Anomaly Detection | Rewinding Network Events to Detect Anomalies

John Huang
Posted on Dec 23, 2015 5:00:00 AM

My earlier blog entry on the idea of a Network DVR made me think of a conversation with a friend who remarked, “Why can't real life be like Tivo?” He wasn’t asking to rewind and relive his childhood again. Rather, he was fantasizing about a magic machine that could look through his life and pick out the most interesting events and record them automatically. Facebook’s Timeline feature attempts to do this, but it’s still dependent on you manually adding all your life’s notable content to their website. Wouldn’t it be nice if such a machine existed?


This capability might not exist for the real world, but it does exist in the network world. You see, the Avi Vantage Platform has an analytics engine that not only records all your transactions, but scans through them at all times to spot ‘interesting events’ such as traffic anomalies, DoS attacks, and critical system events. An icon is added to the timeline graph, so going back and analyzing the event is simple. The anomaly detection algorithm looks at traffic over a period of time, so it knows what is normal for a Tuesday at 3PM versus, say, a Thursday at 1AM. If your organization kicks off scheduled backups nightly at 1AM, this won’t trigger the anomaly algorithm.
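To make the time-of-week idea concrete, here is an added sketch that is not Avi Vantage's algorithm or code: it assumes a simple median/MAD baseline kept per (weekday, hour) slot, and all traffic figures are constructed sample data. The same 5000 requests/hour is normal during the 1AM backup but flagged at 3AM or 3PM.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def build_baseline(samples):
    """Map each (weekday, hour) slot to (median, MAD) of its historical values."""
    buckets = defaultdict(list)
    for ts, value in samples:
        buckets[(ts.weekday(), ts.hour)].append(value)
    baseline = {}
    for slot, values in buckets.items():
        med = median(values)
        baseline[slot] = (med, median(abs(v - med) for v in values))
    return baseline

def is_anomalous(baseline, ts, value, threshold=6.0, rel_floor=0.05):
    """Compare a new observation only against history for the same slot."""
    slot = (ts.weekday(), ts.hour)
    if slot not in baseline:
        return True  # no history for this slot: surface it for review
    med, mad = baseline[slot]
    # 1.4826 * MAD estimates the standard deviation; the floor keeps a very
    # steady slot from flagging on trivial jitter.
    spread = max(1.4826 * mad, rel_floor * med, 1.0)
    return abs(value - med) / spread > threshold

def constructed_history(weeks=4, start=datetime(2015, 11, 2)):  # a Monday
    """Constructed hourly request counts: quiet nights, busy days, 1AM backup."""
    samples = []
    for h in range(weeks * 7 * 24):
        ts = start + timedelta(hours=h)
        if ts.hour == 1:
            rate = 5000  # nightly scheduled backup
        elif 9 <= ts.hour < 18:
            rate = 3000  # business hours
        else:
            rate = 800
        samples.append((ts, rate + (h * 37) % 41 - 20))  # deterministic jitter
    return samples

if __name__ == "__main__":
    baseline = build_baseline(constructed_history())
    for label, ts in [("Thu 1AM", datetime(2015, 12, 3, 1)),
                      ("Thu 3AM", datetime(2015, 12, 3, 3)),
                      ("Tue 3PM", datetime(2015, 12, 1, 15))]:
        print(label, "5000 req/h ->", is_anomalous(baseline, ts, 5000))
```

A single static threshold low enough to catch the 3AM spike would also fire on every nightly backup, which is the false positive the per-slot baseline avoids.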



Another nice feature my friend adores on his Tivo is that he no longer needs to know what time and channel his shows air. Since you only need to tell the DVR the name of your favorite shows, it automatically finds the correct channel and time, and takes care of the rest for you. Avi's intelligent controller gives load balancing administrators a similar benefit. The need to remember which load balancer has which virtual server (VS) is a thing of the past. Just create a VS, and the Avi controller automatically distributes that VS to an available micro load balancer in the load balancing fabric.

Working with legacy load balancers in the past, I often encountered customers who meticulously managed a spreadsheet just to keep track of which VS lived on which pair of load balancers. Then came the task of logging in to each load balancer to pore through and keep track of the 10-20 tabs open in the browser. This generally starts occurring when organizations get beyond 3 pairs of load balancers and becomes mandatory when they have 20 or even 200 pairs. On the other hand, when an administrator logs in to the Avi Controller, a complete list of all virtual servers in their network is shown in one place and he/she can interact with them immediately. Making changes to or pulling up analytics for the VS is only a couple of clicks away. The days of managing that spreadsheet and keeping 10 load balancing tabs open are a thing of the past.

If you want to take a look at how this works, join us for our weekly “demonar” on Tuesdays at 11:00 am PST.


Topics: ADC, Network Anomalies, anomaly detection, DoS Attacks
