Crosstalk: A Scalable Cross-Protocol Monitoring System for Anomaly Detection

Monitoring is crucial both to the correct operation of a network and to the services that run on it. Operators perform monitoring for various purposes, including traffic engineering, quality of service, security and detection of faults and mis-configurations. However, the relentless growth of IP traffic volume renders real-time monitoring and analysis of data a very challenging problem. In this paper we introduce Crosstalk, a scalable and efficient distributed monitoring architecture that uses cross-protocol correlation to detect network anomalies. While applicable to a wide range of applications such as botnet detection, spam mitigation and mis-configurations, we pick a point in this application space, concentrating on VoIP attacks. We present extensive simulation results based both on generated calls and on millions of Call Data Records (CDRs) from a large VoIP operator to show our approach´s performance and effectiveness.