Deep IP flow inspection to detect beyond network anomalies

Taking into account the accelerated rate of network growth, the occurrence of anomalies becomes inevitable. A single anomaly can affect the network performance so it is crucial to detect its origin. However, when different kinds of anomalies are present at the same time, it becomes more complicated to detect their root causes. In addition, the network administrator has to deal with questions related to network health, such as bandwidth bottlenecks, and network misuse. Detecting these problems quickly is essential to take appropriate countermeasures. Although many solutions have been proposed to detect anomalies, they do not address other important questions related to network health. In this paper, a system capable of detecting and classifying the anomalies, and extracting detailed information from the network usage, is presented. A graph representation is used, allowing a deep inspection of the IP flows exchanged between the active devices in the network. The Tsallis entropy is applied to detect anomalies. Furthermore, the proposed system allows the network administrator to create metrics to monitor and acquire detailed information about the network equipment, services, and users. Tests using real and artificial datasets demonstrate the effectiveness of the proposed system to detect simultaneous anomalies, and to provide useful information for network-management tasks.