Network anomaly confirmation, diagnosis and remediation

Identifying and diagnosing network traffic anomalies, and rectifying their effects are standard, daily activities of network operators. While there is a large and growing literature on techniques for detecting network anomalies, there has been little or no treatment of what to do after a candidate anomaly has been identified. In this paper, we present a first step toward formalizing and automating the time-consuming and challenging tasks associated with network anomaly confirmation, diagnosis and remedy. Our work assumes that potential anomalies are identified either through visual analysis of key traffic measurements or from a Network Anomaly Detection System (NADS). We describe a flexible framework for network anomaly confirmation, diagnosis and remedy that is based on workflow concepts. The key features of this framework include data types/sources, analyses and decision points. We present an instantiation of our framework that includes a taxonomy of network traffic anomalies and detailed steps for confirmation of anomalies associated with malicious attacks. We demonstrate our framework by applying it to traffic in our university network. We propose that our framework is a starting point for streamlining operational tasks associated with traffic anomalies, and for the generation of annotated data sets that can be used in future NADS development.