Semantic Metadata Annotation for Network Anomaly Detection

Network Anomaly Detection Architecture provides an overall introduction into how anomaly detection is being applied into the IP network domain and which operational data is needed. It approaches the problem space by automating what a Network Engineer would normally do when veryfing a network connectivity service. Monitor from different network plane perspectives to understand wherever one network plane affects another negatively. In order to fine tune outlier detection, the results provided as analytical data need to be reviewed by a Network Engineer. Keeping the human out of the monitoring but still involving him in the alert verification loop. This document describes what information is needed to understand the output of the outlier detection for a Network Engineer, but also at the same time is semantically structured that it can be used for outlier detection testing by comparing the results systematically and set a baseline for supervised machine learning which requires labeled operational data.

Outlier Detection, also known as anomaly detection, describes a systematic approach to identify rare data points deviating significantly from the majority. Outliers are commonly classified in three categories:

Global outliers:: A data point is considered a global outlier if its value is far outside the entirety of a data set. For example, an average dropped packet count is between 0 and 10 per minute during a one week observation and the observed global outlier was 100000 packets.

Contextual outliers:: A data point is considered a contextual outlier if its value significantly deviates from the rest of the data points in the same time series context. For example, the forwarded packet volume in a timeseries are changing during the time of the day like an oscillation curve, where the observed contextual packet volume outlier is outside the oscillation curve at that moment in time. At another time the same value could be considered normal.

Collective outliers:: A subset of data points within a data set is considered anomalous if those values as a collection deviate significantly from the entire data set, but the values of the individual data points are not themselves anomalous in either a contextual or global sense. In Network Telemetry time series, one way this can manifest is that the amount of network path and interface state changes matches the time range when the forwarded packet volume decreases as a group.

For each outlier a score between 0 and 1 is being calculated. The higher the value, the higher the probability that the observed data point is an outlier. Anomaly detection: A survey gives additional details on anomaly detection and its types.

The Data Mesh Architecture distinguishes between operational and analytical data. Operational data refers to collected data from operational systems. While analytical data refers to insights gained from operational data. In terms of network observability, semantics of operational network metrics are defined by IETF and are categorized as described in the Network Telemetry Framework in the following three different network planes:

Management Plane:: Time series data describing the state changes and statistics of a network node and its components. For example, Interface state and statistics modelled in ietf-interfaces.yang

Control Plane:: Time series data describing the state and state changes of network reachability. For example, BGP VPNv6 unicast updates and withdrawals exported in BGP Monitoring Protocol (BMP) and modeled in BGP

Forwarding Plane:: Time series data describing the forwarding behavior of packets and its data-plane context. For example, dropped packet count modelled in IPFIX entity forwardingStatus(IE89) and packetDeltaCount(IE2) and exportet with IPFIX .

In terms of network observability, semantics of analytical data refers to incident notifications or service level indicators. For example the incident notification described in Section 7.2 of , the health status and symptoms described in the Service Assurance Intend Based Networking or the precision availability metrics defined in or network anomalies and its symptoms as described in this document.

In this section observed network symptoms are specified and categorized according to the following scheme:

Action:: Which action the network node performed for a packet in the Forwarding Plane, a path or adjancency in the Control Plane or state or statistical changes in the Management Plane. For Forwarding Plane we distinguish between missing, where the drop occured outside the measured network node, drop and on-path delay, which was measured on the network node. For control-plane we distinguish between reachability, which refers to a change in the routing or forwarding information base (RIB/FIB) and adjcacency which refers to a change in peering or link-layer resolution. For Management Plane we refer to state or statistical changes on interfaces.

Reason:: For each action one or more reasons describinging why this action was used. For Drops in Forwarding Plane we distinguish between Unreachable because network layer reachability information was missing, administered because an administrator configured a rule preventing the forwarding for this packet and Corrupt where the network node was unable to determine where to forward to due to packet, software or hardware error. For On-Path Delay we distinguish between Minimum, Average and Maximum Delay for a given Flow.

Relation:: For each reason one or more relation describe the cause why the action was chosen. These reason could relate network plane entity, a packet, control-plane or node administered instruction.

consolidates for the forwarding plane a list of common symptoms with their actions, reasons and relations. Describing Symptoms and their Actions, Reason and Relation for Forwarding Plane

Action	Reason	Relation
Missing	Previous	Time
Drop	Unreachable	next-hop
Drop	Unreachable	link-layer
Drop	Unreachable	Time To Life expired
Drop	Unreachable	Fragmentation needed and Don't Fragment set
Drop	Administered	Access-List
Drop	Administered	Unicast Reverse Path Forwarding
Drop	Administered	Discard Route
Drop	Administered	Policed
Drop	Administered	Shaped
Drop	Corrupt	Bad Packet
Drop	Corrupt	Bad Egress Interface
Delay	Min	-
Delay	Mean	-
Delay	Max	-

consolidates for the control plane a list of common symptoms with their actions, reasons and relations. Describing Symptoms and their Actions, Reason and Relation for Control Plane

Action	Reason	Relation
Reachability	Update	Imported
Reachability	Update	Received
Reachability	Withdraw	Received
Reachability	Withdraw	Peer Down
Adjacency	Established	Peer
Adjacency	Established	Link-Layer
Adjacency	Teared Down	Peer
Adjacency	Teared Down	Link-Layer

consolidates for the management plane a list of common symptoms with their actions, reasons and relations. Describing Symptoms and their Actions, Reason and Relation for Management Plane

Action	Reason	Relation
Interface	Up	Link-Layer
Interface	Down	Link-Layer
Interface	Errors	-
Interface	Discards	-
Interface	Unknown Protocol	-

Metadata adds additional context to data. For instance, in networks the software version of a network node where management plane metrics are obtained from as described in . Where in Semantic Metadata the meaning or ontology of the annotated data is being described.

contains the YANG tree diagram of the ietf-anomaly-detection-semantic-metadata module.

Describe YANG module

The security considerations.

The authors would like to thank xxx for their review and valuable comments.