CINBAD - CERN Investigation of Network Behavior Anomaly Detection
The project originates from a common interest between CERN and HP/ProCurve. As a leading scientific organization with an open environment and demanding users, CERN looks for innovative technologies to meet the needs of the Large Hadron Collider (LHC). We would like to improve the reliability, security, speed and performance of our IT infrastructure. The collaboration between CERN and HP/ProCurve brings our ideas and experience together in order to develop appropriate solutions for high-performance networking.
Today's networks are getting more complex and harder to master. They consist of many different elements, such as switches, routers, servers and firewalls. An increase in configuration and topology complexity, as well as in the number of users and services in the network, might cause problems. The number of potential new network attacks and viruses also grows with this complexity. For that reason, the computer network might operate in an unexpected way. This deviation from the normal state is an anomaly. Even in CERN's 'academic' environment, we cannot afford network downtime, especially when the LHC starts to produce petabytes of data. The goal of the project is to detect these anomalies as early as possible. To achieve this goal, we look for all potential data sources, collect and store the data, and provide algorithms to detect the anomalies accurately. Using CERN's large network infrastructure as a source of data will help in providing scalable, efficient and accurate anomaly detection systems.
The project goal is to understand the behavior of large computer networks (10’000+ nodes) in High Performance Computing or large Campus installations to be able to:
The results of this project (which started during CERN openlab II and was completed during CERN openlab III) are available in the openlab III section of the CERN openlab website.