SlideShare a Scribd company logo

Semantic Metadata Annotation for Network Anomaly Detection

T
ThomasGraf42

This document proposes defining standardized semantic metadata annotations for network anomaly detection. This would help network operators, vendors, and academia collaborate by enabling data exchange and facilitating supervised/semi-supervised machine learning development. Key benefits include testing and comparing outlier detection methods, making anomalies understandable for humans, and automating the learning process from network incidents. The document discusses categorizing network symptoms and defining their associated actions, reasons, and causes using YANG data models to annotate operational and analytical data.

Internet
1 of 15
Download to read offline
Semantic Metadata Annotation for Network Anomaly Detection draft-netana-opsawg-nmrg-network-anomaly-semantics-01 Helps to test, validate and compare outlier detection, supports supervised and semi-supervised machine learning development, enables data exchange among network operators, vendors and academia, and make anomalies for humans apprehensible 1 thomas.graf@swisscom.com wanting.du@swisscom.com alex.huang-feng@insa-lyon.fr vincenzo.riccobene@huawei-partners.com antonio.roberto@huawei.com 04. November 2023
« Network operators connect customers in routing tables called VPN's » 2 Packet Segment Routing Connection Point Connection Point Logical Connection IPFIX YANG Push BMP IPFIX YANG Push BMP IPFIX YANG Push BMP Extended Community: RT:60633:1100001064 Standard Community: 64497:798 Prefixes: 64499:123:172.16.31.0/24, 64499:456:100.67.1.0/24 VRF Name: ABC Route Distinguisher: 0:64499:1 Standard Community: 64499:123 Prefixes: 172.16.31.0/24 VRF Name: DEF Route Distinguisher: 0:64499:2 Standard Community: 64499:456 Prefixes: 100.67.1.0/24 IPv4/6 Source: 172.16.31.1 Port Source: 23456 IP Protocol: TCP IP Type of Service: 192 IPv4/6 Destination: 100.67.1.2 Port Destination: 443 Ingress Logical Interface ID: 32 Ingress Physical Interface ID: 21 Ingress VRF ID: 0x100 Egress Logical Interface ID: 11 Egress Physical Interface ID: 43 Egress VRF ID: 0x16 Forwarding Status: FWD Unkown What to monitor Which operational metrics are collected Forwarding Plane Data Models How customers are using our network and services. Active and passive delay measurement Control Plane Data Models How networks are provisioned and redundancy adjusts to topology Management Plane Data Models How logical and physical network devices are connected with each other and carry load Network Connectivity Service Service Models Translates between what customers wishes and intend which should be fulfilled « Network Telemetry (RFC 9232) describes how to collect data from all 3 network planes efficiently »
« Customers are always connected, when VPN's changing, regardless due to operational or configurational reasons, network operators are late to react due to missing visibility and automation » 3 Why to automate monitoring Recognize network incidents faster than humans can
4 Network Data Collection Network Device Trend Detection Verify, Troubleshoot and Notify Closed Loop Operation Network Anomaly Detection Network Visualization Network SLI and SLO Service Owner Platform Owner Operation Data Products Governed by Network Telemetry RFC 9232 Analytical Data Products Governed by Network Operator Data Product Owner Data Product Owner How to organize and collaborate with data The Data Mesh Architecture enables Network Analytics use
5 NetworkAnomaly Detection For VPNs, Network Anomaly Detection constantly monitors and detects any network or device topology changes, along with their associated forwarding consequences for customers as outliers. Notifications are sent to the Network Operation Center before the customer is aware of service disruptions. It offers operational metrics for in-depth analysis, allowing to understand on which platform the problem originates and facilitates problem resolution. Answers What changed and when, on which connectivity service, and how does it impact the customers? Focuses Provides meaningful connectivity service impact information before customer is aware of and support in root-cause analysis. Data Mesh Consumes operational real-time Forwarding Plane, Control Plane and Management Plane metrics and produces analytical alerts. Direction From connectivity service to network platform. What does Network Anomaly Detection mean Monitor changes
6 « A more detailing paper will be submitted soon to IEEE Transactions on Network and Service Management» Presented in ANRW 2023 At IETF 117 San Francisco
7 From network incidents postmortems we network operators learn and improve so does network anomaly detection and supervised and semi-supervised machine learning. The more network incidents are observed, the more we can improve. With more incidents the postmortem process needs be automated, let's get organized first by defining human and machine-readable metadata semantics and annotate operational and analytical data. Let's get further organized by exchanging standardized labeled network incident data among network operators, vendors and academia to collaborate on academic research. « The community working on Network Anomaly Detection is probably the only group wishing for more network incidents » What our motivation is Automate learn and improve
8 Action: Which action the network node performed for a packet in the forwarding plane, a path or adjacency in the control plane or state or statistical changes in the management plane. Reason: For each reason one or more actions describing why this action was used. From drop unreachable, administered, and corrupt in forwarding plane, to reachability withdraw and adjacency teared down in control plane, to Interface down, errors or discard in management plane. Cause: For each reason one or more causes describes why the action was chosen. From missing next-hop and link-layer information in forwarding plane, to reachability withdrawn due to peer down or path no longer redistributed. « Symptoms are categorized in which plane they have been observed, their action, reason and cause » What is a symptom and how to categorize them From action to reason to cause
9 Network Operators: Do you agree that today’s actions; traffic is dropped, path is withdrawn and interface down, are always exposed through Network Telemetry. But reasons and causes, dropped due to unreachable next-hop, withdrawn due to peer down, interface down due to missing signal, are rarely exposed to telemetry would be most interesting? Network Vendors: Is the assumption correct that a when network service process, routing process and withdrawing a path occur, most of the time the vendor knows why it acts that way, and could potential make this reason and cause information available? Academia: Would it help if network operators would provide well defined labeled operational and analytical data to enable and validate their research? Everybody: Should these symptoms be clearly described and standardized for a common terminology so that operators, researchers and anomaly detection systems alike understand their meaning and learn and act accordingly? Questions to the audience Do you care?
10 Global outliers: An outlier is considered "global" if its behavior is outside the entirety of the considered data set. Contextual outliers: An outlier is considered "contextual" if its behavior is within a normal (expected) range, but it would not be expected based on some context. Context can be defined as a function of multiple parameters, such as time, location, etc. Collective outliers: An outlier is considered "collective" if the behavior of each single data point that are part of the anomaly are within expected ranges (so they are not anomalous, it’s either a contextual or a global sense), but the group taking all the data points together, is. « Collective outliers are important because networks are connected. Through different planes interconnected symptoms from various angles can be observed » Outliers in Anomaly Detection From global to contextual to collective
• Symptoms describe what changed in the network for what reason and cause with which concern score from when to when. • Tags describes in which network plane, which action, reason and cause was observed. • Pattern describes the measurement pattern over time of the time series data. • Source describes which system observed the outlier. A human or a network anomaly detection system. 11 Annotate Operation Data YANG Module module: ietf-symptom-semantic-metadata +--rw symptom +--rw id yang:uuid +--rw event-id yang:uuid +--rw description string +--rw start-timeyang:date-and-time +--rw end-time yang:date-and-time +--rw confidence-score float +--rw concern-score? float +--rw tags* [key] | +--rw key string | +--rw value string +--rw (pattern)? | +--:(drop) | | +--rw dropempty | +--:(spike) | | +--rw spike empty | +--:(mean-shift) | | +--rw mean-shift empty | +--:(seasonality-shift) | | +--rw seasonality-shift empty | +--:(trend) | | +--rw trend empty | +--:(other) | +--rw other string +--rw source +--rw (source-type) | +--:(human) | | +--rw human empty | +--:(algorithm) | +--rw algorithm empty +--rw name? string
module: ietf-incident-semantic-metadata +--rw incident +--rw id yang:uuid +--rw description string +--rw start-time yang:date-and-time +--rw end-time yang:date-and-time +--rw symptoms* [] | +--rw symptom | +--rw id yang:uuid | +--rw event-id yang:uuid <snip> +--rw source +--rw (type) | +--:(human) | | +--rw human empty | +--:(algorithm) | +--rw algorithm empty +--rw name? string 12 Annotate Analytical Data YANG Module • Incidents has a unique ID and description with a start and end time and a concern score. • Symptoms describe what changed in the network for what reason and cause with which concern score from when to when. • Source describes which system reported the outlier. A human or a network anomaly detection system.
13 IETF 118 Hackathon – Antagonist Labelling a Symptom in Grafana (1) Vertical dotted lines are the tagged symptoms. (2) Once the symptom is selected, the user can add all the details. Once the symptom is defined it gets submitted to Antagonist. 1 2
14 IETF 118 Hackathon - Antagonist Workflow Antagonist (Anomaly tagging on historical data) https://github.com/vriccobene/antagonist Incidents & Symptoms REST Telemetry Data is stored Symptom and Incident Data is visually annotated 2 Symptoms and Incidents are processed 3 Ground Truth is exposed through the YANG format 4 REST
Semantic Metadata Annotation for Network Anomaly Detection Next steps • This work relates to the data topic, specifically semantics and ontology for network management related artificial intelligence and machine learning previously discussed in NMRG meetings. • Do you realize the benefit of having standardized semantic metadata annotation for Network Anomaly Detection and how it helps network operators, vendor and academia to collaborate? • -> What are your thoughts and comments? • This document looks for a community and working group who have interest in Network Anomaly Detection, bridging network and data engineering, operator, vendors and academia, by writing the semantics and ontology of network symptoms for operational and analytical data. • This work will unveil what is missing in Network Telemetry data and provide input for other documents to enable a more detailed and holistic view from networks. thomas.graf@swisscom.com wanting.du@swisscom.com alex.huang-feng@insa-lyon.fr vincenzo.riccobene@huawei-partners.com antonio.roberto@huawei.com 04. November 2023 Transforms semantic referance Publishes and subscribes with semantic reference Apache Kafka Message Broker Timeseries DB YANG push receiver YANG push publisher Consolidates Messages Transforms semantics in ingestion specifications Network Analytics Uses network semantics to visualize and validate 15

Recommended

network-management Web base.ppt
network-management Web base.pptnetwork-management Web base.ppt
network-management Web base.ppt
AssadLeo1
 
Cloud data management
Cloud data managementCloud data management
Cloud data management
ambitlick
 
An Enhanced Technique for Network Traffic Classification with unknown Flow De...
An Enhanced Technique for Network Traffic Classification with unknown Flow De...An Enhanced Technique for Network Traffic Classification with unknown Flow De...
An Enhanced Technique for Network Traffic Classification with unknown Flow De...
IRJET Journal
 
Network visibility and control using industry standard sFlow telemetry
Network visibility and control using industry standard sFlow telemetryNetwork visibility and control using industry standard sFlow telemetry
Network visibility and control using industry standard sFlow telemetry
pphaal
 
Best practices for building network operations center
Best practices for building network operations centerBest practices for building network operations center
Best practices for building network operations center
Satish Chavan
 
SDN approach.pptx
SDN approach.pptxSDN approach.pptx
SDN approach.pptx
TrongMinhHoang1
 
FIOT_Uni4.pptx
FIOT_Uni4.pptxFIOT_Uni4.pptx
FIOT_Uni4.pptx
RishikeshPathak10
 
Automatic Analyzing System for Packet Testing and Fault Mapping
Automatic Analyzing System for Packet Testing and Fault MappingAutomatic Analyzing System for Packet Testing and Fault Mapping
Automatic Analyzing System for Packet Testing and Fault Mapping
IRJET Journal
 

Recommended

network-management Web base.ppt
network-management Web base.pptnetwork-management Web base.ppt
network-management Web base.ppt
AssadLeo1
 
Cloud data management
Cloud data managementCloud data management
Cloud data management
ambitlick
 
An Enhanced Technique for Network Traffic Classification with unknown Flow De...
An Enhanced Technique for Network Traffic Classification with unknown Flow De...An Enhanced Technique for Network Traffic Classification with unknown Flow De...
An Enhanced Technique for Network Traffic Classification with unknown Flow De...
IRJET Journal
 
Network visibility and control using industry standard sFlow telemetry
Network visibility and control using industry standard sFlow telemetryNetwork visibility and control using industry standard sFlow telemetry
Network visibility and control using industry standard sFlow telemetry
pphaal
 
Best practices for building network operations center
Best practices for building network operations centerBest practices for building network operations center
Best practices for building network operations center
Satish Chavan
 
SDN approach.pptx
SDN approach.pptxSDN approach.pptx
SDN approach.pptx
TrongMinhHoang1
 
FIOT_Uni4.pptx
FIOT_Uni4.pptxFIOT_Uni4.pptx
FIOT_Uni4.pptx
RishikeshPathak10
 
Automatic Analyzing System for Packet Testing and Fault Mapping
Automatic Analyzing System for Packet Testing and Fault MappingAutomatic Analyzing System for Packet Testing and Fault Mapping
Automatic Analyzing System for Packet Testing and Fault Mapping
IRJET Journal
 
A SCALABLE MONITORING SYSTEM FOR SOFTWARE DEFINED NETWORKS
A SCALABLE MONITORING SYSTEM FOR SOFTWARE DEFINED NETWORKSA SCALABLE MONITORING SYSTEM FOR SOFTWARE DEFINED NETWORKS
A SCALABLE MONITORING SYSTEM FOR SOFTWARE DEFINED NETWORKS
ijdpsjournal
 
Top 5 problems a NETWORK ANALYSIS TOOL will help you solve
Top 5 problems a NETWORK ANALYSIS TOOL will help you solveTop 5 problems a NETWORK ANALYSIS TOOL will help you solve
Top 5 problems a NETWORK ANALYSIS TOOL will help you solve
ManageEngine, Zoho Corporation
 
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
SBWebinars
 
Streaming real time data with Vibe Data Stream
Streaming real time data with Vibe Data StreamStreaming real time data with Vibe Data Stream
Streaming real time data with Vibe Data Stream
InformaticaMarketplace
 
Deploying Network Taps for Improved Security
Deploying Network Taps for Improved SecurityDeploying Network Taps for Improved Security
Deploying Network Taps for Improved Security
Datacomsystemsinc
 
Swisscom Network Analytics Data Mesh Architecture - ETH Viscon - 10-2022.pdf
Swisscom Network Analytics Data Mesh Architecture - ETH Viscon - 10-2022.pdfSwisscom Network Analytics Data Mesh Architecture - ETH Viscon - 10-2022.pdf
Swisscom Network Analytics Data Mesh Architecture - ETH Viscon - 10-2022.pdf
ThomasGraf40
 
fault localization in computer network..
fault localization in computer network..fault localization in computer network..
fault localization in computer network..
CDAC PUNE
 
10 Criteria for Evaluating NPB, Security Architect Edition
10 Criteria for Evaluating NPB, Security Architect Edition10 Criteria for Evaluating NPB, Security Architect Edition
10 Criteria for Evaluating NPB, Security Architect Edition
VSS Monitoring
 
JPD1423 A Probabilistic Misbehavior Detection Scheme toward Efficient Trust ...
JPD1423 A Probabilistic Misbehavior Detection Scheme toward Efficient Trust ...JPD1423 A Probabilistic Misbehavior Detection Scheme toward Efficient Trust ...
JPD1423 A Probabilistic Misbehavior Detection Scheme toward Efficient Trust ...
chennaijp
 
Internet ttraffic monitering anomalous behiviour detection
Internet ttraffic monitering anomalous behiviour detectionInternet ttraffic monitering anomalous behiviour detection
Internet ttraffic monitering anomalous behiviour detection
Gyan Prakash
 
A New Way of Identifying DOS Attack Using Multivariate Correlation Analysis
A New Way of Identifying DOS Attack Using Multivariate Correlation AnalysisA New Way of Identifying DOS Attack Using Multivariate Correlation Analysis
A New Way of Identifying DOS Attack Using Multivariate Correlation Analysis
ijceronline
 
5G-USA-Telemetry
5G-USA-Telemetry5G-USA-Telemetry
5G-USA-Telemetry
snrism
 
9Tuts.Com New CCNA 200-120 New CCNA New Questions 2
9Tuts.Com New CCNA 200-120 New CCNA New Questions 29Tuts.Com New CCNA 200-120 New CCNA New Questions 2
9Tuts.Com New CCNA 200-120 New CCNA New Questions 2
Lori Head
 
NetBrain-in-Action
NetBrain-in-ActionNetBrain-in-Action
NetBrain-in-Action
Ken Reiff
 
NETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTING
NETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTINGNETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTING
NETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTING
Nishanth Gandhidoss
 
Lumeta IPsonar Aligned to ITIL v3
Lumeta IPsonar Aligned to ITIL v3Lumeta IPsonar Aligned to ITIL v3
Lumeta IPsonar Aligned to ITIL v3
Open Access Systems Corporation
 
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A probabilistic-misbehavior-de...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A probabilistic-misbehavior-de...IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A probabilistic-misbehavior-de...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A probabilistic-misbehavior-de...
IEEEMEMTECHSTUDENTPROJECTS
 
Anomaly detection final
Anomaly detection finalAnomaly detection final
Anomaly detection final
Akshay Bansal
 
PacketsNeverLie
PacketsNeverLiePacketsNeverLie
PacketsNeverLie
Rick Kingsley
 
Network predictive analysis
Network predictive analysisNetwork predictive analysis
Network predictive analysis
Prabhakaran Palanisamy
 
BMP Peer Up Message Namespace
BMP Peer Up Message NamespaceBMP Peer Up Message Namespace
BMP Peer Up Message Namespace
ThomasGraf42
 
YANG push Integration into Apache Kafka
YANG push Integration into Apache KafkaYANG push Integration into Apache Kafka
YANG push Integration into Apache Kafka
ThomasGraf42
 

More Related Content

Similar to Semantic Metadata Annotation for Network Anomaly Detection

A SCALABLE MONITORING SYSTEM FOR SOFTWARE DEFINED NETWORKS
A SCALABLE MONITORING SYSTEM FOR SOFTWARE DEFINED NETWORKSA SCALABLE MONITORING SYSTEM FOR SOFTWARE DEFINED NETWORKS
A SCALABLE MONITORING SYSTEM FOR SOFTWARE DEFINED NETWORKS
ijdpsjournal
 
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
SBWebinars
 
5G-USA-Telemetry
5G-USA-Telemetry5G-USA-Telemetry
5G-USA-Telemetry
snrism
 
NetBrain-in-Action
NetBrain-in-ActionNetBrain-in-Action
NetBrain-in-Action
Ken Reiff
 
NETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTING
NETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTINGNETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTING
NETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTING
Nishanth Gandhidoss
 
Anomaly detection final
Anomaly detection finalAnomaly detection final
Anomaly detection final
Akshay Bansal
 

Similar to Semantic Metadata Annotation for Network Anomaly Detection (20)

A SCALABLE MONITORING SYSTEM FOR SOFTWARE DEFINED NETWORKS
A SCALABLE MONITORING SYSTEM FOR SOFTWARE DEFINED NETWORKSA SCALABLE MONITORING SYSTEM FOR SOFTWARE DEFINED NETWORKS
A SCALABLE MONITORING SYSTEM FOR SOFTWARE DEFINED NETWORKS
 
Top 5 problems a NETWORK ANALYSIS TOOL will help you solve
Top 5 problems a NETWORK ANALYSIS TOOL will help you solveTop 5 problems a NETWORK ANALYSIS TOOL will help you solve
Top 5 problems a NETWORK ANALYSIS TOOL will help you solve
 
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
 
Streaming real time data with Vibe Data Stream
Streaming real time data with Vibe Data StreamStreaming real time data with Vibe Data Stream
Streaming real time data with Vibe Data Stream
 
Deploying Network Taps for Improved Security
Deploying Network Taps for Improved SecurityDeploying Network Taps for Improved Security
Deploying Network Taps for Improved Security
 
Swisscom Network Analytics Data Mesh Architecture - ETH Viscon - 10-2022.pdf
Swisscom Network Analytics Data Mesh Architecture - ETH Viscon - 10-2022.pdfSwisscom Network Analytics Data Mesh Architecture - ETH Viscon - 10-2022.pdf
Swisscom Network Analytics Data Mesh Architecture - ETH Viscon - 10-2022.pdf
 
fault localization in computer network..
fault localization in computer network..fault localization in computer network..
fault localization in computer network..
 
10 Criteria for Evaluating NPB, Security Architect Edition
10 Criteria for Evaluating NPB, Security Architect Edition10 Criteria for Evaluating NPB, Security Architect Edition
10 Criteria for Evaluating NPB, Security Architect Edition
 
JPD1423 A Probabilistic Misbehavior Detection Scheme toward Efficient Trust ...
JPD1423 A Probabilistic Misbehavior Detection Scheme toward Efficient Trust ...JPD1423 A Probabilistic Misbehavior Detection Scheme toward Efficient Trust ...
JPD1423 A Probabilistic Misbehavior Detection Scheme toward Efficient Trust ...
 
Internet ttraffic monitering anomalous behiviour detection
Internet ttraffic monitering anomalous behiviour detectionInternet ttraffic monitering anomalous behiviour detection
Internet ttraffic monitering anomalous behiviour detection
 
A New Way of Identifying DOS Attack Using Multivariate Correlation Analysis
A New Way of Identifying DOS Attack Using Multivariate Correlation AnalysisA New Way of Identifying DOS Attack Using Multivariate Correlation Analysis
A New Way of Identifying DOS Attack Using Multivariate Correlation Analysis
 
5G-USA-Telemetry
5G-USA-Telemetry5G-USA-Telemetry
5G-USA-Telemetry
 
9Tuts.Com New CCNA 200-120 New CCNA New Questions 2
9Tuts.Com New CCNA 200-120 New CCNA New Questions 29Tuts.Com New CCNA 200-120 New CCNA New Questions 2
9Tuts.Com New CCNA 200-120 New CCNA New Questions 2
 
NetBrain-in-Action
NetBrain-in-ActionNetBrain-in-Action
NetBrain-in-Action
 
NETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTING
NETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTINGNETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTING
NETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTING
 
Lumeta IPsonar Aligned to ITIL v3
Lumeta IPsonar Aligned to ITIL v3Lumeta IPsonar Aligned to ITIL v3
Lumeta IPsonar Aligned to ITIL v3
 
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A probabilistic-misbehavior-de...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A probabilistic-misbehavior-de...IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A probabilistic-misbehavior-de...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A probabilistic-misbehavior-de...
 
Anomaly detection final
Anomaly detection finalAnomaly detection final
Anomaly detection final
 
PacketsNeverLie
PacketsNeverLiePacketsNeverLie
PacketsNeverLie
 
Network predictive analysis
Network predictive analysisNetwork predictive analysis
Network predictive analysis
 

More from ThomasGraf42

slides-117-opsawg-modeling-the-digital-map-based-on-rfc8345-sharing-experienc...
slides-117-opsawg-modeling-the-digital-map-based-on-rfc8345-sharing-experienc...slides-117-opsawg-modeling-the-digital-map-based-on-rfc8345-sharing-experienc...
slides-117-opsawg-modeling-the-digital-map-based-on-rfc8345-sharing-experienc...
ThomasGraf42
 
slides-117-opsawg-a-data-manifest-for-contextualized-telemetry-data-00.pdf
slides-117-opsawg-a-data-manifest-for-contextualized-telemetry-data-00.pdfslides-117-opsawg-a-data-manifest-for-contextualized-telemetry-data-00.pdf
slides-117-opsawg-a-data-manifest-for-contextualized-telemetry-data-00.pdf
ThomasGraf42
 
slides-117-grow-bmp-peer-up-message-namespace-00.pdf
slides-117-grow-bmp-peer-up-message-namespace-00.pdfslides-117-grow-bmp-peer-up-message-namespace-00.pdf
slides-117-grow-bmp-peer-up-message-namespace-00.pdf
ThomasGraf42
 
slides-117-anrw-sessb-daisy-practical-anomaly-detection-in-large-bgpmpls-and-...
slides-117-anrw-sessb-daisy-practical-anomaly-detection-in-large-bgpmpls-and-...slides-117-anrw-sessb-daisy-practical-anomaly-detection-in-large-bgpmpls-and-...
slides-117-anrw-sessb-daisy-practical-anomaly-detection-in-large-bgpmpls-and-...
ThomasGraf42
 

More from ThomasGraf42 (20)

BMP Peer Up Message Namespace
BMP Peer Up Message NamespaceBMP Peer Up Message Namespace
BMP Peer Up Message Namespace
 
YANG push Integration into Apache Kafka
YANG push Integration into Apache KafkaYANG push Integration into Apache Kafka
YANG push Integration into Apache Kafka
 
Support of Hostname and Sequencing in YANG Notifications
Support of Hostname and Sequencing in YANG NotificationsSupport of Hostname and Sequencing in YANG Notifications
Support of Hostname and Sequencing in YANG Notifications
 
UDP-based Transport for Configured Subscriptions
UDP-based Transport for Configured SubscriptionsUDP-based Transport for Configured Subscriptions
UDP-based Transport for Configured Subscriptions
 
Subscription to Distributed Notifications
Subscription to Distributed NotificationsSubscription to Distributed Notifications
Subscription to Distributed Notifications
 
YANG Grouping for UDP Clients and UDP Servers
YANG Grouping for UDP Clients and UDP ServersYANG Grouping for UDP Clients and UDP Servers
YANG Grouping for UDP Clients and UDP Servers
 
YANG model for NETCONF Event Notifications
YANG model for NETCONF Event NotificationsYANG model for NETCONF Event Notifications
YANG model for NETCONF Event Notifications
 
slides-117-nmrg-sessb-data-management-paradigms-data-fabric-and-data-mesh-00.pdf
slides-117-nmrg-sessb-data-management-paradigms-data-fabric-and-data-mesh-00.pdfslides-117-nmrg-sessb-data-management-paradigms-data-fabric-and-data-mesh-00.pdf
slides-117-nmrg-sessb-data-management-paradigms-data-fabric-and-data-mesh-00.pdf
 
slides-117-opsawg-modeling-the-digital-map-based-on-rfc8345-sharing-experienc...
slides-117-opsawg-modeling-the-digital-map-based-on-rfc8345-sharing-experienc...slides-117-opsawg-modeling-the-digital-map-based-on-rfc8345-sharing-experienc...
slides-117-opsawg-modeling-the-digital-map-based-on-rfc8345-sharing-experienc...
 
slides-117-opsawg-a-data-manifest-for-contextualized-telemetry-data-00.pdf
slides-117-opsawg-a-data-manifest-for-contextualized-telemetry-data-00.pdfslides-117-opsawg-a-data-manifest-for-contextualized-telemetry-data-00.pdf
slides-117-opsawg-a-data-manifest-for-contextualized-telemetry-data-00.pdf
 
slides-117-grow-grow-bmp-enhancements-to-frrouting-00.pdf
slides-117-grow-grow-bmp-enhancements-to-frrouting-00.pdfslides-117-grow-grow-bmp-enhancements-to-frrouting-00.pdf
slides-117-grow-grow-bmp-enhancements-to-frrouting-00.pdf
 
slides-117-grow-draft-francios-grow-bmp-loc-peer-00.pdf
slides-117-grow-draft-francios-grow-bmp-loc-peer-00.pdfslides-117-grow-draft-francios-grow-bmp-loc-peer-00.pdf
slides-117-grow-draft-francios-grow-bmp-loc-peer-00.pdf
 
slides-117-grow-bmp-peer-up-message-namespace-00.pdf
slides-117-grow-bmp-peer-up-message-namespace-00.pdfslides-117-grow-bmp-peer-up-message-namespace-00.pdf
slides-117-grow-bmp-peer-up-message-namespace-00.pdf
 
ietf117-netconf-yang-push-data-mesh-integration.pdf
ietf117-netconf-yang-push-data-mesh-integration.pdfietf117-netconf-yang-push-data-mesh-integration.pdf
ietf117-netconf-yang-push-data-mesh-integration.pdf
 
slides-117-anrw-sessb-daisy-practical-anomaly-detection-in-large-bgpmpls-and-...
slides-117-anrw-sessb-daisy-practical-anomaly-detection-in-large-bgpmpls-and-...slides-117-anrw-sessb-daisy-practical-anomaly-detection-in-large-bgpmpls-and-...
slides-117-anrw-sessb-daisy-practical-anomaly-detection-in-large-bgpmpls-and-...
 
BMP YANG Module
BMP YANG ModuleBMP YANG Module
BMP YANG Module
 
BMP Extension for Path Status TLV
BMP Extension for Path Status TLVBMP Extension for Path Status TLV
BMP Extension for Path Status TLV
 
TLV support for BMP Route Monitoring and Peer Down Messages
TLV support for BMP Route Monitoring and Peer Down MessagesTLV support for BMP Route Monitoring and Peer Down Messages
TLV support for BMP Route Monitoring and Peer Down Messages
 
BMP Loc-RIB: Peer address
BMP Loc-RIB: Peer addressBMP Loc-RIB: Peer address
BMP Loc-RIB: Peer address
 
UDP-based Transport for Configured Subscriptions
UDP-based Transport for Configured SubscriptionsUDP-based Transport for Configured Subscriptions
UDP-based Transport for Configured Subscriptions
 

Recently uploaded

哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
kumargunjan9515
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
ydyuyu
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
Monica Sydney
 

Recently uploaded (20)

APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 

Semantic Metadata Annotation for Network Anomaly Detection

  • 1. Semantic Metadata Annotation for Network Anomaly Detection draft-netana-opsawg-nmrg-network-anomaly-semantics-01 Helps to test, validate and compare outlier detection, supports supervised and semi-supervised machine learning development, enables data exchange among network operators, vendors and academia, and make anomalies for humans apprehensible 1 thomas.graf@swisscom.com wanting.du@swisscom.com alex.huang-feng@insa-lyon.fr vincenzo.riccobene@huawei-partners.com antonio.roberto@huawei.com 04. November 2023
  • 2. « Network operators connect customers in routing tables called VPN's » 2 Packet Segment Routing Connection Point Connection Point Logical Connection IPFIX YANG Push BMP IPFIX YANG Push BMP IPFIX YANG Push BMP Extended Community: RT:60633:1100001064 Standard Community: 64497:798 Prefixes: 64499:123:172.16.31.0/24, 64499:456:100.67.1.0/24 VRF Name: ABC Route Distinguisher: 0:64499:1 Standard Community: 64499:123 Prefixes: 172.16.31.0/24 VRF Name: DEF Route Distinguisher: 0:64499:2 Standard Community: 64499:456 Prefixes: 100.67.1.0/24 IPv4/6 Source: 172.16.31.1 Port Source: 23456 IP Protocol: TCP IP Type of Service: 192 IPv4/6 Destination: 100.67.1.2 Port Destination: 443 Ingress Logical Interface ID: 32 Ingress Physical Interface ID: 21 Ingress VRF ID: 0x100 Egress Logical Interface ID: 11 Egress Physical Interface ID: 43 Egress VRF ID: 0x16 Forwarding Status: FWD Unkown What to monitor Which operational metrics are collected Forwarding Plane Data Models How customers are using our network and services. Active and passive delay measurement Control Plane Data Models How networks are provisioned and redundancy adjusts to topology Management Plane Data Models How logical and physical network devices are connected with each other and carry load Network Connectivity Service Service Models Translates between what customers wishes and intend which should be fulfilled « Network Telemetry (RFC 9232) describes how to collect data from all 3 network planes efficiently »
  • 3. « Customers are always connected, when VPN's changing, regardless due to operational or configurational reasons, network operators are late to react due to missing visibility and automation » 3 Why to automate monitoring Recognize network incidents faster than humans can
  • 4. 4 Network Data Collection Network Device Trend Detection Verify, Troubleshoot and Notify Closed Loop Operation Network Anomaly Detection Network Visualization Network SLI and SLO Service Owner Platform Owner Operation Data Products Governed by Network Telemetry RFC 9232 Analytical Data Products Governed by Network Operator Data Product Owner Data Product Owner How to organize and collaborate with data The Data Mesh Architecture enables Network Analytics use
  • 5. 5 NetworkAnomaly Detection For VPNs, Network Anomaly Detection constantly monitors and detects any network or device topology changes, along with their associated forwarding consequences for customers as outliers. Notifications are sent to the Network Operation Center before the customer is aware of service disruptions. It offers operational metrics for in-depth analysis, allowing to understand on which platform the problem originates and facilitates problem resolution. Answers What changed and when, on which connectivity service, and how does it impact the customers? Focuses Provides meaningful connectivity service impact information before customer is aware of and support in root-cause analysis. Data Mesh Consumes operational real-time Forwarding Plane, Control Plane and Management Plane metrics and produces analytical alerts. Direction From connectivity service to network platform. What does Network Anomaly Detection mean Monitor changes
  • 6. 6 « A more detailing paper will be submitted soon to IEEE Transactions on Network and Service Management» Presented in ANRW 2023 At IETF 117 San Francisco
  • 7. 7 From network incidents postmortems we network operators learn and improve so does network anomaly detection and supervised and semi-supervised machine learning. The more network incidents are observed, the more we can improve. With more incidents the postmortem process needs be automated, let's get organized first by defining human and machine-readable metadata semantics and annotate operational and analytical data. Let's get further organized by exchanging standardized labeled network incident data among network operators, vendors and academia to collaborate on academic research. « The community working on Network Anomaly Detection is probably the only group wishing for more network incidents » What our motivation is Automate learn and improve
  • 8. 8 Action: Which action the network node performed for a packet in the forwarding plane, a path or adjacency in the control plane or state or statistical changes in the management plane. Reason: For each reason one or more actions describing why this action was used. From drop unreachable, administered, and corrupt in forwarding plane, to reachability withdraw and adjacency teared down in control plane, to Interface down, errors or discard in management plane. Cause: For each reason one or more causes describes why the action was chosen. From missing next-hop and link-layer information in forwarding plane, to reachability withdrawn due to peer down or path no longer redistributed. « Symptoms are categorized in which plane they have been observed, their action, reason and cause » What is a symptom and how to categorize them From action to reason to cause
  • 9. 9 Network Operators: Do you agree that today’s actions; traffic is dropped, path is withdrawn and interface down, are always exposed through Network Telemetry. But reasons and causes, dropped due to unreachable next-hop, withdrawn due to peer down, interface down due to missing signal, are rarely exposed to telemetry would be most interesting? Network Vendors: Is the assumption correct that a when network service process, routing process and withdrawing a path occur, most of the time the vendor knows why it acts that way, and could potential make this reason and cause information available? Academia: Would it help if network operators would provide well defined labeled operational and analytical data to enable and validate their research? Everybody: Should these symptoms be clearly described and standardized for a common terminology so that operators, researchers and anomaly detection systems alike understand their meaning and learn and act accordingly? Questions to the audience Do you care?
  • 10. 10 Global outliers: An outlier is considered "global" if its behavior is outside the entirety of the considered data set. Contextual outliers: An outlier is considered "contextual" if its behavior is within a normal (expected) range, but it would not be expected based on some context. Context can be defined as a function of multiple parameters, such as time, location, etc. Collective outliers: An outlier is considered "collective" if the behavior of each single data point that are part of the anomaly are within expected ranges (so they are not anomalous, it’s either a contextual or a global sense), but the group taking all the data points together, is. « Collective outliers are important because networks are connected. Through different planes interconnected symptoms from various angles can be observed » Outliers in Anomaly Detection From global to contextual to collective
  • 11. • Symptoms describe what changed in the network for what reason and cause with which concern score from when to when. • Tags describes in which network plane, which action, reason and cause was observed. • Pattern describes the measurement pattern over time of the time series data. • Source describes which system observed the outlier. A human or a network anomaly detection system. 11 Annotate Operation Data YANG Module module: ietf-symptom-semantic-metadata +--rw symptom +--rw id yang:uuid +--rw event-id yang:uuid +--rw description string +--rw start-timeyang:date-and-time +--rw end-time yang:date-and-time +--rw confidence-score float +--rw concern-score? float +--rw tags* [key] | +--rw key string | +--rw value string +--rw (pattern)? | +--:(drop) | | +--rw dropempty | +--:(spike) | | +--rw spike empty | +--:(mean-shift) | | +--rw mean-shift empty | +--:(seasonality-shift) | | +--rw seasonality-shift empty | +--:(trend) | | +--rw trend empty | +--:(other) | +--rw other string +--rw source +--rw (source-type) | +--:(human) | | +--rw human empty | +--:(algorithm) | +--rw algorithm empty +--rw name? string
  • 12. module: ietf-incident-semantic-metadata +--rw incident +--rw id yang:uuid +--rw description string +--rw start-time yang:date-and-time +--rw end-time yang:date-and-time +--rw symptoms* [] | +--rw symptom | +--rw id yang:uuid | +--rw event-id yang:uuid <snip> +--rw source +--rw (type) | +--:(human) | | +--rw human empty | +--:(algorithm) | +--rw algorithm empty +--rw name? string 12 Annotate Analytical Data YANG Module • Incidents has a unique ID and description with a start and end time and a concern score. • Symptoms describe what changed in the network for what reason and cause with which concern score from when to when. • Source describes which system reported the outlier. A human or a network anomaly detection system.
  • 13. 13 IETF 118 Hackathon – Antagonist Labelling a Symptom in Grafana (1) Vertical dotted lines are the tagged symptoms. (2) Once the symptom is selected, the user can add all the details. Once the symptom is defined it gets submitted to Antagonist. 1 2
  • 14. 14 IETF 118 Hackathon - Antagonist Workflow Antagonist (Anomaly tagging on historical data) https://github.com/vriccobene/antagonist Incidents & Symptoms REST Telemetry Data is stored Symptom and Incident Data is visually annotated 2 Symptoms and Incidents are processed 3 Ground Truth is exposed through the YANG format 4 REST
  • 15. Semantic Metadata Annotation for Network Anomaly Detection Next steps • This work relates to the data topic, specifically semantics and ontology for network management related artificial intelligence and machine learning previously discussed in NMRG meetings. • Do you realize the benefit of having standardized semantic metadata annotation for Network Anomaly Detection and how it helps network operators, vendor and academia to collaborate? • -> What are your thoughts and comments? • This document looks for a community and working group who have interest in Network Anomaly Detection, bridging network and data engineering, operator, vendors and academia, by writing the semantics and ontology of network symptoms for operational and analytical data. • This work will unveil what is missing in Network Telemetry data and provide input for other documents to enable a more detailed and holistic view from networks. thomas.graf@swisscom.com wanting.du@swisscom.com alex.huang-feng@insa-lyon.fr vincenzo.riccobene@huawei-partners.com antonio.roberto@huawei.com 04. November 2023 Transforms semantic referance Publishes and subscribes with semantic reference Apache Kafka Message Broker Timeseries DB YANG push receiver YANG push publisher Consolidates Messages Transforms semantics in ingestion specifications Network Analytics Uses network semantics to visualize and validate 15