IEEE/IFIP International Workshop on Analytics for Network and Service Management

AnNet 2016

April 25, 2016 in Istanbul, Turkey

IEEE/IFIP Network Operations and Management Symposium
Istanbul, Turkey, 25-29 April 2016

10:30 - 11:00 Short Paper Session 1
Online Feature Selected Semi-Supervised Decision Trees for Network Intrusion Detection
  Abstract: Network intrusion detection systems need to detect abnormal behaviour in network data as soon as possible and with as little user intervention as possible. In this paper, we describe a semi-supervised network anomaly detection system. Our system uses online clustering to summarize the available network data. Clusters are represented using extended cluster features that comprise not only features related to the original features, but also features that describe the relationships between clusters. Each cluster is labeled by the user as anomaly or normal, and then a decision tree is trained based on this information. The incoming new data is labeled according to the output of the decision tree. We show that this system achieves much better performance than an unsupervised anomaly detection system. We also show that using online feature selection on the cluster features reduces the decision tree complexity without hindering the accuracy.
Toward a Cloud-based security intelligence with big data processing
  Abstract: As the adoption of Cloud Computing is growing exponentially, a huge amount of data is generated and therefore needs to be processed in order to control efficiently what is going on within the infrastructure, and also to respond effectively and promptly to security threats. Herein, we provide a highly scalable, plugin-based and comprehensive solution in order to have real-time monitoring that reduces the impact of an attack or a particular issue in the overall distributed infrastructure. This work covers a bigger scope in infrastructure security by monitoring all devices that generate log files or generate network traffic. By applying different Big Data techniques for data analysis, we can ensure a responsive solution to any problem (security or other) within the infrastructure and act accordingly.
  Keywords—Cloud Computing, Security Information and Event Management (SIEM), Security Intelligence, Big Data, Hadoop, Spark
SLA Analytics for Adaptive Service Provisioning in the Cloud
  Abstract: Service level agreements (SLAs) are considered not only a central tool for managing QoS compliance, but also a differentiating factor between service implementations. In today’s application environments with fast instrumentation deployment cycles in hybrid Cloud platforms, managing QoS compliance poses tremendous challenges, including how to deliver solutions that live up to promised QoS properties and preemptively identify provisioning risks before they lead to violations. Current approaches are usually reactive, i.e. the application infrastructure reacts to changes in QoS metrics, with a huge focus on compliance enforcement after violations have occurred. Cloud service provisioning demands a proactive approach to QoS management, with support for robust predictive scaling of service capacity based on multiple metrics, including business goals as well as infrastructure-level and QoS metrics. This paper presents an approach for adaptive service provisioning in the Cloud based on QoS analytics. A major contribution of the approach is the development of an analytics engine for predictive elasticity management of Cloud service provisioning that integrates in-depth mining of SLA compliance history with knowledge of business context, e.g. workload variability, a customer’s business goals, application performance, and service operational context. In this work-in-progress report, we describe the proposed framework and discuss possible implementation and deployment scenarios.
15:30 - 16:00 Short Paper Session 2
VEGAS: Visualizing, Exploring and Grouping Alerts
  Abstract: The large quantities of alerts generated by intrusion detection systems (IDS) make it very difficult to distinguish real threats from noise on a network. To help solve this problem, we propose VEGAS, an alert visualization and classification tool that allows first-line security operators to group alerts visually based on their principal component analysis (PCA) representation. VEGAS is included in a workflow in such a way that once a set of similar alerts has been collected and diagnosed, a filter is generated that redirects forthcoming similar alerts to other security analysts who are specifically in charge of this set of alerts, in effect reducing the flow of raw undiagnosed alerts.
Clustering-based KPI Data Association Analysis Method in Cellular Networks
  Abstract: With the rapid development of cellular network systems, operators need more experience to deal with complicated network management systems and a wide range of Key Performance Indicators (KPIs). Many indicators are related to each other due to their definition or the communication process, but several implicit associations still exist among these KPIs. This paper proposes an approach to figure out the implicit linear relationships among indicators clearly, in which a new clustering technique is used for distinguishing different relationships. Data analysis using real network data shows that the approach can divide data into clusters well, and each cluster can effectively reflect the relationship between indicators.
Improve RTT Measurement Quality via Clustering in Inter-Domain TE
  Abstract: For multi-homed networks, inter-domain traffic engineering (TE) consists of selecting the best path via available transit providers, so that the transmission quality is improved in the face of network events, such as congestion and fail-over. In practice, this choice is based on end-to-end (e2e) measurements toward destination networks. These measurements, especially Round-Trip Time (RTT), are expected to offer a faithful view of inter-domain path properties. Hosts in destination networks with open ports are deliberately discovered for active measurement. RTT traces so obtained can be influenced by host-local factors that are not relevant to inter-domain routing and eventually mislead route decisions. We data-mined the RTT time series between two ASes with an unsupervised learning method, clustering, on a set of statistical features. The achieved results showed that our method was capable of improving data quality by excluding less reliable traces. Moreover, we considered traceroute measurements. Early results suggested that most variations of e2e delay actually occurred in access networks. We thus believe that the proposed scheme can improve the accuracy and stability of route selection for multi-homed networks.
A classification approach for adaptive mitigation of SYN flood attacks
  Abstract: SYN flood is a commonly used Distributed Denial of Service (DDoS) attack. SYN flood DDoS attacks consume a considerable amount of resources in the target machine. Even with straightforward mitigation solutions, any attack causes resource waste and performance loss in the server, rendering it unable to provide service to legitimate clients. We propose an approach for SYN flood attack mitigation based on supervised learning classification methods, which identify and block SYN flood traffic before it reaches its target, hence preventing resource consumption and loss of performance. At this stage, our method identifies SYN flood attacks and applies the classifier models in batch mode. This method chooses the classifiers and adjusts the parameters according to the policies and the changing characteristics of the SYN flood attack.