• DocumentCode
    3244089
  • Title

    Anomaly Detection Based on Available Bandwidth Estimation

  • Author

    He, Li ; Yu, Shunzheng ; Li, Min

  • Author_Institution
    Dept. of Electron. & Commun. Eng., Sun Yat-sen Univ., Guangzhou
  • fYear
    2008
  • fDate
    18-21 Oct. 2008
  • Firstpage
    176
  • Lastpage
    183
  • Abstract
    Identifying anomalies such as failures and attacks rapidly and accurately over the Internet is of interest to both network operators and researchers. A network behavior analysis (NBA) system is usually deployed over an intranet, passively collects SNMP data or flow data, and uses signature and anomaly mechanisms to identify and analyze interesting network activities, including traffic anomalies. In order to discover anomalies in networks outside manageable areas, we need to use active probing techniques. In this paper we first present PQLink, a tool that allows end users to accurately measure the available bandwidth (AB) of arbitrary links on a network. PQLink uses a novel probing technique called trains of packet-quartets and needs only a single end point. Then we propose a novel approach for anomaly detection based on PQLink, which keeps monitoring the AB of vital links. Simulations validate the efficiency of PQLink and our anomaly detection approach.
  • Keywords
    Internet; digital signatures; intranets; protocols; telecommunication links; telecommunication network management; telecommunication security; telecommunication traffic; Internet; PQLink; SNMP data; anomaly detection; arbitrary links; available bandwidth estimation; digital signature; flow data; intranet; network behavior analysis system; network operators; probing technique; traffic anomaly; vital links; Bandwidth; Helium; IP networks; Internet; Monitoring; Parallel processing; Quality of service; Sun; Telecommunication traffic; Traffic control; active measurement; anomaly detection; available bandwidth measurement;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Network and Parallel Computing, 2008. NPC 2008. IFIP International Conference on
  • Conference_Location
    Shanghai
  • Print_ISBN
    978-0-7695-3354-4
  • Type

    conf

  • DOI
    10.1109/NPC.2008.85
  • Filename
    4663321