The DNS protocol has proved to be a valuable means for identifying and dissecting large-scale anomalies in omnipresent Over The Top (OTT) Internet services. In this paper, we present and evaluate a framework for detecting and diagnosing traffic anomalies via DNS traffic analysis. Detection of such anomalies is achieved by monitoring different DNS-related symptomatic features, flagging a warning as soon as one or more of them show a significant change. The investigation of the root causes for such deviations is done by looking at significant changes in a number of diagnostic features (i.e., device manufacturer and OS, requested host name, error codes, etc.), which convey information directly linked to the potential origins of the detected anomalies. For the purpose of detecting significant changes in the time-series of diagnostic features, we propose two different schemes: the first is based on change point detection applied to the entropy of the considered features, the second considers the full statistical distribution of the traffic features. The proposed solutions are tested and compared using both real and synthetic data from a nationwide mobile ISP, the latter generated from real traffic statistics to resemble the real mobile network traffic. To show the operational value of the proposed framework, we report the results of the diagnosis in two prototypical cases.
%0 Conference Paper
%1 7277443
%A Fiadino, P.
%A D'Alconzo, A.
%A Schiavone, M.
%A Casas, P.
%B Teletraffic Congress (ITC 27), 2015 27th International
%D 2015
%K DNS-related_symptomatic_features DNS_protocol DNS_traffic_analysis Entropy Feature_extraction IP_networks Internet Measurement Mobile_communication Mobile_computing OTT RCATool Radiation_detectors cellular_networks cellular_radio change_point_detection computer_network_security entropy full_statistical_distribution itc itc27 nationwide_mobile_ISP over-the-top_Internet_services real_mobile_network_traffic statistical_distributions telecommunication_traffic time-series traffic_anomaly_detection traffic_anomaly_diagnosis traffic_features
%P 194-202
%R 10.1109/ITC.2015.30
%T RCATool - A Framework for Detecting and Diagnosing Anomalies in Cellular Networks
%U https://gitlab2.informatik.uni-wuerzburg.de/itc-conference/itc-conference-public/-/raw/master/itc27/7277443.pdf?inline=true
%X The DNS protocol has proved to be a valuable means for identifying and dissecting large-scale anomalies in omnipresent Over The Top (OTT) Internet services. In this paper, we present and evaluate a framework for detecting and diagnosing traffic anomalies via DNS traffic analysis. Detection of such anomalies is achieved by monitoring different DNS-related symptomatic features, flagging a warning as soon as one or more of them show a significant change. The investigation of the root causes for such deviations is done by looking at significant changes in a number of diagnostic features (i.e., device manufacturer and OS, requested host name, error codes, etc.), which convey information directly linked to the potential origins of the detected anomalies. For the purpose of detecting significant changes in the time-series of diagnostic features, we propose two different schemes: the first is based on change point detection applied to the entropy of the considered features, the second considers the full statistical distribution of the traffic features. The proposed solutions are tested and compared using both real and synthetic data from a nationwide mobile ISP, the latter generated from real traffic statistics to resemble the real mobile network traffic. To show the operational value of the proposed framework, we report the results of the diagnosis in two prototypical cases.
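@inproceedings{7277443,
  abstract  = {The DNS protocol has proved to be a valuable means for identifying and dissecting large-scale anomalies in omnipresent Over The Top (OTT) Internet services. In this paper, we present and evaluate a framework for detecting and diagnosing traffic anomalies via DNS traffic analysis. Detection of such anomalies is achieved by monitoring different DNS-related symptomatic features, flagging a warning as soon as one or more of them show a significant change. The investigation of the root causes for such deviations is done by looking at significant changes in a number of diagnostic features (i.e., device manufacturer and OS, requested host name, error codes, etc.), which convey information directly linked to the potential origins of the detected anomalies. For the purpose of detecting significant changes in the time-series of diagnostic features, we propose two different schemes: the first is based on change point detection applied to the entropy of the considered features, the second considers the full statistical distribution of the traffic features. The proposed solutions are tested and compared using both real and synthetic data from a nationwide mobile ISP, the latter generated from real traffic statistics to resemble the real mobile network traffic. To show the operational value of the proposed framework, we report the results of the diagnosis in two prototypical cases.},
  added-at  = {2016-07-11T18:20:14.000+0200},
  author    = {Fiadino, P. and D'Alconzo, A. and Schiavone, M. and Casas, P.},
  biburl    = {https://www.bibsonomy.org/bibtex/26c854e1ea689b666dba85fe2f01638f4/itc},
  booktitle = {2015 27th International Teletraffic Congress ({ITC} 27)},
  doi       = {10.1109/ITC.2015.30},
  interhash = {bb004a2c158e7acab046a40cfefd7430},
  intrahash = {6c854e1ea689b666dba85fe2f01638f4},
  keywords  = {DNS-related_symptomatic_features DNS_protocol DNS_traffic_analysis Entropy Feature_extraction IP_networks Internet Measurement Mobile_communication Mobile_computing OTT RCATool Radiation_detectors cellular_networks cellular_radio change_point_detection computer_network_security entropy full_statistical_distribution itc itc27 nationwide_mobile_ISP over-the-top_Internet_services real_mobile_network_traffic statistical_distributions telecommunication_traffic time-series traffic_anomaly_detection traffic_anomaly_diagnosis traffic_features},
  month     = sep,
  pages     = {194--202},
  timestamp = {2020-04-30T18:18:14.000+0200},
  title     = {{RCATool} - A Framework for Detecting and Diagnosing Anomalies in Cellular Networks},
  url       = {https://gitlab2.informatik.uni-wuerzburg.de/itc-conference/itc-conference-public/-/raw/master/itc27/7277443.pdf?inline=true},
  year      = {2015},
}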