Communications networks increasingly rely on robust, accurate monitoring systems to help network operators detect disruptions, misconfigurations, and failures. Accurate monitoring techniques detect disruptions when they occur (with a negligible number of false alarms) and identify the source of the disruption (for example, the faulty network element or the source of unwanted traffic). Robust monitoring detects disruptions even when measurements are noisy or incomplete, or when attackers are actively trying to disguise their presence. Network monitoring is most accurate when it is distributed; that is, when it draws upon observations from a large number of vantage points. Monitoring is more robust when it is network-level; that is, when it relies on properties of the network traffic rather than on other features such as traffic content. The researchers are developing techniques for distributed, network-level monitoring and incorporating these techniques into a distributed data management system for detecting network disruptions in two areas: internal network faults and failures, and external threats and unwanted traffic.
The research has three themes: (1) online, distributed detection algorithms; (2) informed actuation, which uses passive measurements as a baseline and judiciously chooses which active measurements to issue in support of the passive measurements; and (3) incorporating these techniques into real-world systems to evaluate the practicality of the schemes and their applicability in realistic network monitoring settings. We will evaluate our algorithms in two settings: detection of internal network disruptions (e.g., failures, faults, and misconfigurations within a single network, such as a campus or enterprise network); and fast detection of global threats (e.g., spam, botnets).
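The following is an added illustration, not code from the project described above, of how the first two themes fit together: each (vantage point, path) pair keeps an online passive baseline, a disruption is confirmed only when a quorum of vantage points flag the same path (so a noisy report from a single vantage point does not raise an alarm), and active measurements are then chosen sparingly to confirm the confirmed paths. The vantage-point names, path identifiers, thresholds, and all loss measurements are constructed for the example.

```python
"""Added illustration (not the project's code): an online, distributed detector
with quorum-based alarm confirmation and informed selection of active probes.
All names, thresholds and measurements are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


class Baseline:
    """Online EWMA of a passive metric (here a loss fraction) plus an EWMA of
    its absolute deviation. A sample is anomalous when it exceeds the mean by
    more than k deviations, with an absolute floor so a perfectly flat baseline
    does not alarm on tiny jitter. Anomalous samples are not folded into the
    baseline, so a disruption cannot quietly become the new normal (assumed
    policy; a real deployment would also age out stale baselines)."""

    def __init__(self, alpha: float = 0.5, k: float = 4.0, floor: float = 0.02):
        self.alpha, self.k, self.floor = alpha, k, floor
        self.mean: Optional[float] = None
        self.mad = 0.0

    def observe(self, x: float) -> bool:
        if self.mean is None:            # first sample seeds the baseline
            self.mean = x
            return False
        if x > self.mean + max(self.k * self.mad, self.floor):
            return True
        self.mad = (1 - self.alpha) * self.mad + self.alpha * abs(x - self.mean)
        self.mean = (1 - self.alpha) * self.mean + self.alpha * x
        return False


@dataclass(frozen=True)
class Report:
    vantage: str   # constructed vantage-point name
    path: str      # constructed id of the monitored path or element
    loss: float    # passively measured loss fraction over the last interval


@dataclass
class Decision:
    local_flags: dict   # path -> set of vantage points that flagged it locally
    alarms: list        # paths confirmed by at least `quorum` vantage points
    probes: list        # (vantage, path) active measurements to issue


class Coordinator:
    """Aggregates per-round passive reports from all vantage points."""

    def __init__(self, quorum: int = 2):
        self.quorum = quorum
        self.baselines = defaultdict(Baseline)   # keyed by (vantage, path)

    def step(self, reports: list) -> Decision:
        flags = defaultdict(set)
        worst = {}   # path -> flagged report with the highest loss
        for r in reports:
            if self.baselines[(r.vantage, r.path)].observe(r.loss):
                flags[r.path].add(r.vantage)
                if r.path not in worst or r.loss > worst[r.path].loss:
                    worst[r.path] = r
        alarms = sorted(p for p, vs in flags.items() if len(vs) >= self.quorum)
        # Informed actuation: one active probe per confirmed path, issued from
        # the vantage point that saw the worst loss, rather than probing from
        # every vantage point on every local flag.
        probes = [(worst[p].vantage, p) for p in alarms]
        return Decision(dict(flags), alarms, probes)


def run_constructed_scenario() -> Decision:
    """Five quiet rounds, then a round in which path p1 degrades as seen from
    two vantage points while a single vantage point also reports a spike on p2
    (constructed data)."""
    coord = Coordinator(quorum=2)
    vantages, paths = ["vp-a", "vp-b", "vp-c"], ["p1", "p2"]
    for _ in range(5):
        coord.step([Report(v, p, 0.01) for v in vantages for p in paths])
    round6 = [
        Report("vp-a", "p1", 0.35), Report("vp-b", "p1", 0.30), Report("vp-c", "p1", 0.01),
        Report("vp-a", "p2", 0.25), Report("vp-b", "p2", 0.01), Report("vp-c", "p2", 0.01),
    ]
    return coord.step(round6)


if __name__ == "__main__":
    d = run_constructed_scenario()
    print("locally flagged:", d.local_flags)
    print("confirmed alarms:", d.alarms)
    print("active probes to issue:", d.probes)
```

In the constructed scenario, p1 is confirmed because two vantage points agree, and a single active probe is issued from the vantage point that observed the worst loss; the isolated spike on p2 is recorded as a local flag but does not trigger an alarm or a probe, which is the false-alarm suppression a distributed view buys over a single vantage point.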