Privacy-preserving anomaly detection across multi-domain networks

A lot of traffic anomalies, such as flash crowds, denial-of-service attacks, port scans, can often span multiple ISP networks. Cooperatively detecting and diagnosing these anomalies is critical for network operators to choose the appropriate response. However, legitimate concerns about privacy, such as network topology and link loads, often inhibit network operators in collaborative detection. In this paper, we propose a privacy-preserving mechanism that allows ISPs to cooperatively detect anomalies without requiring them to reveal private traffic information. We design a “semi-centralized” architecture and use secure multiparty computation (SMC) protocol to make the Principal Component Analysis (PCA) based detection method privacy-preserving and at same time keep its scalability and accuracy. We evaluate our design at a simulated distributed environment by using traffic traces from the Abilene backbone network as well as synthetic traces. The results show that it performs well for network-wide anomaly detection and enable larger-scale ISPs cooperation without privacy concerns.