SENATUS: An Approach to Joint Traffic Anomaly Detection and Root Cause Analysis
Atef Abdelkefi, Yuming Jiang, Sachin Sharma

TL;DR
SENATUS is a three-stage approach that detects network traffic anomalies and identifies their root causes using senator flows, voting, and machine learning, demonstrating effectiveness on real traffic data.
Contribution
The paper introduces SENATUS, a novel joint anomaly detection and root cause analysis method based on senator flows, voting, and machine learning, improving diagnosis accuracy.
Findings
Effective detection of network scans and DDoS attacks.
Outperforms lossless compression-based anomaly detection.
Validated on real European network traffic data.
Abstract
In this paper, we propose a novel approach, called SENATUS, for joint traffic anomaly detection and root-cause analysis. Inspired by the concept of a senate, the key idea of the proposed approach is divided into three stages: election, voting and decision. At the election stage, a small number of senator flows are chosen to represent approximately the total (usually huge) set of traffic flows. In the voting stage, anomaly detection is applied on the senator flows and the detected anomalies are correlated to identify the most possible anomalous time bins. Finally, in the decision stage, a machine learning technique is applied to the senator flows of each anomalous time bin to find the root cause of the anomalies. We evaluate SENATUS using traffic traces collected from the Pan European network, GEANT, and compare…
