Tuesday, December 10, 2013

CoNEXT'13: An Adaptive Flow Counting Method for Anomaly Detection in SDN

Presenter: Ying Zhang

The problem that this paper is addressing is what data should be collected such that we can do accurate anomaly detection. Prior work has proposed sampling data, however recent work has shown that sampling can severely impact accuracy.

This paper proposes a flexible and interactive interface between anomaly detector applications and network measurement. It proposes OpenWatch, a program that takes as input different anomaly detection applications and decides what flows should be monitored. It leverages the flexibility SDN offers in being able to choose what flows can be monitored. The key feature of OpenWatch is an adaptive mechanism, i.e, based on traffic pattern it can temporally(how frequently flows are reported) and spatially(what flows are reported, it can install more fine-grained or coarse grain rules to achieve that) adjust flow monitoring.

 OpenWatch is evaluated using a real packet trace from a cellular network. Its overhead and detection accuracy are evaluated as a function of the reporting interval and different aggregation levels with different anomaly detectors.

Q: There has been some prior work on flow counting using SDN, how relevant is that? and how does SDN help?

A: The prior work is relevant, with SDN its much easier to implement these function, e.g., selecting what flows to monitor. However, there is lack of study in how we can do active measurements.