TMAS: A Traffic Monitoring Analytics System Leveraging Machine Learning

2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM) (2019)

Abstract
Content Delivery Networks (CDNs) provide high quality of service by storing content in edge-servers close to users. Attacks against CDN edge-servers can lead to loss in revenue and reputation. Attacks are becoming more sophisticated, and new attacks are being introduced constantly. In our previous work, we developed a security orchestration system driven by high-level security policies to dynamically deploy mitigation services. In this system, security policies are triggered at the occurrence of low-level alerts that correspond to misuse of an edge-server's resources. However, a network operator must know the effects of any attack on resources to deploy an appropriate mitigation service. Moreover, pin-pointing the actual cause (e.g., malicious IPs) of resource misuse is challenging. Also, an edge-server's resources may not be affected by some attacks. Leveraging advanced machine learning techniques, we extend our system to detect new and sophisticated attacks. The goal is to enable the network operator to specify higher-level security policies without worrying about analyzing low-level resource usage alerts. Further, policy enforcement can trigger the deployment of mitigation services only for malicious entities identified by the alerts. In this perspective, we propose a Hybrid Classification Clustering (HCC) method that not only detects known sophisticated attacks accurately (with 99.9% detection recall) but is capable of detecting new attacks (with 56.4% detection recall). Further, to improve the detection rate of new attacks and anomalies, we propose an Autoencoder-based Network Anomaly Detection (ANAD) method using a fully-connected autoencoder model. The evaluation results show that our model achieves 76.7% recall, surpassing the isolation forest and the local outlier factor methods.
Keywords
attacks, machine learning, hybrid, anomaly detection, autoencoder