- Link saturation.
Assume a company with four local area networks (in four different buildings for example) interconnected using an all-to-all topology. Let experiments with id 1 to 6 measure the available bandwidth of the interconnecting paths. We want an alarm to be raised if any of the links becomes more than 80% utilized, i.e. the available bandwidth drops below 20% of the capacity of the link.
|
|
The assumption behind these rules is that for each path, the maximum value of the available bandwidth over a period of 14 days will be equal to the capacity of that path. This way the rule doesn't have to be updated if the network is upgraded (or changed in any way). In a network where this assumption doesn't hold, the user can directly assign the actual values of the capacities to the appropriate variables, as shown in following examples.
- Subnet overload.
Assume the same network as in the previous example. We now want to detect possible load imbalances between the different departments, so we want an alarm to be raised if for any subnet, all its links become more than 70% utilized at the same time.
| D0: | 1 Mins |
| D1: | 0 Mins |
| D2: | 14 Days |
| D3: | 0 Mins |
| V0: | From D0 To D1 AVG( b ) + 0.00 ExpID: 1 |
| V1: | From D2 To D3 MAX( b ) * 0.30 ExpID: 1 |
| V2: | From D0 To D1 AVG( b ) + 0.00 ExpID: 2 |
| V3: | From D2 To D3 MAX( b ) * 0.30 ExpID: 2 |
| V4: | From D0 To D1 AVG( b ) + 0.00 ExpID: 3 |
| V5: | From D2 To D3 MAX( b ) * 0.30 ExpID: 3 |
| V6: | From D0 To D1 AVG( b ) + 0.00 ExpID: 4 |
| V7: | From D2 To D3 MAX( b ) * 0.30 ExpID: 4 |
| V8: | From D0 To D1 AVG( b ) + 0.00 ExpID: 5 |
| V9: | From D2 To D3 MAX( b ) * 0.30 ExpID: 5 |
| V10: | From D0 To D1 AVG( b ) + 0.00 ExpID: 6 |
| V11: | From D2 To D3 MAX( b ) * 0.30 ExpID: 6 |
| C0: | V0 <= V1 |
| C1: | V2 <= V3 |
| C2: | V4 <= V5 |
| C3: | V6 <= V7 |
| C4: | V8 <= V9 |
| C5: | V10 <= V11 |
| CC0: | C0 && C2 && C8 |
| CC1: | C2 && C4 && C10 |
| CC2: | C4 && C6 && C8 |
| CC3: | C0 && C6 && C10 |
| CC4: | CC0 || CC1 || CC2 || CC3 |
| Rule: | CC4 |
- Sudden increase of the popularity of a web page.
Let experiment with id 1 measure the available bandwidth of the path from the web server (or some important server) of a company to the gateway. We want an alarm to be raised if say the avail. bandwidth of the path drops below 70% of the expected value. As expected value we can define the minimum value of the previous day at this time of day.
| D0: | 1 Mins | |
| D1: | 0 Mins | |
| D2: | 1 Day 30 Mins | |
| D3: | 1 Day | |
| V0: | From D0 To D1 AVG( b ) + 0.00 ExpID: 1 | |
| V1: | From D2 To D3 MIN( b ) + 0.00 ExpID: 1 | |
| V2: | From D0 To D0 MIN( b ) + 0.70 ExpID: 0 | [ V2 will actually be the constant 0.7 ] |
| VC0: | V2 * V1 | |
| C0: | VC0 > V0 | |
| CC0: | C0 && C0 | |
| Rule: | CC0 |
- Possible DoS attack 1.
Let experiment with id 2 measure the available bandwidth of the path from the web server (or some important server) of a company to the gateway, and the experiment with id 3 the Loss Rate of the same path. We want to detect possible DoS attacks, and we consider suspicious the cases where the Loss Rate is high (thus the server appears loaded), but the available bandwidth is high as well (thus the server does not serve many requests). We want an alarm to be raised, if say the avail. bandwidth of the path is above 80% of the expected value, and the Loss Rate is above 150% of the expected value. As expected value we define the average and maximum value (respectively) of the previous day at this time of day.
| D0: | 1 Mins |
| D1: | 0 Mins |
| D2: | 1 Day 30 Mins |
| D3: | 1 Day |
| V0: | From D0 To D1 AVG( b ) + 0.00 ExpID: 2 |
| V1: | From D2 To D3 AVG( b ) * 0.80 ExpID: 2 |
| V2: | From D0 To D1 AVG( b ) + 0.00 ExpID: 3 |
| V3: | From D2 To D3 MAX( b ) * 1.50 ExpID: 3 |
| C0: | V0 > V1 |
| C1: | V2 > V3 |
| CC0: | C0 && C1 |
| Rule: | CC0 |
- Possible DoS attack 2.
In this case we want to check the same metrics as before, but we want a better definition for the expected values. Therefore we take the average between the value one day before and one week before. This will avoid the potential problem the simple method can exhibit in small networks on Mondays, due to the lower traffic usually observed in such networks on Sundays.
| D0: | 1 Mins | |
| D1: | 0 Mins | |
| D2: | 1 Days 30 Mins | |
| D3: | 1 Days | |
| D4: | 7 Days 30 Mins | |
| D5: | 7 Days | |
| V0: | From D0 To D1 AVG( b ) + 0.00 ExpID: 2 | |
| V1: | From D2 To D3 AVG( b ) + 0.00 ExpID: 2 | |
| V2: | From D4 To D5 AVG( b ) + 0.00 ExpID: 2 | |
| V3: | From D0 To D1 AVG( b ) + 0.00 ExpID: 3 | |
| V4: | From D2 To D3 MAX( b ) + 0.00 ExpID: 3 | |
| V5: | From D4 To D5 MAX( b ) + 0.00 ExpID: 3 | |
| V6: | From D0 To D0 MIN( b ) + 0.40 ExpID: 0 | |
| V7: | From D0 To D0 MIN( b ) + 0.75 ExpID: 0 | |
| VC0: | V1 + V2 | |
| VC1: | V6 * VC0 | |
| VC2: | V4 + V5 | |
| VC3: | V7 * VC2 | |
| C0: | V0 > VC1 | [ V0 > 0.40 * (V1 + V2) ] |
| C1: | V3 > VC3 | [ V3 > 0.75 * (V4 + V5) ] |
| CC0: | C0 && C1 | |
| Rule: | CC0 |
Obviously, the sampling to evaluate the expected value can be extended to include more days of the week, or more times in a day. Additionally, different weights can be applied to different values to exploit a specific periodic behavior of the network traffic, if such a behavior is known to the user.
- Need for route change in an Overlay Network.
Let the experiments with id 1 to 3, measure the Round Trip Time of the paths A->B, B->C and C->D and exp. 4 the RTT of the path A->D, that connects A and D directly. Let the experiments with id 5 to 7, measure the Av. Bandwidth of the paths A->B, B->C and C->D and exp. 8 the Av. Bandwidth of the path A->D, that connects A and D directly. We want an alarm to be raised, If the RTT of the "long way" is less than the RTT of the direct path AND the available bandwidth in all of the parts of the "long way" is greater than the available bandwidth in A->D. In this case we would obviously want to make A forward to B the traffic going to D.
| D0: | 1 Mins | |
| D1: | 0 Mins | |
| V0: | From D0 To D1 AVG( b ) + 0.0 ExpID: 1 | [ RTT(A->B) ] |
| V1: | From D0 To D1 AVG( b ) + 0.0 ExpID: 2 | [ RTT(B->C) ] |
| V2: | From D0 To D1 AVG( b ) + 0.0 ExpID: 3 | [ RTT(C->D) ] |
| V3: | From D0 To D1 AVG( b ) + 0.00 ExpID: 4 | [ RTT(A->D) ] |
| V4: | From D0 To D1 AVG( b ) + 0.00 ExpID: 5 | [ AvBand(A->B) ] |
| V5: | From D0 To D1 AVG( b ) + 0.00 ExpID: 6 | [ AvBand(B->C) ] |
| V6: | From D0 To D1 AVG( b ) + 0.00 ExpID: 7 | [ AvBand(C->D) ] |
| V7: | From D0 To D1 AVG( b ) + 0.00 ExpID: 8 | [ AvBand(A->D) ] |
| VC0: | V0 + V1 + V2 | [ RTT(A->B->C->D) ] |
| C0: | V3 > VC0 | [ RTT(A->D) > RTT(A->B->C->D) ] |
| C1: | V7 <= V4 | [ AvBand(A->D) <= AvBand(A->B) ] |
| C2: | V7 <= V5 | [ AvBand(A->D) <= AvBand(B->C) ] |
| C3: | V7 <= V6 | [ AvBand(A->D) <= AvBand(C->D) ] |
| CC0: | C0 && C1 && C2 && C3 | |
| Rule: | CC0 |
The number of paths being compared can be anything from 2 to 30. Additionally, the boolean expression can be more complicated to express more complicated cases. For example, if the user needs an alarm when the RTT of the direct path grow large (larger than the RTT of the multi-hop path), OR the available path of the direct path is low (lower than the av. bandwidth in all the parts of the multi-hop path), the two last lines of the previous rule would become:
| CC0: | C1 && C2 && C3 |
| CC1: | C0 || CC0 |
| Rule: | CC1 |