Real-time anomaly detection and mitigation using streaming telemetry in SDN

Measurement and monitoring are crucial for various network tasks such as traffic engineering, anomaly detection, and intrusion prevention. The success of critical capabilities such as anomaly detection and prevention depends on whether the utilized network measurement method is able to provide granular, near real-time, low-overhead measurement data or not. In addition to the measurement method, the anomaly detection and mitigation algorithm is also essential for recognizing normal and abnormal traffic patterns in such a huge amount of measured data with high accuracy and low latency. Software-defined networking is an emerging concept to enable programmable and efficient measurement functions for these kinds of challenging requirements. In this paper, we present a new, real-time, model-driven anomaly detection and mitigation platform. Model-driven streaming telemetry and exponential smoothing are the underlying approaches of the platform. A customized collector is proposed to gather streaming telemetry metrics, and Holt’s prediction algorithm is improved to handle real-time streaming data and decrease false positives. The developed system is tested on a campus network and the success rate of the system is calculated as 92%. © TÜBİTAK