On the Use of TCP Passive Measurements for Anomaly Detection: A Case Study from an Operational 3G Network

Romirer-Maierhofer, Peter; Coluccia, Angelo; Witek, Tobias

doi:10.1007/978-3-642-12365-8_14

Peter Romirer-Maierhofer¹⁹,
Angelo Coluccia²⁰ &
Tobias Witek¹⁹

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 6003))

Included in the following conference series:

International Workshop on Traffic Monitoring and Analysis

647 Accesses
6 Citations

Abstract

In this work we discuss the use of passive measurements of TCP performance indicators in support of network operation and troubleshooting, presenting a case-study from a real 3G cellular network. From the analysis of TCP handshaking packets measured in the core network we infer Round-Trip-Times (RTT) on both the client and server sides separately for UMTS/HSPA and GPRS/EDGE sections. We also keep track of the relative share of packet pairs which did not lead to a valid RTT sample, e.g. due to loss and/or retransmission events, and use this metric as an additional performance signal. In a previous work we identified the risk of measurement bias due to early retransmission of TCP SYNACK packets by some popular servers. In order to mitigate this problem we introduce here a novel algorithm for dynamic classification and filtering of early retransmitters. We present a few illustrative cases of abrupt-change observed in the real network, based on which we derive some lessons learned about using such data for detecting anomalies in a real network. Thanks to such measurements we were able to discover a hidden congestion bottleneck in the network under study.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Benko, P., Malicsko, G., Veres, A.: A Large-scale, Passive Analysis of End-to-End TCP Performance over GPRS. In: IEEE INFOCOM 2004 (2004)
Google Scholar
Vacirca, F., Ricciato, F., Pilz, R.: Large-Scale RTT Measurements from an Operational UMTS/GPRS Network. In: Proc. of WICON 2005, Budapest (July 2005)
Google Scholar
Romirer-Maierhofer, P., Ricciato, F., D’Alconzo, A., Franzan, R., Karner, W.: Network-wide measurements of TCP RTT in 3G. In: Papadopouli, M., Owezarski, P., Pras, A. (eds.) TMA 2009. LNCS, vol. 5537, pp. 17–25. Springer, Heidelberg (2009)
Chapter Google Scholar
Aikat, J., Kaur, J., Smith, F.D., Jeffay, K.: Variability in TCP round-trip times. In: ACM SIGCOMM IMC 2003, Miami Beach, USA (October 2003)
Google Scholar
Jaiswal, S., Iannaccone, G., Diot, C., Kurose, J., Towsley, D.: Inferring TCP Connection Characteristics Through Passive Measurements. In: IEEE INFOCOM 2003, San Francisco, USA (April 2003)
Google Scholar
Rewaskar, S., Kaur, J., Smith, F.D.: A passive state-machine approach for accurate analysis of TCP out-of-sequence segments. ACM SIGCOMM Computer Communication Review 36(3), 51–64 (2006)
Article Google Scholar
Mellia, M., Meo, M., Muscariello, L., Rossi, D.: Passive analysis of TCP anomalies. Computer Networks 52(14), 2663–2676 (2008)
Article MATH Google Scholar
RFC2988: Computing TCP’s Retransmission Timer (November 2000)
Google Scholar
Ricciato, F., Vacirca, F., Svoboda, P.: Diagnosis of Capacity Bottlenecks via Passive Monitoring in 3G Networks: an Empirical Analysis. Computer Networks 51(4), 1205–1231 (2007)
Article MATH Google Scholar
Bannister, J., Mather, P., Coope, S.: Convergence Technologies for 3G Networks: IP, UMTS, EGPRS and ATM. Wiley, Chichester (2004)
Google Scholar
METAWIN and DARWIN projects: http://userver.ftw.at/~ricciato/darwin
Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); General Packet Radio Service (GPRS); GPRS Tunnelling Protocol (GTP) across the Gn and Gp interface, 3GPP TS 29.060, Version 8.9.0, Release 8 (October 2009)
Google Scholar
Coluccia, A., Ricciato, F., Romirer-Maierhofer, P.: On Robust Estimation of Network-wide Packet Loss in 3G Cellular Networks. In: IEEE BWA 2009, Honolulu, USA, November 30 (2009)
Google Scholar
RFC1122: Requirements for Internet Hosts - Communication Layers (October 1989)
Google Scholar

Download references

Author information

Authors and Affiliations

Forschungszentrum Telekommunikation Wien (FTW), Austria
Peter Romirer-Maierhofer & Tobias Witek
Università del Salento, Italy
Angelo Coluccia

Authors

Peter Romirer-Maierhofer
View author publications
You can also search for this author in PubMed Google Scholar
Angelo Coluccia
View author publications
You can also search for this author in PubMed Google Scholar
Tobias Witek
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Università del Salento, Lecce, Italy, and FTW Forschungszentrum Telekommunikation, Vienna, Austria
Fabio Ricciato
Dipartimento di Elettronica, Politecnico di Torino, Corso Duca degli Abruzzi 24, 10129, Torino, Italy
Marco Mellia
Institut EURECOM, Sophia Antipolis, France
Ernst Biersack

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Romirer-Maierhofer, P., Coluccia, A., Witek, T. (2010). On the Use of TCP Passive Measurements for Anomaly Detection: A Case Study from an Operational 3G Network. In: Ricciato, F., Mellia, M., Biersack, E. (eds) Traffic Monitoring and Analysis. TMA 2010. Lecture Notes in Computer Science, vol 6003. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-12365-8_14

Download citation

DOI: https://doi.org/10.1007/978-3-642-12365-8_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-12364-1
Online ISBN: 978-3-642-12365-8
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics