Active Network Probing Framework for Real-Time Detection of Anomalous Internet Traffic Patterns

Abstract

The growing size and sophistication of the worldwide Internet systems require effective techniques of real-time monitoring of abnormal network activity. The given paper presents an active network probing framework which repeatedly measures the quality of end-to-end Internet paths with lightweight ICMP and TCP-based measurement packets. The framework is dynamically tweaked to either shorten or lengthen its probing interval, based on the volatility of the network that it monitors, allowing it to distinguish between a benign congestion event and an anomaly caused by an attack, e.g. by Distributed Denial-of-Service (DDoS) amplification or route hijacking. The probes are spread on ten geographically different vantage points that offer coverage and a high level of temporal granularity. Information regarding the collected data is analysed with a hybrid statistical-machine learning model that matches traffic deviations on real-time. Experimental tests had 92% accuracy in anomaly detection using less than 1% bandwidth footprint, which means that it does not cause much interference to the traffic being carried out. Findings prove the scalability, flexibility and efficiency of the framework in improving the visibility of the performance of the global Internet. The study will help in the development of non-invasive, proactive, and distributed network monitoring systems to ensure service reliability and safety in the current communication infrastructures.