai Chung Student ID:05133720 Date: 18/3/2007.

Towards Unbiased End-to-End Network Diagnosis Name: Kwan Kai Chung Student ID: Date: 18/3/2007.
Sampling algorithms for l 2 regression and applications Michael W. Mahoney Yahoo Research (Joint work with P. Drineas.

Sampling algorithms for l 2 regression and applications Michael W. Mahoney Yahoo Research (Joint work with P. Drineas.
1 In-Network PCA and Anomaly Detection Ling Huang* XuanLong Nguyen* Minos Garofalakis § Michael Jordan* Anthony Joseph* Nina Taft § *UC Berkeley § Intel.

1 In-Network PCA and Anomaly Detection Ling Huang* XuanLong Nguyen* Minos Garofalakis § Michael Jordan* Anthony Joseph* Nina Taft § *UC Berkeley § Intel.
1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.

1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.
Traffic Engineering With Traditional IP Routing Protocols

Traffic Engineering With Traditional IP Routing Protocols
NetQuest: A Flexible Framework for Internet Measurement Lili Qiu Joint work with Mike Dahlin, Harrick Vin, and Yin Zhang UT Austin.

NetQuest: A Flexible Framework for Internet Measurement Lili Qiu Joint work with Mike Dahlin, Harrick Vin, and Yin Zhang UT Austin.
Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.

Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.

Similar presentations

Ads by Google