Published March 18, 2021 | Version v1
Journal article Open

Unsupervised packet-based anomaly detection in virtual networks

  • 1. Polizeiakademie Niedersachsen
  • 2. FernUniversität in Hagen

Description

The enormous number of network packets transferred in modern networks, together with the high speed of transmission, hampers the implementation of effective IT security mechanisms. In addition, virtual networks create highly dynamic and flexible environments which differ widely from the well-known infrastructures of the past decade. Network forensic investigation that aims at the detection of covert channels, malware usage or anomalies is faced with new problems and is thus a time-consuming, error-prone and complex process. Machine learning provides advanced techniques to perform this work faster, more precisely and with fewer errors. Depending on the learning technique, algorithms require almost no human interaction to detect relevant events in the transferred network packets. Current algorithms work well in static environments, but the highly dynamic environments of virtual networks generate additional events which might confuse anomaly detection algorithms. This paper analyzes highly flexible networks, their inherent on-demand changes such as the migration of virtual machines, SDN programmability or user customization, and the resulting effect on the detection rate of anomalies in the environment. Our research shows the need for adapted pre-processing of the network data and improved cooperation between IT security and IT administration departments.

Files

1-s2.0-S1389128621001286-main.pdf (2.0 MB, md5:ba419af95a46a2ae51f0a746c37c90c7)

Additional details

Funding

SIMARGL – Secure Intelligent Methods for Advanced RecoGnition of malware and stegomalware (grant 833042), European Commission