Anomalies are unusual and unexpected events in the network that do not conform to the normal network activity. Accurate and agile anomaly identification is critical for reliable operation of the network. However, identifying complex anomalies within voluminous and diverse network traffic is a challenging task. This problem is further complicated when anomaly detection techniques designed for backbone networks are deployed in edge networks, producing low accuracy and many false alarms.
This thesis reports the anomaly detection performance of three techniques in a large edge network. I enhance two backbone network techniques, BasisDetect and PCA, to work in edge networks. I also develop Gradient, a simple gradient-based multi-resolution anomaly detection technique that performs efficiently in practice. The experiments are performed on a dataset spanning 23 months with periods of high and low network activity. The diverse set of hosts in the network included servers, wireless devices, and residential users.
I assess the detection performance using several metrics, including detection accuracy, robustness, and sensitivity to training sets and traffic volumes. I also analyze the impact of configuration parameters on the performance of the anomaly detection techniques. My results show that both BasisDetect and Gradient generally perform with high accuracy in edge networks. BasisDetect lacks robustness over a long period of time, but this deficiency can be addressed with periodic retraining. PCA, however, has low detection accuracy and generates many false alarms.