Network-Wide Traffic Analysis: Methods and Applications
Main author: | |
---|---|
Format: | Thesis |
Language: | en_US |
Publication details: | Boston University, 2007 |
Subjects: | |
Online access: | http://ir.vnulib.edu.vn/handle/123456789/1499 |
Abstract: | To attack this problem we adopt the general strategy of seeking low-dimensional approximations that preserve important traffic properties. Our starting point, and the first contribution of this dissertation, is to demonstrate that accurate low-dimensional approximations of network traffic often exist. We show that network-wide traffic measurements that exhibit as many as hundreds of dimensions can be approximated well using a much smaller set of dimensions (for example, fewer than ten). This observation of low effective dimensionality is key, and provides leverage on a number of problems related to network operations.
In particular, low effective dimensionality leads us to make use of subspace methods. These methods systematically exploit the low dimensionality of multi-feature traffic flows to capture network-wide normal behavior and to expose anomalous events that span a network. We consider two basic kinds of anomalies: volume anomalies and general anomalies. Volume anomalies are unusual and significant changes in a network's traffic levels that can often involve multiple links, while general anomalies include a range of unusual events that do not necessarily disturb traffic volume, such as port scans, network scans, user experiments and high-rate flows. Our second contribution is to show that in the case of volume anomalies, by applying subspace methods to simple traffic measurements from all links, one can: (1) accurately detect when a volume anomaly is occurring; (2) correctly identify the underlying origin-destination (OD) traffic flow which is the source of the anomaly; and (3) accurately estimate the amount of traffic involved in the anomalous OD flow.
In the case of general anomalies, we show that the distributions of packet features (IP addresses and ports) observed in network-wide flow traces reveal both the presence and the nature of a wide range of anomalies. Our third contribution is to show that by using entropy as a summarization tool, network-wide analysis of feature distributions leads to significant advances on two fronts: (1) it enables highly sensitive detection of a wide range of anomalies, augmenting detections by volume-based methods, and (2) it enables automatic classification of anomalies via unsupervised learning. We show that using feature distributions, anomalies naturally fall into distinct and meaningful clusters, which can be used to automatically classify anomalies and to uncover new anomaly types.
Finally, our fourth contribution concerns methods for estimating traffic matrices from readily available link traffic. We show that in settings where partial flow measurements are possible, the low dimensionality of traffic flows can be exploited to transform the ill-posed matrix estimation problem into a problem that is amenable to direct solution methods. We conclude that multivariate traffic analysis methods show considerable promise as tools for a wide range of current challenges in network analysis. |
---|