Robust control tools for traffic monitoring in TCP/AQM networks

Several studies have considered control theory tools for traffic control in communication networks, as for example the congestion control issue in IP (Internet Protocol) routers. In this paper, we propose to design a linear observer for time-delay systems to address the traffic monitoring issue in TCP/AQM (Transmission Control Protocol/Active Queue Management) networks. Due to several propagation delays and the queueing delay, the set TCP/AQM is modeled as a multiple delayed system of a particular form. Hence, appropriate robust control tools as quadratic separation are adopted to construct a delay dependent observer for TCP flows estimation. Note that, the developed mechanism enables also the anomaly detection issue for a class of DoS (Denial of Service) attacks. At last, simulations via the network simulator NS-2 and an emulation experiment validate the proposed methodology. 1 Motivations and Contributions Internet is becoming the major communication network. It allows an increasing number of activities, ranging from web browsing, file exchanges to on-line games or IP telephony. Because of its increasing popularity, traffic monitoring tools have to be embedded into the network to supervise communications to ensure QoS (Quality of Service) or even to avoid security breaches. Two techniques can be used: Active monitoring [21] consists of generating probes into the network, and then to observe the impact of network components and protocols on traffic: loss rate, delays, RTT (Round Trip Time), capacity... However, since an additional traffic (probes) is injected into the network, the major drawback is the disturbance induced by such traffic (it inevitably affects the current traffic). Intrusiveness of probe traffic is thus one of the key features which active monitoring tools have to care about. Secondly, passive monitoring [3] refers to network measurements with appropriate devices located at some relevant point in the network. Passive monitoring is performed on the capture of traffic and off-line estimate networks features. It provides a non intrusive method but not enough reactive. Université de Toulouse; UPS, 118 Route de Narbonne, F-31062 Toulouse, France. LAAS; CNRS; 7, avenue du Colonel Roche, F-31077 Toulouse, France. [email protected] ha l-0 03 57 76 1, v er si on 1 2 Fe b 20 09 Regarding the security problems, network anomalies typically refer to circumstances when network operations deviate from the expected behavior. Network anomalies can be roughly classified into two categories. The first category is related to network failures and performance problems (like file server failures, broadcast storms, etc...). The second major category of network anomalies is security-related problems (like DoS or DDoS detections) in detecting active security threats. A variety of tools for anomaly detection are mainly based on data packet signatures (i.e. specific formats of packages, packet headers) and the use of statistical profiles of the traffic. The natural variability of the traffic [19] produces important fluctuations of these measurements, inducing thus several false positives (false alarms) and false negatives (missed detections). Some studies have taken into account a richer form of the statistical structure of the traffic (correlation, spectral density ...) to design IDS or ADS (Intrusion or Anomaly Detection System) [9], [14]. In this paper, we propose to address the traffic monitoring issue in networks with the design of an observer. First, a dynamical model which describes the TCP flow rates behavior as well as a class of anomalies is introduced. Then, robust control tools, especially quadratic separation, are used to derive a convergence condition for the time delay observer. Basically, the observer, embedded at a router, uses the queue length measurement of the buffer to reconstruct the whole state composed of flow rates. However, this latter being related to the linearized model of TCP, traffic has to be regulated around an equilibrium point to ensure the validity of the observer model and a congestion control mechanism (as AQM, Active Queue Management) is thus required. Next, the model is extended in order to detect a class of anomalies from the second category (attacks). Note that the proposed methodology allows on-line and non-intrusive monitoring (as active monitoring but without injecting probes into the network). Even if our study focuses on specific and static networks as explained in the next section, it shows encouraging results. The paper is organized as follows. The problem statement introducing the model of a network supporting TCP and the AQM congestion control is presented in the second section. Then, the third part is dedicated to the design of an observer for the estimation of data flow rates as well as anomaly detection. The fourth section shows an illustrative example of the proposed theory using NS-2 simulations and emulations. Finally, the fifth section concludes the paper and proposes future works. 2 NETWORK DYNAMICS 2.1 Fluid-flow model of TCP This section is devoted to the introduction of the network model that describes the traffic behavior. In this paper, we consider networks consisting of a single router and N heterogeneous TCP sources. By heterogeneous, we mean that each source is linked to the router with different propagation times (see Figure 1). Since the bottleneck is shared by N flows, TCP applies the congestion avoidance algorithm to avoid the network saturation [11]. Following the AIMD (Additive-Increase Multiplicative-Decrease) mechanism, the congestion window of TCP sources varies according to the network load state (packet losses and delays). Hence, various deterministic fluid-flow models have been developed ha l-0 03 57 76 1, v er si on 1 2 Fe b 20 09 Figure 1: Network topology Figure 2: A single connection (see [15], [17] and [23] and references therein) to describe the behavior of the transmission protocol. While many studies dealing with network control in the automatic control theory framework consider the model proposed by [17], we use a more accurate one, introduced in [15] and described by (1) which takes into account the forward and backward delays. The model and notations are as follow:    Ẇi(t) = Wi(t−τi) τi(t−τi) (1− pi(t− τ b i )) 1 Wi(t) − Wi(t−τi) τi(t−τi) Wi 2 pi(t− τ b i ), ḃ(t) = −c+ ∑N i=1 ηi Wi(t−τ f i ) τi(t−τ f i ) , τi = b(t) c + Tpi = τ f i + τ b i , (1) whereWi(t) is the congestion window size of the source i, b(t) is the queue length of the buffer at the router, τi is the RTT perceived by the source i. This latter quantity can be decomposed as the sum of the forward and backward delays (τ i and τ i ), standing for, respectively, the trip time from the source i to the router (the one way) and from the router to the source via the receiver (the return) ha l-0 03 57 76 1, v er si on 1 2 Fe b 20 09 (see Figure 2). c, Tpi and N are parameters related to the network configuration and represent, respectively, the link capacity, the propagation time of the path taken by the connection i and the number of TCP sources. ηi is the number of sessions established by source i. The signal pi(t) corresponds to the dropping probability of a packet at the router buffer. Note that the network variables mentionned above in model (1) are considered as mean values [15] (for instance, Wi(t) represents actually the average congestion window size). In this paper, the objective is to develop a method which computes, at the router and during congestion, an estimation of the different flow rates passing through it. The congestion window Wi does not provide a relevant index of the traffic intensity since it only refers to the amount of data sent by the source at a given instant. Consequently, additional frequent measures of the corresponding RTT are required. Hence, we propose to reformulate the model (1) such that the state vector is expressed in terms of aggregate flows instead of congestion windows. To this end, rates of each flow xi, expressed as xi(t) = Wi(t) τi(t) , will be considered. The dynamic of this new quantity becomes of the form ẋi(t) = d dt ( Wi(t) τi(t) ) = Ẇi(t)−xi(t)τ̇i(t) τi(t) . Based on the expressions of Ẇ (t), ḃ(t), τi(t) (see equation (1)) and τ̇(t) = ḃ(t) c , a new model of the TCP behavior is derived    ẋi(t) = xi(t−τ) xi(t)τ(t) (1 − p(t− τ))− xi(t−τ)xi(t) 2 p(t− τ ) + xi(t) τ(t) − xi(t) τ(t)c ∑ i ηixi(t− τ f i ) ḃ(t) = −c+ ∑N i=1 ηixi(t− τ f i ) . (2) 2.2 AQM for congestion control To achieve high efficiency and high reliability of communications in computer networks, many investigations have been done regarding the congestion control issue. Since the congestion window size of the transmission protocol depends on packet losses (specified by pi(t)), a proposal was to use this feature in order to control the source sending rates. Hence, a mechanism, called AQM (Active Queue Management, see Figure 3), has been developed to provoke losses avoiding then severe congestion, buffer overflow, timeout... This strategy allows the regulation of TCP flows with an implicit control (or explicit if the ECN, Explicit Congestion Notification, protocol is enabled). Various AQM have been proposed in the literature such as Random Early Detection (RED) [6], Random Early Marking (REM) [1], Adaptive Virtual Queue (AVQ) [23] and many others [22]. Their performances have been evaluated in [22] and empirical studies have shown their effectiveness. Recently, significant studies initiated by [8] have redesigned AQMs using control theory and P , PI have been developed in order to cope with the packet dropping problem. Then, using dynamical model developed by [17], many researches have been devoted to deal with congestion problem in a control theory framework (for examples see [13], [12], [24] and references therein). So, AQM supports TCP for congestion control and regulates the queue length of the buffer as well as flow rates around an equilibrium point [13], [12], [8]. An efficient control allows thus to approximate the TCP dynamics (2) as a linear model (4) around an equilibrium point (3). Our work focuses on traffic monitoring at a router with a static topology (N and ηi are constant). Moreover, for the mathematical tractability, we make the usual assumption [15], [8], [12] ha l-0 03 57 76 1, v er si on 1 2 Fe b 20 09 Figure 3: Implementation of an AQM that all delays (τi, τ f i and τ b i ) are time invariant when they appear as arguments of variables (for example xi(t − τi(t)) ≡ xi(t − τi)). This latter assumption is valid as long as the queue length remains close to its equilibrium value and when the queueing delay is smaller than propagation delays. Defining an equilibrium point    τi0 = Tp + b0/c ḃ(t) = 0 ⇒ ∑N i=1 ηixi0 = c ẋi(t) = 0 ⇒ pi0 = 2 2+(xi0τi0 ) 2 , (3) model (2) can be linearized to obtain: