The early detection of applications associated with TCP flows is an essential step for network security and traffic engineering. The classic way to identify flows, i.e. looking at port numbers, is not effective anymore. On the other hand, state-of-the-art techniques cannot determine the application before the end of the TCP flow. In this editorial, we propose a technique that relies on the observation of the first five packets of a TCP connection to identify the application. This result opens a range of new possibilities for online traffic classification.
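The following is an added illustration of the idea behind early classification, not code from the paper: a flow is represented by the direction-signed payload sizes of its first five data-carrying packets (the TCP handshake and pure ACKs carry no payload and are skipped), and a new flow is assigned to the nearest per-application centroid, or rejected as unknown when no centroid is close enough. The training signatures, the packet traces and the acceptance radius (twice the largest training distance) are all constructed for the example; they are not measurements and the original work's clustering is not reproduced here.

```python
import math

N_PACKETS = 5   # number of payload-carrying packets used as the flow signature

# Constructed training flows (illustrative, not measurements): for each
# application a few signatures of signed payload sizes,
# positive = client to server, negative = server to client.
TRAINING_FLOWS = {
    "http": [[320, -1460, -1460, -1460, -900],
             [300, -1460, -1460, -1460, -700],
             [340, -1460, -1460, -1460, -1100]],
    "ssh":  [[-24, 24, -800, 700, 140],
             [-22, 26, -760, 680, 140],
             [-24, 24, -820, 720, 144]],
    "smtp": [[-60, 18, -180, 30, -40],
             [-58, 16, -170, 28, -36],
             [-64, 20, -190, 34, -40]],
}


def signature(packets):
    """Signed sizes of the first N_PACKETS payload-carrying packets of a flow.

    packets: list of (direction, payload_len) seen so far, direction 'c' or 's'.
    Handshake and pure-ACK segments (payload 0) are skipped. Returns None while
    the flow has not yet produced enough data packets, so the caller can keep
    buffering and classify as soon as the fifth data packet arrives."""
    sig = []
    for direction, size in packets:
        if size == 0:
            continue
        sig.append(size if direction == "c" else -size)
        if len(sig) == N_PACKETS:
            return sig
    return None


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def train(flows, slack=2.0):
    """Per-application centroid plus an acceptance radius: slack times the
    largest distance of a training signature to its own centroid (assumed
    heuristic for rejecting flows that belong to no trained application)."""
    model = {}
    for app, sigs in flows.items():
        centroid = [sum(col) / len(sigs) for col in zip(*sigs)]
        radius = slack * max(distance(s, centroid) for s in sigs)
        model[app] = (centroid, radius)
    return model


def classify(model, packets):
    """Application label, 'unknown' if no centroid is within its radius,
    or None if the flow is still too short to classify."""
    sig = signature(packets)
    if sig is None:
        return None
    app, (centroid, radius) = min(model.items(),
                                  key=lambda kv: distance(sig, kv[1][0]))
    return app if distance(sig, centroid) <= radius else "unknown"


MODEL = train(TRAINING_FLOWS)

# Constructed packet traces, each starting with the three-way handshake.
HTTP_TRACE = [("c", 0), ("s", 0), ("c", 0), ("c", 300), ("s", 1460),
              ("s", 1460), ("s", 1460), ("s", 1200)]
SMTP_TRACE = [("c", 0), ("s", 0), ("c", 0), ("s", 62), ("c", 18),
              ("s", 185), ("c", 30), ("s", 40)]
CHATTY_TRACE = [("c", 0), ("s", 0), ("c", 0), ("c", 60), ("s", 60),
                ("c", 60), ("s", 60), ("c", 60)]

if __name__ == "__main__":
    for name, trace in [("http", HTTP_TRACE), ("smtp", SMTP_TRACE),
                        ("chatty", CHATTY_TRACE)]:
        print(name, "->", classify(MODEL, trace))
    print("after 5 packets ->", classify(MODEL, HTTP_TRACE[:5]))
```

The unknown class matters in practice: a nearest-centroid rule without a radius will label every new protocol as whichever trained application happens to be closest, so an unrecognised flow should be reported as such rather than forced into a known label.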
Detecting anomalous traffic is a crucial part of managing IP networks. In recent years, network-wide anomaly detection based on Principal Component Analysis (PCA) has emerged as a powerful method for detecting a wide variety of anomalies. We show that tuning PCA to operate effectively in practice is difficult and requires more robust techniques than have been presented thus far. We analyze a week of network-wide traffic measurements from two IP backbones (Abilene and Geant) across three different traffic aggregations (ingress routers, OD flows, and input links), and conduct a detailed inspection of the feature time series for each suspected anomaly. Our study identifies and evaluates four main challenges of using PCA to detect traffic anomalies: (i) the false positive rate is very sensitive to small differences in the number of principal components in the normal subspace, (ii) the effectiveness of PCA is sensitive to the level of aggregation of the traffic measurements, (iii) a large anomaly may inadvertently pollute the normal subspace, (iv) correctly identifying which flow triggered the anomaly detector is an inherently challenging problem.
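As an added illustration of the subspace method and of challenges (i) and (iii), and not code or data from the paper: a constructed link-load matrix (48 hourly bins, 6 links) is built from two diurnal patterns plus a small periodic wobble, with a single spike injected on link 4 at bin 30. The normal subspace is the span of the top-k principal components of the covariance (found by power iteration with deflation), the squared prediction error (SPE) of a bin is its energy outside that subspace, and a bin is flagged when its SPE exceeds ten times the median SPE. That threshold, the synthetic traffic and the spike are assumptions of this example, not the paper's settings.

```python
import math

T_BINS, N_LINKS, T0, ANOM_LINK = 48, 6, 30, 4


def build_traffic(anomaly_size):
    """Constructed link-load matrix (T_BINS rows x N_LINKS columns).

    Links 0-2 follow one diurnal pattern, links 3-5 another, with different
    scales; a small periodic wobble plays the role of noise, and a spike of
    anomaly_size is added on ANOM_LINK at bin T0. Not real backbone data."""
    scales = [1.0, 0.8, 0.6, 0.5, 0.4, 0.3]
    rows = []
    for t in range(T_BINS):
        row = []
        for i in range(N_LINKS):
            phase = 2 * math.pi * t / 24
            pattern = math.sin(phase) if i < 3 else math.cos(phase)
            load = 10.0 + scales[i] * pattern + 0.05 * math.sin(7 * t + i)
            if t == T0 and i == ANOM_LINK:
                load += anomaly_size
            row.append(load)
        rows.append(row)
    return rows


def center(y):
    means = [sum(col) / len(y) for col in zip(*y)]
    return [[v - m for v, m in zip(row, means)] for row in y]


def covariance(yc):
    n = len(yc[0])
    return [[sum(r[i] * r[j] for r in yc) / len(yc) for j in range(n)]
            for i in range(n)]


def top_eigenvectors(c, k, iters=500):
    """Top-k eigenvectors of the symmetric matrix c, by power iteration;
    each found component is deflated so the next iteration finds the next one."""
    n = len(c)
    vecs = []
    for _component in range(k):
        v = [1.0 + 0.1 * i for i in range(n)]
        for _it in range(iters):
            w = [sum(c[i][j] * v[j] for j in range(n)) for i in range(n)]
            norm = math.sqrt(sum(x * x for x in w))
            v = [x / norm for x in w]
        lam = sum(v[i] * sum(c[i][j] * v[j] for j in range(n)) for i in range(n))
        c = [[c[i][j] - lam * v[i] * v[j] for j in range(n)] for i in range(n)]
        vecs.append(v)
    return vecs


def spe(yc, vecs):
    """Squared prediction error per bin: energy outside the normal subspace."""
    out = []
    for row in yc:
        proj = [0.0] * len(row)
        for v in vecs:
            coef = sum(a * b for a, b in zip(row, v))
            proj = [p + coef * vi for p, vi in zip(proj, v)]
        out.append(sum((a - b) ** 2 for a, b in zip(row, proj)))
    return out


def analyse(anomaly_size, k, factor=10.0):
    """Run the detector with k normal components; returns the flagged bins,
    the SPE at the spike bin and the median SPE (factor * median is the
    assumed threshold)."""
    yc = center(build_traffic(anomaly_size))
    errs = spe(yc, top_eigenvectors(covariance(yc), k))
    median = sorted(errs)[len(errs) // 2]
    flagged = {t for t, e in enumerate(errs) if e > factor * median}
    return {"flagged": flagged, "spe_t0": errs[T0], "median": median}


if __name__ == "__main__":
    print("small spike, k=2:", analyse(3.0, 2))   # spike stands out
    print("small spike, k=3:", analyse(3.0, 3))   # one more component hides it
    print("large spike, k=2:", analyse(20.0, 2))  # spike pollutes the normal subspace
```

With two components the normal subspace holds the two diurnal patterns and the spike shows up in the residual. Adding a single extra component (challenge i) lets the spike's own direction into the normal subspace, and so does making the spike large enough that its direction carries more variance than a diurnal pattern (challenge iii); in both cases the anomalous bin is no longer flagged, and in the large-spike case the displaced diurnal pattern also inflates the residual of every normal bin.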
In this work we develop a new approach to monitoring origin-destination flows in a large network. We start by building a state space model for OD flows that is rich enough to fully capture temporal and spatial correlations. We apply a Kalman filter to our linear dynamic system that can be used for both estimation and prediction of traffic matrices. We call our system a traffic matrix tracker due to its lightweight mechanism for temporal updates that enables tracking traffic matrix dynamics at small time scales. Our Kalman filter approach allows us to go beyond traffic matrix estimation in that our single system can also carry out traffic prediction and yield confidence bounds on the estimates, the predictions and the residual error processes. We show that these elements provide key functionalities needed by monitoring systems of the future for carrying out anomaly detection. Using real data collected from a Tier-1 ISP, we validate our model, illustrate that it can achieve low errors, and that our method is adaptive on both short and long timescales.
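The following is an added sketch of the predict/update cycle such a tracker runs, written for this page and not the authors' system or data. It assumes a constructed three-link, two-flow topology with a full-rank routing matrix (real traffic matrices are underdetermined, which is exactly why the state-space model matters), a random-walk model for each OD flow, fixed process and measurement noise covariances, and bounded deterministic pseudo-noise on the link loads. The residual (innovation) is normalised by its predicted covariance, which gives the confidence bound used to flag a bin as anomalous; the threshold of 16 is roughly the 99.9% point of a chi-square distribution with three degrees of freedom, one per link.

```python
import math

ANOMALY_T = 30   # bin from which OD flow 0 carries an extra 40 (constructed anomaly)

# Constructed topology: link 0 carries OD flow 0, link 1 carries OD flow 1,
# link 2 carries both. Full-rank for clarity; not the paper's Tier-1 network.
A = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0]]
C = [[1.0, 0.0], [0.0, 1.0]]                              # assumed random-walk dynamics
Q = [[4.0, 0.0], [0.0, 4.0]]                              # assumed process noise
R = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]   # assumed measurement noise


def mat_mul(x, y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*y)] for row in x]


def mat_add(x, y):
    return [[a + b for a, b in zip(r, s)] for r, s in zip(x, y)]


def mat_sub(x, y):
    return [[a - b for a, b in zip(r, s)] for r, s in zip(x, y)]


def transpose(x):
    return [list(col) for col in zip(*x)]


def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]


def inverse(m):
    """Gauss-Jordan inverse with partial pivoting (small matrices only)."""
    n = len(m)
    aug = [row[:] + identity(n)[i] for i, row in enumerate(m)]
    for i in range(n):
        pivot = max(range(i, n), key=lambda r: abs(aug[r][i]))
        aug[i], aug[pivot] = aug[pivot], aug[i]
        p = aug[i][i]
        aug[i] = [v / p for v in aug[i]]
        for r in range(n):
            if r != i:
                f = aug[r][i]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[i])]
    return [row[n:] for row in aug]


def true_flows(t):
    """Constructed OD flows: slow diurnal variation, plus a level shift of +40
    on flow 0 from ANOMALY_T onwards. Column vectors (2x1)."""
    f0 = 100.0 + 10.0 * math.sin(2 * math.pi * t / 24) + (40.0 if t >= ANOMALY_T else 0.0)
    f1 = 60.0 + 5.0 * math.cos(2 * math.pi * t / 24)
    return [[f0], [f1]]


def pseudo_noise(t, link):
    """Deterministic pseudo-random value in [-1, 1) from a small LCG."""
    s = (1103515245 * (t * 3 + link + 1) + 12345) % 2 ** 31
    s = (1103515245 * s + 12345) % 2 ** 31
    return s / 2 ** 30 - 1.0


def measure(t):
    """Link loads y = A x plus measurement noise (constructed)."""
    y = mat_mul(A, true_flows(t))
    return [[y[i][0] + pseudo_noise(t, i)] for i in range(len(y))]


def kalman_step(x, P, y):
    """One predict/update cycle. Returns the new estimate, its covariance and
    the normalised innovation r^T S^-1 r used as the anomaly score."""
    x_pred = mat_mul(C, x)                                        # prediction
    P_pred = mat_add(mat_mul(mat_mul(C, P), transpose(C)), Q)
    r = mat_sub(y, mat_mul(A, x_pred))                            # innovation
    S = mat_add(mat_mul(mat_mul(A, P_pred), transpose(A)), R)     # its covariance
    S_inv = inverse(S)
    K = mat_mul(mat_mul(P_pred, transpose(A)), S_inv)             # Kalman gain
    x_new = mat_add(x_pred, mat_mul(K, r))
    P_new = mat_mul(mat_sub(identity(len(x)), mat_mul(K, A)), P_pred)
    score = mat_mul(mat_mul(transpose(r), S_inv), r)[0][0]
    return x_new, P_new, score


def run_tracker(steps=48, threshold=16.0):
    """Track the OD flows over `steps` bins. Returns per-bin tuples
    (estimate of flow 0, estimate of flow 1, 1-sigma bound on flow 0)
    and the set of bins whose innovation score exceeded the threshold."""
    x, P = [[0.0], [0.0]], [[1e4, 0.0], [0.0, 1e4]]   # vague prior
    estimates, flagged = [], set()
    for t in range(steps):
        x, P, score = kalman_step(x, P, measure(t))
        estimates.append((x[0][0], x[1][0], math.sqrt(P[0][0])))
        if score > threshold:
            flagged.add(t)
    return estimates, flagged


if __name__ == "__main__":
    est, flags = run_tracker()
    print("flagged bins:", sorted(flags))
    print("estimate at bin 20:", est[20], "true:", true_flows(20)[0][0])
```

Because the filter absorbs most of a level shift in the update that first sees it, a persistent shift is flagged once, at its onset, and the tracker then follows the new level; a one-bin spike would be flagged twice, at its rise and at its fall. With C equal to the identity the one-step prediction equals the current estimate and its variance is P + Q, which is where the prediction bounds come from.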