Papers by Alessandro D'Alconzo
Despite the long literature and assorted list of proposed systems for performing detection and classification of anomalies in operational networks, Internet Service Providers (ISPs) are still looking for effective means to manage the ever-growing number of network traffic anomalies they face in their daily business. In this paper we address the problem of automatic network traffic anomaly detection and classification using Machine Learning (ML) based techniques, for the specific case of traffic anomalies observed in cellular network measurements. We devise a simple detection and classification technique based on decision trees, and compare its performance to that achieved by other supervised learning classifiers well known in the ML literature (e.g., SVM, neuronal networks, etc.). The proposed solution is evaluated using synthetically-generated data from an operational cellular ISP, drawn from real traffic statistics to resemble the real cellular network traffic. Furthermore, we comp...
annals of telecommunications - annales des télécommunications, 2012
In this work a basic Resource Allocation (RA) problem is considered, where a fixed capacity must be shared among a set of users. The RA task can be formulated as an optimization problem, with a set of simple constraints and an objective function to be minimized. A fundamental relation between the RA optimization problem and the notion of max-min fairness is established. A sufficient condition on the objective function that ensures the optimal solution is max-min fair is provided. Notably, some important objective functions like Least Squares and Maximum Entropy fall in this case. Finally, an application of max-min fairness for overload protection in 3G networks is considered.
Lecture Notes in Computer Science, 2009
In this study we present network-wide measurements of Round-Trip-Time (RTT) from an operational 3G network, separately for GPRS/EDGE and UMTS/HSxPA sections. The RTT values are estimated from passive monitoring based on the timestamps of TCP handshaking packets. Compared to a previous study in 2004, the measured RTT values have decreased considerably. We show that the network-wide RTT percentiles in UMTS/HSxPA are very stable in time and largely independent from the network load. Additionally, we present separate RTT statistics for handsets and laptops, finding that they are very similar in UMTS/HSxPA. During the study we identified a problem with the RTT measurement methodology - mostly affecting GPRS/EDGE data - due to early retransmission of SYNACK packets by some popular servers.
Computer Communications, 2010
Third-generation cellular networks are exposed to novel forms of denial-of-service attacks that only recently have started to be recognized and documented by the scientific community. In this contribution, we review some recently published attack models specific for cellular networks. We review them collectively in order to identify the main system-design aspects that are ultimately responsible for the exposure to the attack. The goal of this contribution is to build awareness about the intrinsic weaknesses of 3G networks from a system-design perspective. In doing that we hope to inform the design practice of future generation networks, motivating the adoption of randomization, adaptation and prioritization as central ingredients of robust system design.
VTC Spring 2009 - IEEE 69th Vehicular Technology Conference, 2009
In this contribution we address the problem of using cellular network signaling for inferring real-time road traffic information. We survey and categorize the approaches that have been proposed in the literature for a cellular-based road monitoring system and identify advantages and limitations. We outline a unified framework that encompasses UMTS and GPRS data collection in addition to GSM, and prospectively combines passive and active monitoring techniques. We identify the main research challenges that must be faced in designing and implementing such an intelligent road traffic estimation system via third-generation cellular networks.
GLOBECOM 2009 - 2009 IEEE Global Telecommunications Conference, 2009
In this work we present a novel scheme for statistical-based anomaly detection in 3G cellular networks. The traffic data collected by a passive monitoring system are reduced to a set of per-mobile user counters, from which time-series of unidimensional feature distributions are derived. An example of feature is the number of TCP SYN packets seen in uplink for each mobile user in fixed-length time bins. We design a change-detection algorithm to identify deviations in each distribution time-series. Our algorithm is designed specifically to cope with the marked non-stationarities, daily/weekly seasonality and long-term trend that characterize the global traffic in a real network. The proposed scheme was applied to the analysis of a large dataset from an operational 3G network. Here we present the algorithm and report on our practical experience with the analysis of real data, highlighting the key lessons learned in the perspective of the possible adoption of our anomaly detection tool on a production basis.
Lecture Notes in Computer Science, 2013
In this Chapter we address the problem of detecting "anomalies" in the global network traffic produced by a large population of end-users. Empirical distributions across users are considered for several traffic variables at different timescales, and the goal is to identify statistically-significant deviations from the past behavior. This problem is cast into the framework of hypothesis testing. We first address the methodology for dynamically identifying a reference for the null hypothesis ("normal" traffic) that takes into account the typical non-stationarity of real traffic in volume and composition. Then, we illustrate two general distribution-based detection approaches based on both heuristic and formal methods. We discuss also operational criteria for dynamically tuning the detector, so as to track the physiological variation of traffic profiles and number of active users. The Chapter includes a final evaluation based on the analysis of a dataset from an operational 3G network, so as to show in practice the detection of real-world traffic anomalies.
Computer Networks, 2013
We address the problem of detecting “anomalies” in the network traffic produced by a large population of end-users following a distribution-based change detection approach. In the considered scenario, different traffic variables are monitored at different levels of temporal aggregation (timescales), resulting in a grid of variable/timescale nodes. For every node, a set of per-user traffic counters is maintained and then summarized into histograms for every time bin, obtaining a timeseries of empirical (discrete) distributions for every variable/timescale node. Within this framework, we tackle the problem of designing a formal Distribution-based Change Detector (DCD) able to identify statistically-significant deviations from the past behavior of each individual timeseries. For the detection task we propose a novel methodology based on a Maximum Entropy (ME) modeling approach. Each empirical distribution (sample observation) is mapped to a set of ME model parameters, called “characteristic vector”, via closed-form Maximum Likelihood (ML) estimation. This allows us to derive a detection rule based on a formal hypothesis test (Generalized Likelihood Ratio Test, GLRT) to measure the coherence of the current observation, i.e., its characteristic vector, to the given reference. The latter is dynamically identified taking into account the typical non-stationarity displayed by real network traffic. Numerical results on synthetic data demonstrate the robustness of our detector, while the evaluation on a labeled dataset from an operational 3G cellular network confirms the capability of the proposed method to identify real traffic anomalies.
GLOBECOM 2009 - 2009 IEEE Global Telecommunications Conference, 2009
In this work we present a simple toy-model that is able to explain certain empirical observations reported in a set of previous papers by Hohn et al.
Lecture Notes in Computer Science, 2013
In this Chapter we give an overview of statistical methods for anomaly detection (AD), thereby targeting an audience of practitioners with general knowledge of statistics. We focus on the applicability of the methods by stating and comparing the conditions in which they can be applied and by discussing the parameters that need to be set.
International Journal of Network Management, 2010
... Similarly, we define the external dispersion Γ(k) as a synthetic indicator extracted from the set of ... The detection scheme is based on the comparison between the internal and external metrics. ... method as it allows coping with the marked non-stationarity of real traffic (see analysis ...
2015 27th International Teletraffic Congress, 2015
The DNS protocol has proved to be a valuable means for identifying and dissecting large-scale anomalies in omnipresent Over The Top (OTT) Internet services. In this paper, we present and evaluate a framework for detecting and diagnosing traffic anomalies via DNS traffic analysis. Detection of such anomalies is achieved by monitoring different DNS-related symptomatic features, flagging a warning as soon as one or more of them show a significant change. The investigation of the root causes for such deviations is done by looking at significant changes in a number of diagnostic features (i.e., device manufacturer and OS, requested host name, error codes, etc.), which convey information directly linked to the potential origins of the detected anomalies. For the purpose of detecting significant changes in the time-series of diagnostic features, we propose two different schemes: the first is based on change point detection applied to the entropy of the considered features, the second considers the full statistical distribution of the traffic features. The proposed solutions are tested and compared using both real and synthetic data from a nationwide mobile ISP, the latter generated from real traffic statistics to resemble the real mobile network traffic. To show the operational value of the proposed framework, we report the results of the diagnosis in two prototypical cases.
Lecture Notes in Computer Science, 2015
Nowadays mobile devices are highly heterogeneous both in terms of terminal types (e.g., smartphones versus data modems) and usage scenarios (e.g., mobile browsing versus machine-to-machine applications). Additionally, the complexity of mobile terminals is continuously growing due to increases in computational power and advances in mobile operating systems. In this scenario novel traffic patterns may arise in mobile networks, and it is highly desirable for operators to understand their impact on the network performance. We address this problem by characterizing the traffic of different device types and operating systems, analyzing real traces from a large scale mobile operator. We find the presence of highly time synchronized spikes in both data and signaling plane traffic generated by different types of devices. Additionally, by investigating a real case, we show that a device-specific view on traffic can efficiently support the root cause analysis of some types of network anomalies. Our analysis confirms that large traffic peaks, potentially leading to large-scale anomalies, can be induced by the misbehavior of a specific device type. Accordingly, we advocate the need for novel analysis methodologies for automatic detection and possibly mitigation of such device-triggered network anomalies.