NOMAD: traffic-based network monitoring framework for anomaly detection

Network performance monitoring is essential for managing a network efficiently and for ensuring reliable operation of the network. In this paper we introduce a scalable network monitoring framework, (NOMAD), that detects network anomalies through the characterization of the dynamic statistical properties of network traffic. NOMAD relies on high resolution measurements and on-line analysis of network traffic to provide real-time alarms in the incipient phase of network anomalies. It incorporates a suite of anomaly identification algorithms based on path changes, flow shift, and packet delay variance, and relies extensively on IP packet header information, such as TTL, source/destination address and packet length, and router´s timestamps. NOMAD can be deployed in a single backbone router or incrementally in a regional or large scale network for detecting and locating network anomalies by correlating spatial and temporal network state information