Network-anomaly Detection Technology

Technological fields
Telecommunications Network Technologies
Keyword
  • Anomaly detection
  • Ongoing anomaly
  • Traffic prediction
Laboratory organization
NTT Service Integration Laboratories



To provide highly reliable network services securely, network anomalies that significantly degrade users' communication must be detected promptly and handled appropriately. Conventionally, network operators detect anomalies by monitoring; however, as networks have grown, the number of monitoring points and monitored data items has increased to the point where anomalies can no longer be detected in a short time.

In response, NTT Laboratories has developed a "dynamic-threshold setting technique" that works on traffic-volume data measured at multiple points, detects anomalies automatically and notifies the operator. By statistically learning the characteristic behaviour of past network traffic, the technique accurately predicts the present traffic volume; comparing the predicted volume with the actual (measured) volume reveals so-called "network anomalies" such as the increased traffic volume of a DDoS* attack or the reduced traffic volume caused by an equipment failure. Furthermore, by continuing to predict the normal traffic volume while an anomaly is in progress, the technique can judge whether the anomaly is continuing. Instantaneous traffic changes can thus be distinguished from serious anomalies that persist for long periods, and operators receive information that conventional technology (which only notified them of sudden changes in traffic volume) could not provide, namely whether anomalies are currently ongoing, and at how many different places.
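The following is an added illustration of the idea in that paragraph, not NTT's implementation: a per-slot-of-day baseline (mean and standard deviation learned from past days) gives a predicted normal volume and a dynamic threshold band around it; a measured sample outside the band is flagged "high" (DDoS-like surge) or "low" (equipment-failure-like loss); and, while an anomaly is in progress, the anomalous samples are kept out of the baseline so the prediction keeps describing normal traffic and a persisting deviation is reported as ongoing rather than as a fresh spike each interval. The hourly sampling, the daily period, the sigma-floor, the "ongoing after three samples" rule and the synthetic traffic series are all assumptions made for the example.

```python
"""Dynamic-threshold network-anomaly detection on periodic traffic counts.

Added example, not NTT's code. Assumptions: traffic volume is sampled at a
fixed interval with a daily period (24 hourly samples, a constructed choice),
and the predicted normal volume for a slot is the mean of past days' values at
that slot, with a threshold band of +/- k standard deviations around it.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass

SLOTS_PER_DAY = 24          # assumed hourly samples


@dataclass
class SlotStats:
    """Running mean/variance (Welford) of one slot-of-day across past days."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


@dataclass
class Verdict:
    t: int
    value: float
    predicted: float | None
    lower: float | None
    upper: float | None
    kind: str          # "learning", "normal", "high" or "low"
    consecutive: int   # anomalous samples in a row, including this one
    ongoing: bool      # True once the anomaly has persisted ongoing_after samples


class DynamicThresholdDetector:
    def __init__(self, k: float = 3.0, min_days: int = 3,
                 ongoing_after: int = 3, sigma_floor: float = 25.0):
        self.k = k
        self.min_days = min_days              # days of history before judging
        self.ongoing_after = ongoing_after    # samples before "ongoing" (assumed)
        self.sigma_floor = sigma_floor        # keeps the band from collapsing
        self.stats = [SlotStats() for _ in range(SLOTS_PER_DAY)]
        self.consecutive = 0

    def predict(self, t: int):
        """Predicted normal volume and (lower, upper) threshold for sample t."""
        s = self.stats[t % SLOTS_PER_DAY]
        if s.n < self.min_days:
            return None
        sigma = max(s.std, self.sigma_floor)
        return s.mean, s.mean - self.k * sigma, s.mean + self.k * sigma

    def observe(self, t: int, value: float) -> Verdict:
        slot = self.stats[t % SLOTS_PER_DAY]
        band = self.predict(t)
        if band is None:
            slot.update(value)                # still learning this slot
            return Verdict(t, value, None, None, None, "learning", 0, False)
        predicted, lower, upper = band
        if value > upper:
            kind = "high"                     # e.g. DDoS-like surge
        elif value < lower:
            kind = "low"                      # e.g. equipment failure
        else:
            kind = "normal"
        if kind == "normal":
            self.consecutive = 0
            slot.update(value)                # only normal samples refine the baseline
        else:
            # The anomalous sample is NOT fed into the baseline: the prediction
            # keeps describing what normal traffic would be, so later samples
            # are still judged against it and a persistent deviation shows up
            # as an ongoing anomaly instead of being absorbed as the new normal.
            self.consecutive += 1
        return Verdict(t, value, predicted, lower, upper, kind,
                       self.consecutive, self.consecutive >= self.ongoing_after)


def diurnal_baseline(hour: int) -> float:
    """Constructed traffic profile (Mbit/s): 600 at night, peaking at 1000 at noon."""
    return 600.0 + 400.0 * math.sin(math.pi * hour / 24.0)


def run_demo(seed: int = 7) -> list[Verdict]:
    """Learn 7 constructed normal days, then judge an 8th day that carries a
    one-sample spike at 10:00 and a sustained drop from 15:00 to 20:00."""
    rng = random.Random(seed)
    det = DynamicThresholdDetector()
    for day in range(7):
        for hour in range(SLOTS_PER_DAY):
            det.observe(day * SLOTS_PER_DAY + hour,
                        diurnal_baseline(hour) + rng.gauss(0.0, 20.0))
    verdicts = []
    for hour in range(SLOTS_PER_DAY):
        value = diurnal_baseline(hour) + rng.gauss(0.0, 20.0)
        if hour == 10:
            value += 2500.0                   # transient surge, one sample
        elif 15 <= hour <= 20:
            value *= 0.2                      # sustained loss of traffic
        verdicts.append(det.observe(7 * SLOTS_PER_DAY + hour, value))
    return verdicts


if __name__ == "__main__":
    for v in run_demo():
        if v.kind != "normal":
            print(f"t={v.t:3d} value={v.value:8.1f} predicted={v.predicted:7.1f} "
                  f"band=[{v.lower:.1f}, {v.upper:.1f}] {v.kind} "
                  f"consecutive={v.consecutive} ongoing={v.ongoing}")
```

Running the script reports the 10:00 surge as a single "high" sample that never becomes ongoing, while the 15:00 to 20:00 drop is reported "low" on every sample and, from the third one on, as ongoing; at 21:00 traffic is judged normal again and the counter resets. In a multi-point deployment one detector instance per monitored data item gives the operator the "how many places are currently ongoing" view the page describes.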

Going forward, to expand the information provided to network operators, we will continue research on anomaly detection that combines it with analysis techniques for identifying the causes of anomalies, and we will investigate control systems that automate the initial-stage response to anomalies in the network.

  • * DDoS: Distributed Denial of Service

Figure: Network anomaly detection system