Abstract
We consider the problem of traffic anomaly detection in IP networks. Traffic anomalies typically arise when there is focused overload or when a network element fails and it is desired to infer these purely from the measured traffic. We derive new general formulae for the variance of the cumulative traffic over a fixed time interval and show how the derived analytical expression simplifies for the case of voice over IP traffic, the focus of this paper. To detect load anomalies, we show it is sufficient to consider cumulative traffic over relatively long intervals such as 5 min. We also propose simple anomaly detection tests including detection of over/underload. This approach substantially extends the current practice in IP network management where only the first-order statistics and fixed thresholds are used to identify abnormal behavior. We conclude with the application of the scheme to field data from an operational network.
| Original language | English (US) |
|---|---|
| Pages (from-to) | 1019-1026 |
| Number of pages | 8 |
| Journal | IEEE Transactions on Neural Networks |
| Volume | 16 |
| Issue number | 5 |
| DOIs | |
| State | Published - Sep 2005 |
| Externally published | Yes |
Keywords
- Anomaly detection
- Heavy-tailed holding times
- Load characterization
- Network management
- Second-order statistic
- Traffic measurements
- Voice-over IP
ASJC Scopus subject areas
- Software
- Computer Science Applications
- Computer Networks and Communications
- Artificial Intelligence