Machine Learning, Data Mining and Big Data Frameworks for Network Monitoring and Troubleshooting
Machine learning, data mining and Big Data frameworks for network monitoring and troubleshooting

Alessandro D'Alconzo (AIT, Austrian Institute of Technology, Vienna, Austria; corresponding author, [email protected]), Pere Barlet-Ros (UPC BarcelonaTech, Barcelona, Spain; [email protected]), Kensuke Fukuda (National Institute of Informatics, Tokyo, Japan; [email protected]), David Choffnes (Northeastern University, Boston, USA; [email protected])

Preprint submitted to Computer Networks, June 22, 2016

1. Introduction

The scale and the complexity of the Internet have dramatically increased in the last few years. At the same time, Internet services are becoming increasingly complex with the introduction of cloud infrastructures, Content Delivery Networks (CDNs) and mobile Internet usage. This complexity will continue to grow in the future with the rise of Machine-to-Machine communication and ubiquitous wearable devices. In this scenario it becomes even more compelling and challenging to design scalable network traffic monitoring and analysis tools able to shed light on the complex interplay between network infrastructure and the traffic profiles generated by a continuously growing number of applications.

Current and future network monitoring frameworks cannot rely only on information gathered at a single network interconnect, but must consolidate information from various vantage points distributed across the network. Many systems for the extraction of operational statistics from computer network interconnects have been designed and implemented in the last decades. Those systems generate huge amounts of data in various formats and granularities from several vantage points and devices, ranging from packet-level data to statistics about whole flows and system logs. However, despite recent major advances in Big Data analysis frameworks, their application to the network traffic monitoring and analysis domain remains poorly understood and investigated.

Furthermore, critical applications such as the detection of anomalies, network attacks and intrusions require fast mechanisms for online analysis of thousands of events per second, as well as efficient techniques for offline analysis of massive historical data. Statistical modeling, data mining and machine learning-based techniques able to detect, characterize and troubleshoot network anomalies and security incidents promise to efficiently shed light on this enormous amount of data. Nonetheless, the unprecedented size of the data at hand poses new performance and scalability challenges to traditional methods and tools.

The purpose of this special issue is to bring together state-of-the-art studies proposing novel scalable techniques and frameworks capable of collecting and analyzing massive datasets of network traffic traces and performance measurements, along with novel methodologies and techniques able to extract information from the gathered data for the purpose of tackling typical networking problems such as performance characterization, security and troubleshooting.

Out of 40 submissions, 8 articles have been selected after at least two review rounds. All papers have received at least three reviews from experts in the different areas, including network measurements, traffic analysis, data mining and machine learning. In addition, the two best papers (on topics related to the Special Issue) of the 8th International Workshop on Traffic Monitoring and Analysis (TMA'16, tma.ifip.org/2016/) have been accepted in their extended version, after peer review. The Special Issue consists of 10 papers organized in four groups: (I) Frameworks and methodologies, (II) Security and troubleshooting, (III) Distributed measurements for network characterization, and (IV) Network applications characterization.

The first part of the special issue is devoted to frameworks and methodologies to collect, process and analyze big datasets obtained from monitoring large-scale networks. In fact, when considering passively collecting and then processing network traffic traces, the need to analyze raw data at several Gbps and to extract higher-level indexes from the stream of packets poses typical big data-like challenges.

In DBStream: A Holistic Approach to Large-Scale Network Traffic Monitoring and Analysis, A. Bär et al. present DBStream, a holistic approach to large-scale network monitoring and analysis applications. They show how its Continuous Execution Language (CEL) can be used to automate several data processing and analysis tasks typical for monitoring operational ISP networks. The paper discusses the performance of DBStream as compared to MapReduce processing engines and shows how intelligent job scheduling can increase its performance even further. Furthermore, the paper shows the versatility of DBStream by explaining how it has been integrated to import and process data from two passive network monitoring systems, namely METAWIN and Tstat. Finally, multiple examples of network monitoring applications are given, ranging from simple statistical analysis to more complex traffic classification tasks applying machine learning techniques using the Weka toolkit.

In Statistical Network Monitoring: Methodology and Application to Carrier-Grade NAT, E. Bocchi et al. engineer a methodology to extract, collect and process passive traffic traces. In particular, they design and implement analytics that, based on a filtering process and on the building of empirical distributions, enable the comparison between two generic collections, e.g., data gathered from two different vantage points, from different populations, or at different times. The ultimate goal is to highlight statistically significant differences that could be useful to flag incidents for the network manager. As a use case, the authors apply the proposed methodology to assess the impact of Carrier-Grade NAT (CGN), a technology that Internet Service Providers (ISPs) deploy to limit the usage of expensive public IP addresses. They process a large dataset of passive measurements collected from an ISP using CGN for part of its customers, extract detailed per-flow information, derive higher-level statistics, and finally look for statistically significant differences in the connectivity and performance figures of customers being offered public or private addresses.

The second part of the special issue addresses typical network management tasks such as troubleshooting and security.

Growing network complexity mandates automated tools and methodologies for troubleshooting. In Framework, Models and Controlled Experiments for Network Troubleshooting, F. Espinet et al. follow a crowd-sourcing approach and argue for the need to deploy measurement probes at the edge of the network, which can be either under the control of the users (e.g., end-user devices) or of the ISP (e.g., home gateways), and that raises an interesting tradeoff. They define a framework for network troubleshooting and its implementation as open source software named NetProbes. In data mining terms, depending on the amount of information available to the probes (e.g., ISP topology), they formalize the network troubleshooting task as either a clustering or a classification problem. In networking terms, these algorithms allow, respectively, end users to assess the severity of the network performance degradation, and ISPs to precisely identify the faulty link. Both problems are solved with an algorithm that achieves perfect classification under the assumption of a strategic selection of probes (e.g., assisted by an ISP), and the authors assess its performance degradation under a naive random selection.

The increasing number of attacks against computing infrastructure, which is of critical importance for enterprises, drives the need to deploy progressively more sophisticated defense solutions to protect network assets. An essential component of the defense is the Intrusion Detection System (IDS), which searches for evidence of ongoing malicious activities (network attacks) in the network traffic crossing the defense perimeter. Many intrusion detection systems are implemented as ensembles of relatively simple, yet heterogeneous detectors, where some of them can be specialized to particular types of intrusions, whereas others can be general anomaly detectors capable of detecting previously unseen attacks at the expense of higher false alarm rates. M. Grill and T. Pevný present, in Learning Combination of Anomaly Detectors for Security Domain, a novel technique for finding a convex combination of the outputs of anomaly detectors that maximizes the accuracy in the τ-quantile of the most anomalous samples. Such an approach better reflects the needs of the security domain, in which the subsequent analysis of alarms is costly and can be done only on a small number of alarms. An extensive experimental evaluation and comparison to prior art using real network data on two existing intrusion detection systems shows that the proposed

[...] lies on understanding the prevalent network coverage profiles. Correlating these coverage profiles with network performance metrics is of great importance both for regulators and operators in order to forestall disturbances for applications running on top of mobile broadband (MBB) networks. For this purpose, the authors deploy custom measurement nodes on board five Norwegian inter-city trains and collect a unique geo-tagged dataset along the train routes. Then
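The Bocchi et al. methodology summarized above (filter the per-flow measurements, build the empirical distributions of two collections, and flag a statistically significant difference for the network manager) is illustrated by the following added example. It is this editor's code, not the paper's: the two-sample Kolmogorov-Smirnov distance and the permutation test are an assumed choice of statistic, the filtering rule is assumed, and the per-flow RTT samples for customers with public addresses and for customers behind the CGN are constructed, not measured.

```python
"""Flag statistically significant differences between two collections of
measurements by comparing their empirical distributions.
Added example in the spirit of Bocchi et al.; the KS distance, the permutation
test and the filtering rule are assumed choices, and the samples below are
constructed, not measurements from the paper."""
import random
from bisect import bisect_right


def clean(samples, timeout_ms=5000.0):
    """Filtering step (assumed rule): drop failed handshakes (non-positive RTT)
    and samples at or beyond the timeout, which carry no latency information."""
    return [x for x in samples if 0.0 < x < timeout_ms]


def ks_statistic(a, b):
    """Largest gap between the empirical CDFs of a and b (0 = identical, 1 = disjoint)."""
    a, b = sorted(a), sorted(b)
    distance = 0.0
    for x in sorted(set(a) | set(b)):
        # bisect_right(s, x) / len(s) is the empirical CDF F_s(x)
        gap = abs(bisect_right(a, x) / len(a) - bisect_right(b, x) / len(b))
        distance = max(distance, gap)
    return distance


def permutation_pvalue(a, b, rounds=500, seed=0):
    """Permutation test: how often does a random relabelling of the pooled
    samples reach a KS distance at least as large as the observed one?"""
    rng = random.Random(seed)
    observed = ks_statistic(a, b)
    pooled = list(a) + list(b)
    n = len(a)
    hits = 0
    for _ in range(rounds):
        rng.shuffle(pooled)
        if ks_statistic(pooled[:n], pooled[n:]) >= observed:
            hits += 1
    # the observed split counts as one draw, so the estimate is never exactly 0
    return observed, (hits + 1) / (rounds + 1)


def compare_collections(a, b, alpha=0.01, seed=0):
    """Filter both collections, then return the KS distance, its permutation
    p-value and whether the difference should be flagged at level alpha."""
    distance, p_value = permutation_pvalue(clean(a), clean(b), seed=seed)
    return {"ks": distance, "p_value": p_value, "significant": p_value < alpha}


# Constructed samples (not from the paper): per-flow TCP handshake RTTs in ms
# for customers with public addresses and for customers behind the CGN.
_sample_rng = random.Random(42)
PUBLIC_RTT_MS = [_sample_rng.gauss(40.0, 8.0) for _ in range(300)]
CGN_RTT_MS = [_sample_rng.gauss(48.0, 8.0) for _ in range(300)]

if __name__ == "__main__":
    print(compare_collections(PUBLIC_RTT_MS, CGN_RTT_MS))
    print(compare_collections(PUBLIC_RTT_MS, PUBLIC_RTT_MS))
```

The same two functions apply unchanged to the other comparisons the paper mentions (two vantage points, two populations, or the same population at two points in time); only the two input collections change. The permutation test avoids relying on the asymptotic KS distribution, which matters when the filtered collections are small or the samples are not independent.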
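The Grill and Pevný idea summarized above (choose a convex combination of detector outputs that maximizes accuracy in the τ-quantile of the most anomalous samples, because only that small top slice will ever be analyzed) is illustrated by the following added example. It is not the paper's algorithm or data: the exhaustive grid search over the weight simplex is an assumed optimizer, the detector scores are assumed to already lie on a common [0, 1] scale, and the three detectors (two specialized ones and one uninformative one) and their scores are constructed.

```python
"""Pick a convex combination of anomaly-detector outputs that maximizes the
precision among the tau-quantile of the most anomalous samples.
Added example in the spirit of Grill and Pevny; the simplex grid search and the
constructed detector scores are this editor's, not the paper's."""
import random
from itertools import product


def top_quantile_precision(scores, labels, tau):
    """Share of true anomalies (label 1) among the round(tau * n) highest scores.
    This is the only part of the ranking an analyst will actually look at."""
    n = len(scores)
    k = max(1, round(tau * n))
    order = sorted(range(n), key=lambda i: scores[i], reverse=True)
    return sum(labels[i] for i in order[:k]) / k


def combine(weights, detector_scores):
    """Convex combination: weighted sum of the per-detector score vectors."""
    n = len(detector_scores[0])
    return [sum(w * d[i] for w, d in zip(weights, detector_scores)) for i in range(n)]


def simplex_grid(dims, steps):
    """All weight vectors with entries in {0, 1/steps, ..., 1} that sum to 1."""
    for combo in product(range(steps + 1), repeat=dims):
        if sum(combo) == steps:
            yield tuple(c / steps for c in combo)


def best_convex_combination(detector_scores, labels, tau, steps=10):
    """Exhaustive search over the simplex grid (assumed optimizer) for the
    weights that maximize top-quantile precision; returns (weights, precision)."""
    best_w, best_p = None, -1.0
    for w in simplex_grid(len(detector_scores), steps):
        p = top_quantile_precision(combine(w, detector_scores), labels, tau)
        if p > best_p:
            best_w, best_p = w, p
    return best_w, best_p


# Constructed data (not from the paper): 200 samples, 10 of them attacks.
# Samples 0-4 are attacks of type A, 5-9 of type B, the rest benign.
_rng = random.Random(7)
N, TAU = 200, 0.05
LABELS = [1] * 10 + [0] * (N - 10)
# Detector A fires on type A only, detector B on type B only; benign traffic
# gets a moderate score from both. Detector C is pure noise.
DET_A = [0.95] * 5 + [0.10] * 5 + [_rng.uniform(0.0, 0.4) for _ in range(N - 10)]
DET_B = [0.10] * 5 + [0.95] * 5 + [_rng.uniform(0.0, 0.4) for _ in range(N - 10)]
DET_C = [_rng.random() for _ in range(N)]
DETECTORS = [DET_A, DET_B, DET_C]

if __name__ == "__main__":
    for name, det in (("A", DET_A), ("B", DET_B), ("C", DET_C)):
        print(name, top_quantile_precision(det, LABELS, TAU))
    print(best_convex_combination(DETECTORS, LABELS, TAU))
```

Each specialized detector alone fills half of the top-5% slice with benign traffic, because the attacks it is blind to score below ordinary background. The search finds weights that put both specialized detectors in the mix and drive the noise detector's weight down, which is exactly the behaviour the τ-quantile objective rewards and a plain average of all detectors would not.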