Title :
Decision theoretic approach to detect anomalies beyond enterprise boundaries
Author :
Fida, Syed ; Kalim, Umar ; Latif, Noman ; Khayam, Syed Ali
Author_Institution :
Sch. of Electr. Eng. & Comput. Sci. (SEECS), Nat. Univ. of Sci. & Technol. (NUST), Islamabad, Pakistan
fDate :
Oct. 31 2011-Nov. 1 2011
Abstract :
Many algorithms have been proposed in the last decade to detect traffic anomalies in enterprise networks. However, most of these algorithms cannot detect anomalies that occur beyond enterprise boundaries. Anomaly monitoring and detection on end-to-end Internet paths, although important for network operations, is challenging due to lack of access and control over intermediate network devices. In this paper, we propose an algorithm that detects anomalies or significant events on an end-to-end Internet path by monitoring the path's available bandwidth. We first evaluate existing algorithms on a comprehensive dataset of more than a million bandwidth measurements spanning three years. We show that existing algorithms do not incorporate the typical behavior of a path in the anomaly detection process and consequently incur accuracy degradations. We therefore propose to filter noisy bandwidth measurements to extract a typical or baseline statistical distribution of a path's bandwidth. This baseline model is in turn leveraged in a generic decision-theoretic framework to provide timely detection of significant path events. We show that the proposed detector provides highly accurate performance and easily surpasses the accuracy of existing techniques.
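The three-stage pipeline the abstract sketches (filter noisy bandwidth measurements, extract a baseline distribution of the path, decide with a decision-theoretic rule), as an added illustration that is not the paper's code, data or exact method: the measurement series is constructed, and the median/MAD filtering, the Gaussian-plus-uniform baseline mixture, the uniform "anomaly" alternative, the cost and prior values, the 200 Mbit/s link range and all function names are assumptions made for this example. A plain 3-sigma detector fitted to the unfiltered data is included only to show the failure mode the abstract describes: without a model of typical behavior it alarms on isolated bad probes and, because those probes inflate its variance, misses the sustained drop entirely.

```python
"""Added example (not the paper's code): a toy decision-theoretic detector
over a constructed series of end-to-end available-bandwidth measurements.
Pipeline: filter noisy probes -> baseline distribution -> minimum-expected-
cost alarm decision.  All model choices and numbers here are assumptions."""
import math
import statistics
from typing import List, Tuple

# Constructed sample (Mbit/s) on a hypothetical path.  Indices 0-39 are the
# typical regime: ~95 Mbit/s with probe noise and two isolated bad probes
# (index 9 and index 24).  From index 40 on the path suffers a sustained
# drop to ~60 Mbit/s, the kind of "significant event" we want to catch.
TYPICAL = [94.1, 96.3, 95.0, 93.8, 97.2, 95.6, 94.4, 96.9, 95.3, 40.2,
           93.9, 95.8, 96.1, 94.7, 95.2, 97.5, 94.0, 95.9, 96.4, 93.5,
           95.1, 94.8, 96.7, 95.4, 150.3, 94.2, 96.0, 95.7, 93.6, 97.0,
           94.9, 95.5, 96.2, 94.3, 95.8, 93.7, 96.6, 95.0, 94.6, 96.8]
DEGRADED = [61.2, 59.8, 60.5, 62.0, 58.9, 60.3, 61.7, 59.4, 60.8, 61.1,
            59.6, 60.9, 62.3, 58.7, 60.1, 61.4, 59.9, 60.6, 61.9, 60.0]
SERIES = TYPICAL + DEGRADED
SPAN = 200.0  # assumed plausible range [0, SPAN] Mbit/s for this link


def fit_baseline(samples: List[float], k: float = 3.0) -> Tuple[float, float, float]:
    """Robust baseline: median/MAD locate the typical regime, probes more
    than k robust sigmas away are treated as measurement noise and dropped,
    and the dropped fraction becomes the noise weight eps of the baseline
    mixture.  Returns (mu, sigma, eps)."""
    med = statistics.median(samples)
    mad = statistics.median(abs(x - med) for x in samples)
    robust_sigma = 1.4826 * mad  # MAD -> sigma for a Gaussian core
    if robust_sigma == 0.0:      # degenerate input: nothing to filter on
        kept = list(samples)
    else:
        kept = [x for x in samples if abs(x - med) <= k * robust_sigma]
    eps = max((len(samples) - len(kept)) / len(samples), 0.01)
    return statistics.mean(kept), statistics.pstdev(kept), eps


def log_baseline(x: float, mu: float, sigma: float, eps: float) -> float:
    """log p(x | typical): Gaussian core plus a uniform noise component, so a
    single bad probe is 'unlikely but expected' rather than impossible."""
    z = (x - mu) / sigma
    core = math.exp(-0.5 * z * z) / (sigma * math.sqrt(2.0 * math.pi))
    return math.log((1.0 - eps) * core + eps / SPAN)


def log_anomaly(x: float) -> float:
    """log p(x | anomaly): nothing is assumed about where the bandwidth went,
    so the alternative is uniform over the link's range."""
    return -math.log(SPAN)


def alarm_threshold(c_false_alarm: float, c_miss: float, prior_anomaly: float) -> float:
    """Minimum-expected-cost rule: alarm iff
       c_miss * P(anomaly | window) > c_false_alarm * P(typical | window),
    which is the same as the window log-likelihood ratio exceeding this."""
    return math.log(c_false_alarm / c_miss) + math.log((1.0 - prior_anomaly) / prior_anomaly)


def decision_theoretic_alarms(series: List[float], train_len: int, window: int = 4,
                              c_false_alarm: float = 1.0, c_miss: float = 5.0,
                              prior_anomaly: float = 0.05) -> List[int]:
    """Indices at which the minimum-expected-cost rule raises an alarm."""
    mu, sigma, eps = fit_baseline(series[:train_len])
    thr = alarm_threshold(c_false_alarm, c_miss, prior_anomaly)
    alarms = []
    for i in range(len(series)):
        win = series[max(0, i - window + 1): i + 1]
        llr = sum(log_anomaly(x) - log_baseline(x, mu, sigma, eps) for x in win)
        if llr > thr:
            alarms.append(i)
    return alarms


def naive_threshold_alarms(series: List[float], train_len: int, k: float = 3.0) -> List[int]:
    """Contrast: fixed k-sigma band around the raw mean/std of the training
    data, with no filtering of noisy probes and no notion of typical behavior."""
    train = series[:train_len]
    mu, sd = statistics.mean(train), statistics.pstdev(train)
    return [i for i, x in enumerate(series) if abs(x - mu) > k * sd]


if __name__ == "__main__":
    print("baseline (mu, sigma, eps):", fit_baseline(TYPICAL))
    print("naive 3-sigma alarms:     ", naive_threshold_alarms(SERIES, len(TYPICAL)))
    print("decision-theoretic alarms:", decision_theoretic_alarms(SERIES, len(TYPICAL)))
```

On this constructed series the naive detector fires only on the two bad probes (its 3-sigma band, widened by those same probes to roughly 58-132 Mbit/s, swallows the whole 60 Mbit/s regime), while the mixture-baseline detector ignores the probes and alarms from the third degraded sample onward, once the window's evidence outweighs the cost ratio and prior folded into the threshold. Raising c_miss or the prior lowers the threshold and trades earlier detection for more false alarms; that trade-off, not a fixed band, is what the decision-theoretic framing makes explicit.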
Keywords :
Internet; computer network security; decision theory; statistical distributions; telecommunication traffic; baseline model; decision theoretic approach; end-to-end Internet paths; enterprise boundaries; enterprise networks; noisy bandwidth measurement filtering; path bandwidth statistical distribution; traffic anomaly detection; Accuracy; Bandwidth; Delay; Detectors; Internet; Monitoring;
Conference_Titel :
Configuration Analytics and Automation (SAFECONFIG), 2011 4th Symposium on
Conference_Location :
Arlington, VA
Print_ISBN :
978-1-4673-0401-6
Electronic_ISBN :
978-1-4673-0400-9
DOI :
10.1109/SafeConfig.2011.6111680