Leonardo de Souza Mendes
State University of Campinas
Publication
Featured research published by Leonardo de Souza Mendes.
Expert Systems With Applications | 2016
Sylvio Barbon; Leonardo de Souza Mendes; Mario Lemes Proença
Self-organized agents use multidimensional flow analysis to help network management. Traffic profiling and anomaly detection tasks are designed to operate autonomously. Reports are provided in real time to aid decision-making when anomalous events occur. A pattern matching technique calculates adaptive thresholds for anomaly detection. False alarm and accuracy rates are encouraging both in real and simulated traffic.
Traffic monitoring and anomaly detection are essential activities for computer network management, since they provide relevant information about its current performance and contribute to network control. Although there are several studies in this area, diagnosis and resolution of anomalies are still challenging issues. From an expert system point of view, current solutions have not been sufficient to meet the requirements demanded for use in large-scale network environments, and thus a significant portion of workforce budgets is spent on network management. Based on this context, the focus of this paper is the development of a system able to proactively monitor the network and detect anomalous events, reducing manual intervention and the probability of errors in decision-making regarding network management. The proposed approach characterizes the normal pattern of the network traffic and detects anomalous behavior, outage events and attacks by deviations from this pattern. For this purpose, an unsupervised learning methodology is used to extract traffic features from IP flow attributes, collected from a network structure. Aiming to improve its efficiency, a modification of the Ant Colony Optimization metaheuristic is proposed, which through self-organized agents optimizes the analysis of multidimensional flow attributes and allows it to be completed in time to mitigate the impact on large-scale networks. In addition to notifying the network manager about the anomalies, the system provides the information necessary to identify and take action against them. The resulting detection system was tested with real and simulated data, achieving high detection rates while the false alarm rate remains low.
Journal of Network and Systems Management | 2007
Bruno Bogaz Zarpelão; Leonardo de Souza Mendes; Mario Lemes Proença
Detecting anomalies accurately is fundamental to rapid diagnosis and repair of problems. This paper proposes a novel anomaly detection system based on the comparison of real traffic and the DSNS (Digital Signature of Network Segment), generated by the BLGBA (Baseline for Automatic Backbone Management) model, within a hysteresis interval using the residual mean, and on the correlation of the detected deviations. Extensive experimental results on real network servers confirmed that our system is able to detect anomalies on the monitored devices while avoiding a high false alarm rate.
Global Communications Conference | 2009
Bruno Bogaz Zarpelão; Leonardo de Souza Mendes; Mario Lemes Proença; Joel J. P. C. Rodrigues
This work proposes a parameterized anomaly detection system based on the profile-based method. The analysis of network elements is performed in two levels: (i) analysis of Simple Network Management Protocol (SNMP) object data using a hysteresis-based algorithm to detect behavior deviations; (ii) analysis of alerts generated in the first level using a dependency graph, which represents the relationships between the SNMP objects. The proposed system is also able to configure its own parameters automatically, aiming to meet the network administrator's needs. Tests were performed in a real network environment and great results were obtained.
Journal of Network and Computer Applications | 2012
Alexandre Aguiar Amaral; Bruno Bogaz Zarpelão; Leonardo de Souza Mendes; Joel J. P. C. Rodrigues; Mario Lemes Proença Junior
Many solutions have been proposed for network alarm correlation. However, they have mainly focused on alarm reduction and on root cause analysis. This paper presents an automated alarm correlation system composed of three layers, which obtains raw alarms and presents to the network administrator a wide view of the scenario affected by the volume anomaly. In the preprocessing layer, alarms are compressed using their spatial and temporal attributes and reduced into a unique alarm named Device Level Alarm (DLA). The correlation layer aims to infer the anomaly propagation path and its origin and destination using DLAs and network topology information. The presentation layer provides the visualization of the path and network elements affected by the anomaly propagation. Moreover, the Anomaly Propagation View (APV) is presented, a graphic tool developed to provide a wide visualization of the network status. In order to evaluate the effectiveness of the proposed solution, real traffic data from State University of Londrina was used.
IEEE Latin-American Conference on Communications | 2009
Leonardo de Souza Mendes; Mauricio Luis Bottoli; Gean Davis Breda
Digital cities can be defined as a highly interactive digital communication environment built to mimic the behavior of real cities. Open access metropolitan area networks (Open MANs) are communication networks built to allow universal access of a city's population to a single digital multimedia communication network. The goal of this paper is to discuss the impact on the community of delivering digital cities solutions upon the universal access scenario of the Open MANs. We also present results obtained from the deployment of such solutions in some Brazilian cities and the perspectives for this project in Brazil in the coming years.
International Conference on Telecommunications | 2004
Mario Lemes Proença; Camiel Coppelmans; Mauricio Luis Bottoli; Antônio Marcos Alberti; Leonardo de Souza Mendes
This paper presents results of the Hurst parameter for digital signatures of network segments. A model for automatic digital signature generation, which aims at the characterization of traffic in network segments, is also presented. The use of the digital signature allows the manager to: identify limitations and crucial points of the network; establish the real use of network resources; better control the use of resources; and establish thresholds for the generation of more accurate and intelligent alarms that suit the real network characteristics. The obtained results validate the experiment and show in practice significant advantages in network management.
Computer Communications | 2017
Alexandre Aguiar Amaral; Leonardo de Souza Mendes; Bruno Bogaz Zarpelão; Mario Lemes Proença Junior
Taking into account the accelerated rate of network growth, the occurrence of anomalies becomes inevitable. A single anomaly can affect the network performance so it is crucial to detect its origin. However, when different kinds of anomalies are present at the same time, it becomes more complicated to detect their root causes. In addition, the network administrator has to deal with questions related to network health, such as bandwidth bottlenecks, and network misuse. Detecting these problems quickly is essential to take appropriate countermeasures. Although many solutions have been proposed to detect anomalies, they do not address other important questions related to network health. In this paper, a system capable of detecting and classifying the anomalies, and extracting detailed information from the network usage, is presented. A graph representation is used, allowing a deep inspection of the IP flows exchanged between the active devices in the network. The Tsallis entropy is applied to detect anomalies. Furthermore, the proposed system allows the network administrator to create metrics to monitor and acquire detailed information about the network equipment, services, and users. Tests using real and artificial datasets demonstrate the effectiveness of the proposed system to detect simultaneous anomalies, and to provide useful information for network-management tasks.
Cyber Security and Information Intelligence Research Workshop | 2013
Rodrigo Sanches Miani; Michel Cukier; Bruno Bogaz Zarpelão; Leonardo de Souza Mendes
Finding relevant metrics in information security is an important but difficult problem. In this paper, we propose to empirically investigate the relevance of different security metrics that could be derived from intrusion prevention system (IPS) alert events and computer security incident data. Based on the data provided by the University of Maryland, we show that IPS metrics are linked to security incidents, and also that different types of security incidents have different significant metrics. These results can be used for identifying possible candidates for security incident indicators, developing methods to improve incident prevention and helping organizations interpret their IPSs better in the future.
International Journal of Network Management | 2013
Luis Henrique Gibeli; Gean Davis Breda; Rodrigo Sanches Miani; Bruno Bogaz Zarpelão; Leonardo de Souza Mendes
In the last century, owing to the constant evolution of technologies, telecommunication networks have become increasingly robust, being able to support multiple services. These services are part of the heterogeneous network traffic that can be carried through the Internet. Many of these services, including VoIP, are latency sensitive. In other words, their quality depends directly on the network quality of service. Since users tend to become more sensitive to the instability and unavailability of the network, it is important to improve traffic management. A particular type of data that could be used to improve VoIP traffic management is the Internet Protocol Detail Record (IPDR). IPDRs are tickets created by all VoIP call attempts which contain a group of information related to the call history. Because of their full range of information, IPDRs can be used to create VoIP traffic baselines. This paper presents the development of baselines based on IPDRs to support VoIP traffic management in open-access Metropolitan Area Networks (MAN).
IEEE International Telecommunications Symposium | 2006
Gean Davis Breda; Leonardo de Souza Mendes
This paper deals with two algorithms for monitoring QoS and, based on it, detecting failures in voice communication systems. These algorithms are based on the analysis of data stored in Call Detail Records (CDR). For each call one CDR or ticket is generated. These tickets contain data related to the call describing the system elements involved, such as time and duration of the call, phone types and numbers, SS7 signaling, trunks, time slots, what happened to the call, etc. The tickets are generated in PSTN switches or over VoIP gateways, in the case of Internet Protocol Detail Records (IPDRs). These tickets can be used to monitor QoS and to detect faults, focusing on different aspects related to the call, such as technical, economic, or social. Our main goal is to analyze and classify these algorithms according to their performance and use.