Distributed link anomaly detection via partial network tomography

Research output: Contribution to journal › Conference article

Abstract

We consider the problem of detecting link loss anomalies from end-to-end measurements using network tomography. Network tomography provides an alternative to traditional means of network monitoring by inferring link-level performance characteristics from end-to-end measurements. Existing network tomography solutions, however, insist on characterizing the performance of all the links, which introduces unnecessary delays for anomaly detection due to the need of collecting all the measurements at a central location. We address this problem by developing a distributed detection scheme that integrates detection into the measurement fusion process by testing anomalies at the level of minimal identifiable link sequences (MILSs). We develop efficient methods to configure the proposed detection scheme such that its false alarm probability satisfies a given bound. Meanwhile, we provide analytical bounds on the detection probability and the detection delay. We then extend our solution to further improve the detection performance by designing the probing and fusion process. Our evaluations on real topologies verify that the proposed scheme significantly outperforms both centralized detection based on link parameters inferred by traditional network tomography and distributed detection based on raw end-to-end measurements.

Original language: English (US)
Pages (from-to): 29-42
Number of pages: 14
Journal: Performance Evaluation Review
Volume: 45
Issue number: 3
DOIs: 10.1145/3199524.3199532
State: Published - Mar 20 2018
Event: 35th IFIP International Symposium on Computer Performance, Modeling, Measurements and Evaluation, IFIP WG 7.3 Performance 2017 - New York, United States
Duration: Nov 13 2017 - Nov 17 2017

Fingerprint

Tomography
Fusion reactions
Topology
Monitoring
Testing

All Science Journal Classification (ASJC) codes

  • Software
  • Hardware and Architecture
  • Computer Networks and Communications

Cite this

@article{8ad137dd471b49dcbc535afe7f24378a,
title = "Distributed link anomaly detection via partial network tomography",
author = "Ting He",
year = "2018",
month = "3",
day = "20",
doi = "10.1145/3199524.3199532",
language = "English (US)",
volume = "45",
pages = "29--42",
journal = "Performance Evaluation Review",
issn = "0163-5999",
publisher = "Association for Computing Machinery (ACM)",
number = "3",

}

Distributed link anomaly detection via partial network tomography. / He, Ting.

In: Performance Evaluation Review, Vol. 45, No. 3, 20.03.2018, p. 29-42.

TY - JOUR

T1 - Distributed link anomaly detection via partial network tomography

AU - He, Ting

PY - 2018/3/20

Y1 - 2018/3/20

UR - http://www.scopus.com/inward/record.url?scp=85046646720&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85046646720&partnerID=8YFLogxK

U2 - 10.1145/3199524.3199532

DO - 10.1145/3199524.3199532

M3 - Conference article

AN - SCOPUS:85046646720

VL - 45

SP - 29

EP - 42

JO - Performance Evaluation Review

JF - Performance Evaluation Review

SN - 0163-5999

IS - 3

ER -