Abstract
We consider the problem of detecting link loss anomalies from end-to-end measurements using network tomography. Network tomography provides an alternative to traditional means of network monitoring by inferring link-level performance characteristics from end-to-end measurements. Existing network tomography solutions, however, insist on characterizing the performance of all the links, which introduces unnecessary delays for anomaly detection due to the need of collecting all the measurements at a central location. We address this problem by developing a distributed detection scheme that integrates detection into the measurement fusion process by testing anomalies at the level of minimal identifiable link sequences (MILSs). We develop efficient methods to configure the proposed detection scheme such that its false alarm probability satisfies a given bound. Meanwhile, we provide analytical bounds on the detection probability and the detection delay. We then extend our solution to further improve the detection performance by designing the probing and fusion process. Our evaluations on real topologies verify that the proposed scheme significantly outperforms both centralized detection based on link parameters inferred by traditional network tomography and distributed detection based on raw end-to-end measurements.
- S. Ahuja, S. Ramasubramanian, and M. Krunz. SRLG failure localization in optical networks. IEEE/ACM Transations on Networking, 19(4):989-999, Auguest 2011. Google ScholarDigital Library
- Y. Bejerano and R. Rastogi. Robust monitoring of link delays and faults in IP networks. In IEEE INFOCOM, 2003.Google ScholarCross Ref
- G. Casella and R. L. Berger. Statistical Inference. Duxbury, 2002.Google Scholar
- R. Castro, M. Coates, G. Liang, R. Nowak, and B. Yu. Network tomography: recent developments. Statistical Science, 2004.Google ScholarCross Ref
- A. Chen, J. Cao, and T. Bu. Network tomography: Identifiability and Fourier domain estimation. In IEEE INFOCOM, 2007.Google ScholarDigital Library
- Y. Chen, D. Bindel, and R. H. Katz. An algebraic approach to practical and scalable overlay network monitoring. In ACM SIGCOMM, 2004. Google ScholarDigital Library
- G. Casella and R. L. Berger. Statistical Inference. Duxbury, 2002.Google Scholar
- M. Coates, A. O. Hero, R. Nowak, and B. Yu. Internet tomography. IEEE Signal Processing Magzine, 19:47-65, 2002.Google ScholarCross Ref
- N. Duffield. Simple network performance tomography. In ACM SIGCOMM conference on Internet measurement, 2003. Google ScholarDigital Library
- N. Duffield. Network tomography of binary network performance characteristics. IEEE Transactions on Information Theory, 52(12):5373-5388, December 2006. Google ScholarDigital Library
- J. Edmonds. Matroids and the greedy algorithm. Mathematical Programming, 1, 1971. Google ScholarDigital Library
- J. D. Esary, F. Proschan, and D. W. Walkup. Association of random variables with applications. The Annals of Mathematical Statistics, 38(5), October 1967.Google ScholarCross Ref
- G. H. Golub and C. F. Van-Loan. Matrix Computations. The Johns Hopkins University Press, Baltimore and London, 1996. Google ScholarDigital Library
- A. Gopalan and S. Ramasubramanian. On identifying additive link metrics using linearly independent cycles and paths. IEEE/ACM Transactions on Networking, 20(3), June 2012. Google ScholarDigital Library
- Y. Gu, G. Jiang, V. Singh, and Y. Zhang. Optimal probing for unicast network delay tomography. In IEEE INFOCOM, 2010. Google ScholarDigital Library
- O. Gurewitz and M. Sidi. Estimating one-way delays from cyclic-path delay measurements. In IEEE INFOCOM, 2001.Google ScholarCross Ref
- T. He, C. Liu, A. Swami, D. Towsley, T. Salonidis, A. Bejan, and P. Yu. Fisher information-based experiment design for network tomography. In ACM SIGMETRICS, 2015. Google ScholarDigital Library
- J. D. Horton and A. Lpez-Ortiz. On the number of distributed measurement points for network tomography. In ACM SIGCOMM conference on Internet measurement, 2003. Google ScholarDigital Library
- R. Kompella, J. Yates, A. G. Greenberg, and A. C. Snoeren. Detection and localization of network black holes. In IEEE INFOCOM, 2007. Google ScholarDigital Library
- L. Ma, T. He, K. K. Leung, A. Swami, and D. Towsley. Identifiability of link metrics based on end-to-end path measurements. In ACM IMC, 2013. Google ScholarDigital Library
- L. Ma, T. He, K. K. Leung, A. Swami, and D. Towsley. Inferring link metrics from end-to-end path measurements: Identifiability and monitor placement. IEEE/ACM Transactions on Networking, 22(4):1351-1368, June 2014. Google ScholarDigital Library
- L. Ma, T. He, K. K. Leung, D. Towsley, and A. Swami. Efficient identification of additive link metrics via network tomography. In IEEE ICDCS, 2013. Google ScholarDigital Library
- L. Ma, T. He, A. Swami, D. Towsley, and K. Leung. On optimal monitor placement for localizing node failures via network tomography. Elsevier Performance Evaluation, 91:16-37, September 2015. Google ScholarDigital Library
- L. Ma, T. He, A. Swami, D. Towsley, K. Leung, and J. Lowe. Node failure localization via network tomography. In ACM IMC, 2014. Google ScholarDigital Library
- A. Markopoulou, G. Iannaccone, S. Bhattacharyya, C.-N. Chuah, and C. Diot. Characterization of failures in an IP backbone. In IEEE INFOCOM, 2004.Google ScholarCross Ref
- H. X. Nguyen and P. Thiran. The boolean solution to the congested IP link location problem: Theory and practice. In IEEE INFOCOM, 2007. Google ScholarDigital Library
- V. N. Padmanabhan, L. Qiu, and H. Wang. Server-based inference of internet link lossiness. In IEEE INFOCOM, April 2003.Google ScholarCross Ref
- D. Pollard. Convergence of Stochastic Processes. Springer-Verlag, 1984.Google ScholarCross Ref
- N. Spring, R. Mahajan, and D. Wetherall. Measuring ISP topologies with Rocketfuel. In ACM SIGCOMM, August 2002. Google ScholarDigital Library
- P. Tan and C. Drossos. Invariance properties of maximum likelihood estimators. Mathematics Magazine, 48(1), January 1975.Google ScholarCross Ref
- H. L. V. Trees. Detection, estimation, and modulation theory. JohnWiley&Sons, 2004.Google Scholar
- G. Casella and R. L. Berger. Statistical Inference. Duxbury, 2002.Google Scholar
- B. Xi, G. Michailidis, and V. Nair. Estimating network loss rates using active tomography. Journal of the American Statistical Association, 101(476):1430-1448, December 2006.Google ScholarCross Ref
- H. Zeng, P. Kazemian, G. Varghese, and N. McKeown. Automatic test packet generation. In ACM CoNEXT, 2012. Google ScholarDigital Library
- Y. Zhao, Y. Chen, and D. Bindel. Towards unbiased end-to-end network diagnosis. In ACM SIGCOMM, 2006. Google ScholarDigital Library
Index Terms
- Distributed Link Anomaly Detection via Partial Network Tomography
Recommendations
Robust Anomaly Detection and Localization via Simulated Anomalies
VRCAI '22: Proceedings of the 18th ACM SIGGRAPH International Conference on Virtual-Reality Continuum and its Applications in IndustryAnomaly detection refers to identifying abnormal images and localizing anomalous regions. Reconstruction-based anomaly detection is a commonly used method; however, traditional reconstruction-based methods perform poorly as deep models generalize ...
Two-stage anomaly detection algorithm via dynamic community evolution in temporal graph
AbstractDetecting anomalies from a massive amount of user behavioral data is often liken to finding a needle in a haystack. While tremendous efforts have been devoted to anomaly detection from temporal graphs, existing studies rarely consider community ...
Optimizing network anomaly detection scheme using instance selection mechanism
GLOBECOM'09: Proceedings of the 28th IEEE conference on Global telecommunicationsNetwork anomaly detection is a classically difficult research topic in intrusion detection. However, existing research has been solely focused on the detection algorithm. An important issue that has not been well studied so far is the selection of ...
Comments