Semantic Metadata Annotation for Network Anomaly Detection

provides an overall introduction into how anomaly detection is being applied into the IP network domain and which operational data is needed. It approaches the problem space by automating what a Network Engineer would normally do when verifying a network connectivity service. Monitor from different network plane perspectives to understand wherever one network plane affects another negatively. In order to fine tune outlier detection as described in , the results provided as analytical data need to be reviewed by a Network Engineer. Keeping the human out of the monitoring but still involving him in the alert verification loop. This document describes what information is needed to understand the output of the outlier detection for a Network Engineer, but also at the same time is semantically structured that it can be used for outlier detection testing by comparing the results systematically and set a baseline for supervised machine learning which requires labeled operational data.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

This document defines the following terms: Message Broker: is an intermediary software component that translates messages from the formal messaging protocol of the sender to the formal messaging protocol of the receiver routed in topics. Message brokers are elements in Data Mesh where software applications communicate by exchanging formally-defined messages. Stream Catalog: provides a single point of access that allows users to centrally search semantics for information across a Message Broker. Additionally it makes use of the terms defined in and . The following terms are used as defined in : Outlier The following terms are used as defined in : System Detect Event State Relevance Occurrence Problem Symptom Cause Alert

In this section observed network symptoms are specified and categorized according to the following scheme:

Action:: Which action the network node performed for a packet in the Forwarding Plane, a path or adjacency in the Control Plane or state or statistical changes in the Management Plane. For Forwarding Plane we distinguish between missing, where the drop occurred outside the measured network node, drop and on-path delay, which was measured on the network node. For Control Plane we distinguish between reachability, which refers to a change in the routing or forwarding information base (RIB/FIB) and adjacency which refers to a change in peering or link-layer resolution. For Management Plane we refer to state or statistical changes on interfaces.

Reason:: For each action, one or more reasons describe why this action was used. For Drops in Forwarding Plane we distinguish between Unreachable because network layer reachability information was missing, Administered because an administrator configured a rule preventing the forwarding for this packet and Corrupt where the network node was unable to determine where to forward to due to packet, software or hardware error. For on-path delay we distinguish between Minimum, Average and Maximum Delay for a given flow. For Control Plane wherever a the reachability was updated or withdrawn or the adjacency was established or teared down. For Management Plane we distinguish between interfaces states up and down, and statistical errors, discards or unknown protocol counters.

Cause:: For each reason one or more cause describe the cause why the network node has chosen that action.

consolidates for the forwarding plane a list of common symptoms with their Actions, Reasons and Causes. Describing Symptoms and their Actions, Reason and Cause for Forwarding Plane

Action	Reason	Cause
Missing	Previous	Time
Drop	Unreachable	next-hop
Drop	Unreachable	link-layer
Drop	Unreachable	Time To Life expired
Drop	Unreachable	Fragmentation needed and Don't Fragment set
Drop	Administered	Access-List
Drop	Administered	Unicast Reverse Path Forwarding
Drop	Administered	Discard Route
Drop	Administered	Policed
Drop	Administered	Shaped
Drop	Corrupt	Bad Packet
Drop	Corrupt	Bad Egress Interface
Delay	Min	-
Delay	Mean	-
Delay	Max	-

consolidates for the control plane a list of common symptoms with their actions, reasons and causess. Describing Symptoms and their Actions, Reason and Cause for Control Plane

Action	Reason	Cause
Reachability	Update	Imported
Reachability	Update	Received
Reachability	Withdraw	Received
Reachability	Withdraw	Peer Down
Reachability	Withdraw	Suppressed
Reachability	Withdraw	Stale
Reachability	Withdraw	Route Policy Filtered
Reachability	Withdraw	Maximum Number of Prefixes Reached
Adjacency	Established	Peer
Adjacency	Established	Link-Layer
Adjacency	Locally Teared Down	Peer
Adjacency	Remotely Teared Down	Peer
Adjacency	Locally Teared Down	Link-Layer
Adjacency	Remotely Teared Down	Link-Layer
Adjacency	Locally Teared Down	Administrative
Adjacency	Remotely Teared Down	Administrative
Adjacency	Locally Teared Down	Maximum Number of Prefixes Reached
Adjacency	Remotely Teared Down	Maximum Number of Prefixes Reached
Adjacency	Locally Teared Down	Transport Connection Failed
Adjacency	Remotely Teared Down	Transport Connection Failed

consolidates for the management plane a list of common symptoms with their Actions, Reasons and Causes. Describing Symptoms and their Actions, Reason and Cause for Management Plane

Action	Reason	Cause
Interface	Up	Link-Layer
Interface	Down	Link-Layer
Interface	Errors	-
Interface	Discards	-
Interface	Unknown Protocol	-

Metadata adds additional context to data. For instance, in networks the software version of a network node where Management Plane metrics are obtained from as described in. Where in Semantic Metadata the meaning or ontology of the annotated data is being described. In this section a YANG model is defined in order to provide a structure for the metadata related to anomalies happening in the network. The module is intended to describe the metadata used to "annotate" the operational data collected from the network nodes, which can include time series data and logs, as well as other forms of data that is "time-bounded". The aspects discussed so far in this document are grouped under the concept of "anomaly" which represents a collection of symptoms. The anomaly overall has a set of parameters that describe the overall behavior of the network in a given time-window including all the spotted symptoms (network anomalies).

contains the YANG tree diagram of the which augments the defined ietf-interfaces and the . For each symptom, the following parameters have been assigned: A unique ID for identification, a description of the symptom, a list of affected metrics or counters, start and end time to specify the time-window, a confident score indicating how accurate the symptom was detected, a concern score indicating how critical the symptom is, the annotator indicating if it has been identified by a network expert or an algorithm, the tags with key value where Action, Reason and Cause can be annotated as described in previous section.

file "ietf-interfaces-with-symptoms@2024-06-29.yang" module ietf-interfaces-with-symptoms { yang-version 1.1; namespace "http://example.org/example-ietf-interfaces-with-symptoms"; prefix "ifws"; import ietf-symptom-semantic-metadata { prefix "sm"; } import ietf-interfaces { prefix "if"; } revision 2024-06-29 { description "Initial version"; reference "Example: Symptoms Annotated IETF Interface"; } augment "/if:interfaces/if:interface" { description "Augment interfaces with symptoms"; uses sm:symptom-group; } augment "/if:interfaces-state/if:interface" { description "Augment interfaces with symptoms"; uses sm:symptom-group; } } ]]>



      
        The YANG module has one typdef defining the score and a grouping
        which can be augmented.

        
             file "ietf-symptom-semantic-metadata@2024-06-29.yang"
module ietf-symptom-semantic-metadata {
    yang-version 1.1;
    namespace "urn:ietf:params:xml:ns:yang:ietf-symptom-semantic-metadata";
    prefix sm;

    import ietf-yang-types {
        prefix yang;
        reference
          "RFC 6991: Common YANG Data Types";
    }

  organization "IETF NMOP (Network Management Operations) Working Group";
  contact
    "WG Web:   
     WG List:  

     Authors:  Thomas Graf
               
               Wanting Du
               
               Alex Huang Feng
               
               Vincenzo Riccobene
               
               Antonio Roberto
               ";
    description
        "This module defines symptom objects to be used by a network
         anomaly detection system. The defined objects can be used to
         augment operational network collected observability data and 
         analytical problem data equally. Describing the observed
         symptoms, confidence and concern scores and outlier patterns.

         Copyright (c) 2023 IETF Trust and the persons identified as
         authors of the code.  All rights reserved.

         Redistribution and use in source and binary forms, with or
         without modification, is permitted pursuant to, and subject
         to the license terms contained in, the Revised BSD License
         set forth in Section 4.c of the IETF Trust's Legal Provisions
         Relating to IETF Documents
         (https://trustee.ietf.org/license-info).

         This version of this YANG module is part of RFC XXXX; see the RFC
         itself for full legal notices.";

    revision 2024-06-29 {
        description
          "Initial version";
        reference
          "RFC XXX: Semantic Metadata Annotation for Network Anomaly Detection";
    }

    typedef score {
      type uint8 {
        range "0 .. 1";
      }
    }

    grouping symptom-group {
        container symptom {
            leaf id {
                type yang:uuid;
                description
                    "Unique ID of the symptom type";
            }
            leaf event-id {
                type yang:uuid;
                description "Reference to the network event this symptom is part of";
            }
            leaf description {
                type string;
                description
                    "Textual description of the symptom";
            }
            leaf start-time {
                type yang:date-and-time;
                description
                    "Date and time indicating the beginning of the symptom";
            }
            leaf end-time {
                type yang:date-and-time;
                description
                    "Date and time indicating the end of the symptom";
            }
            leaf confidence-score {
                type score;
            }
            leaf concern-score {
                type score;
            }
            list tags {
                key "key";
                leaf key {
                    type "string";
                    mandatory "true";
                }
                leaf value {
                    type "string";
                    mandatory "true";
                }
            }
            choice pattern {
                mandatory "false";
                description
                    "Network Plane affected by the symptom";
                case drop {
                    leaf drop {
                        mandatory "true";
                        type empty;
                    }
                }
                case spike {
                    leaf spike {
                        mandatory "true";
                        type empty;
                    }
                }
                case mean-shift {
                    leaf mean-shift {
                        mandatory "true";
                        type empty;
                    }
                }
                case seasonality-shift {
                    leaf seasonality-shift {
                        mandatory "true";
                        type empty;
                    }
                }
                case trend {
                    leaf trend {
                        mandatory "true";
                        type empty;
                    }
                }
                case other {
                    leaf other {
                        type string;
                        mandatory "true";
                        description "specify the type";
                    }
                }
            }
            container annotator {
                choice annotator-type {
                    mandatory "true";
                    case human {
                        leaf human {
                            mandatory "true";
                            type empty;
                        }
                    }
                    case algorithm {
                        leaf algorithm {
                            mandatory "true";
                            type empty;
                        }
                    }
                }
                leaf name {
                    mandatory "false";
                    type string;
                }   
            }
        }
    }
}
]]>



    
      The security considerations.
    

    
      This section provides pointers to existing open source
      implementations of this draft. Note to the RFC-editor: Please remove
      this before publishing.

      
        A tool called Antagonist has been implemented during the IETF 119
        Hackathon, in order to validate the application of the YANG models
        defined in this draft. Antagonist provides visual support for two
        important use cases in the scope of this document: 
            the generation of a ground truth in relation to symptoms and
            problems in timeseries data

            the visual validation of results produced by automated network
            anomaly detection tools.
          
 The open source code can be found here: 
      
    

    
      The authors would like to thank xxx for their review and valuable
      comments.