URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot.

URCA: Pulling out Anomalies by their Root Causes

Fernando Silveira and Christophe Diot



Presenter: Fernando Silveira

UPMC and Technicolor

Joint work with Christophe Diot

Presented at INFOCOM 2010 – San Diego, USA


Time

Pack

et

cou

nts

Traffic Anomaly Detection

3 Friday, February 19, 2010

TrafficData

AlarmAnomalyDetector

AnomalyAnomaloustraffic


Obtaining information about an anomaly’s cause.

Automating root cause analysis is important… Manual analysis is tedious and error prone Study from Arbor Networks with 67 ISPs

Average ISP observes ~ 19 anomalies/day

… but it is also a hard problem. Most detectors do not provide any information beyond an alarm

Root Cause Analysis of Traffic Anomalies



Anomaly detection methods with properties that facilitate root cause analysis tasks

Anomaly classification Lakhina et al. - SIGCOMM’05 Based on clustering entropy residuals Limited to anomalies found in entropy

Anomalous flow identification Schweller et al. - IMC’04, Li et al. - IMC’06 Based on reversible sketches Complexity of choosing and computing sketches Limited to anomalies found in sketches

Related Work



Our Contribution


URCA (Unsupervised Root Cause Analysis) a tool that finds an anomaly’s root cause can be used with different anomaly detectors

It provides accurate and fast results: anomalies are analyzed as fast as they are detected (1-5

minutes)


Outline


Algorithmsfor URCA

PerformanceEvaluation


8

Source IP Destination IP

Source Port Destination Port

Source AS Destination AS

Previous Hop AS Next Hop AS

Incoming Router Interface

Outgoing Router Interface

Our Approach

Friday, February 19, 2010

URCA has two steps: anomalous flow identification root cause classification

Our methods rely on flow features


Step 1: Anomalous Flow Identification


TrafficData

AlarmAnomalyDetector

Filter

80/TCP

443/TCP

1614/TCP

22/TCP

53/UDP

25/TCP

…

Candidate Anomalous

Flows

Destination Port


Flow Identification - Example


Time

Pack

et

cou

nts

Output Interface (2 values)Destination AS (3 values)

eth0

eth1

AS 3354

AS 1277

AS 2108Candidate

flows

Normalflows

Anomalousflows

Normalflows

Anomaly


11

Visualizing Root Cause Flows


Network scan

Routing change


Step 2: Root Cause Classification


a a a a b b c cb c

We compute metrics from each anomaly number of source IP’s, ASN’s, flow sizes, packet sizes, etc.

Hierarchical Clustering known anomalies + 1 unknown

Bootstrapping labels helped by visualization

?


Outline


Algorithmsfor URCA

PerformanceEvaluation


Traces from links in GEANT2

Anomalies obtained with the ASTUTE anomaly detector

Experimental Methodology


Trace Duration Anomalies Ground Truth

A 1 month 93 Manual labeling

B

3 months

519

AnomalyInjection

C 329

D 386

E 1099

F 680


Identification Accuracy - Trace A



Identification Accuracy - Traces B-F


* 90-percentile averaged across traces

Anomaly type Missed * Extra *

Distributed DoS attack 10.3% 4.1%

Network scan 4.9% 0%

Port scan 0% 0%

Link failure 0% 0%

Upstream Routing Change 14.7% 0%

Downstream Routing Change

2.9% 0%


Classification Accuracy - Trace A


80%Correct

15%Misclass.

15% Misclassified =

5% first occurrences of an event type+10% routing changes mistaken for link failures

5% requirevisualization


What you’ll find in the paper:

Algorithms for both identification and classification Experimental evaluation with 6 traces URCA can be applied to other anomaly detectors

Ongoing and Future Work:

URCA with an EWMA-based detector Using other sources of data (e.g., routing data)

Wrapping Up



Special thanks to:

DANTE / GEANT2 - http://www.geant2.net/ Ricardo Oliveira @ UCLA - http://irl.cs.ucla.edu/~rveloso/

More information at:

http://www.thlab.net/~fernando/papers/urca.pdf http://www.thlab.net/~fernando/papers/astute.pdf

The End



Backup Slides



21

Classification results for ASTUTE



22

Classifying the Unknown ASTUTE Anomalies



23

Results with EWMA


URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot.

Documents

Transcript of URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot.