-
Notifications
You must be signed in to change notification settings - Fork 0
/
draft-ietf-nmop-network-anomaly-lifecycle-00.txt
1288 lines (923 loc) · 47.4 KB
/
draft-ietf-nmop-network-anomaly-lifecycle-00.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
NMOP V. Riccobene
Internet-Draft A. Roberto
Intended status: Experimental Huawei
Expires: 11 June 2025 T. Graf
W. Du
Swisscom
A. Huang Feng
INSA-Lyon
8 December 2024
An Experiment: Network Anomaly Lifecycle
draft-ietf-nmop-network-anomaly-lifecycle-00
Abstract
Network Anomaly Detection is the act of detecting problems in the
network. Accurately detect problems is very challenging for network
operators in production networks. Good results require a lot of
expertise and knowledge around both the implied network technologies
and the connectivity services provided to customers, apart from a
proper monitoring infrastructure. In order to facilitate network
anomaly detection, novel techniques are being introduced, including
programmatical, rule-based and AI-based, with the promise of
improving scalability and the hope to keep a high detection accuracy.
To guarantee acceptable results, the process needs to be properly
designed, adopting well-defined stages to accurately collect evidence
of anomalies, validate their relevancy and improve the detection
systems over time, iteratively.
This document describes a well-defined approach on managing the
lifecycle process of a network anomaly detection system, spanning
across the recording of its output and its iterative refinement, in
order to facilitate network engineers to interact with the network
anomaly detection system, enable the "human-in-the-loop" paradigm and
refine the detection abilities over time. The major contributions of
this document are: the definition of three key stages of the
lifecycle process, the definition of a state machine for each anomaly
annotation on the system and the definition of YANG data models
describing a comprehensive format for the anomaly labels, allowing a
well-structured exchange of those between all the interested actors.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Riccobene, et al. Expires 11 June 2025 [Page 1]
Internet-Draft network-anomaly-lifecycle December 2024
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 11 June 2025.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Discussion Venues . . . . . . . . . . . . . . . . . . . . . . 3
2. Status of this document . . . . . . . . . . . . . . . . . . . 3
3. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Defining Desired States . . . . . . . . . . . . . . . . . . . 5
6. Lifecycle of a Network Anomaly . . . . . . . . . . . . . . . 6
6.1. Network Anomaly Detection . . . . . . . . . . . . . . . . 7
6.2. Network Anomaly Validation . . . . . . . . . . . . . . . 8
6.3. Network Anomaly Refinement . . . . . . . . . . . . . . . 8
7. Introducing a Label Store for Network Anomaly labels . . . . 8
8. Network Anomaly State Machine . . . . . . . . . . . . . . . . 9
9. Network Anomaly Data Model . . . . . . . . . . . . . . . . . 10
9.1. Overview of the Data Model for the Relevant State and all
the related entities . . . . . . . . . . . . . . . . . . 10
10. Implementation status . . . . . . . . . . . . . . . . . . . . 20
10.1. Antagonist . . . . . . . . . . . . . . . . . . . . . . . 20
11. Security Considerations . . . . . . . . . . . . . . . . . . . 20
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 21
13. Normative References . . . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
Riccobene, et al. Expires 11 June 2025 [Page 2]
Internet-Draft network-anomaly-lifecycle December 2024
1. Discussion Venues
This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the Network Management and
Operations Area Working Group Working Group mailing list
([email protected]), which is archived at
https://mailarchive.ietf.org/arch/browse/nmop/.
Source for this draft and an issue tracker can be found at
https://github.com/network-analytics/draft-netana-nmop-network-
anomaly-lifecycle.
2. Status of this document
This document is experimental. The main goal of this document is to
propose an iterative lifecycle process to network anomaly detection
by proposing a data model for metadata to be addressed at different
lifecycle stages.
The experiment consists of verifying whether the approach is usable
in real use case scenarios to support proper refinement and
adjustments of network anomaly detection algorithms. The experiment
can be deemed successful if validated at least with an open-source
implementation successfully applied with real networks.
3. Introduction
In [I-D.ietf-nmop-terminology] a network anomaly is defined as "an
unusual or unexpected event or pattern in network data in the
forwarding plane, control plane, or management plane that deviates
from the normal, expected behavior".
A network problem is defined as "a state regarded as undesirable and
may require remedial action" (see [I-D.ietf-nmop-terminology]).
The main objective of a network anomaly detection system is to
identify Relevant States of the network (defined as states that have
relevancy for network operators, according to
[I-D.ietf-nmop-terminology] ), as those are states that could lead to
problems or might be clear indications of problem already happening.
It is still remarkably difficult to gain a full understanding and a
complete perspective of "if" and "how" a relevant state is actually
an indication of a problem or it is just unexpected, but has no
impact on services and end users. Providers of solutions for network
anomaly detection should aim at increasing accuracy, by minimizing
false positives and false negatives. Moreover, the behaviour of the
Riccobene, et al. Expires 11 June 2025 [Page 3]
Internet-Draft network-anomaly-lifecycle December 2024
network naturally changes over time, when more connectivity services
are deployed, more customers on-boarded, devices are upgraded or
replaced, and therefore it is almost impossible to identify anomaly
detection techniquest that can keep working accurately over time,
without changing the detection criterias (or methodologies) over
time.
This opens up to the necessity of further validating notified
relevant states to check if a detected symptom is actually impacting
connectivity services: this might require different actors (both
human and algorithmic) to act during the process and refine their
understanding across the network anomaly lifecycle.
Finally, once validation has happened, this might lead to refinements
to the logic that is used by the detection, so that this process can
improve the detection accuracy over time.
Performing network anomaly detection is a process that requires a
continuous learning and continuous improvement. Relevant states are
detected by aggregating and understanding Symptoms, then validated,
confirming that Symptoms actually impacted connectivity services
impacting and eventually need to be further analyzed by performing
postmortem analysis to identify any potential adjustment to improve
the detection capability. Each of these steps represents an
opportunity to learn and refine the process, and since
implementations of these steps might also be provided by different
parties and/or products, this document also contributes a formal data
model to capture and exchange Symptom information across the
lifecycle.
4. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document makes use of the terms defined in
[I-D.ietf-nmop-terminology].
* State
* Problem
* Event
* Alarm
Riccobene, et al. Expires 11 June 2025 [Page 4]
Internet-Draft network-anomaly-lifecycle December 2024
* Symptom
The following terms are used as defined in [RFC9417].
* Metric
* Intent
The following terms are defined in this document.
* Annotator: Is a human or an algorithm which produces metadata by
describing anomalies with Symptoms.
* False Positive: Is a detected anomaly which has been identified
during the postmortem to be not anomalous.
* False Negative: Is anomalous but has not been identified by the
anomaly detection system.
5. Defining Desired States
The above definitions of network problem provide the scope for what
to be looking for when detecting network anomalies. Concepts like
"desirable state" and "required state" are introduced. This poses
the attention on a significant problem that network operators have to
face: the definition of what is to be considered "desirable" or
"undesirable". It is not always easy to detect if a network is
operating in an undesired state at a given point in time. To
approach this, network operators can rely on different methodologies,
more or less deterministic and more or less sensitive: on the one
side, the definition of intents (including Service Level Objectives
and Service Level Agreements) which approaches the problem top-down;
on the other side, the definition of Symptoms, by mean of solutions
like SAIN [RFC9417], [RFC9418] and
[I-D.ietf-nmop-network-anomaly-architecture], which approaches the
problem bottom-up. At the center of these approaches, there are the
so-called Symptoms, explaining what is not working as expected in the
network, sometimes also providing hints towards issues and their
causes.
One of the more deterministic approaches is to rely on Symptoms based
on measurable service-based KPIs, for example, by using Service Level
Indicators, Objectives and Agreements ([RFC9543]). This is the case
when rules on SLOs and SLIs are manually defined once and the used
afterwards for detection at runtime.
However, defining SLOs in a "static way" can bring some challenges as
well, related to the dynamic nature of networks and services.
Riccobene, et al. Expires 11 June 2025 [Page 5]
Internet-Draft network-anomaly-lifecycle December 2024
Alternative methodologies rely on a more "relaxed" approach to detect
symptoms and their impact to services as a way to generate analytical
data out of operational data. For instance:
SAIN introduces the definition and exposure of Symptoms as a
mechanism for detecting those concerning behaviors in more
deterministic ways. Moreover, the concept of "impact score" has
been introduced by SAIN, to indicate what is the expected degree
of impact that a given Symptom will have on the services relying
on the related subservice to which the Symptom is attached.
Daisy introduces the concept of concern score to indicate what is
the degree of concern that a given Symptom could cause a
degradation for a connectivity service.
In general, defining boundaries between desirable vs. undesirable in
an accurate fashion requires continuous iterations and improvements
coming from all the stages of the network anomaly detection
lifecycle, by which network engineers can transfer what they learn
through the process into new Symptom definitions and, ultimately,
into refinements of the detection algorithms.
6. Lifecycle of a Network Anomaly
The lifecycle of a network anomaly can be articulated in three
phases, structured as a loop: Detection, Validation, Refinement.
+-------------+
+--------> | Detection | ---------+
Adjustments | +-------------+ | Symptoms
| |
| v
+------------+ +------------+
| Refinement |<--------------------- | Validation |
+------------+ Problem +------------+
Confirmation
Figure 1: Anomaly Detection Refinement Lifecycle
Each of these phases can either be performed by a network expert or
an algorithm or complementing each other.
The network anomaly metadata is generated by an annotator, which can
be either a human expert or an algorithm. The annotator can produce
the metadata for a network anomaly, for each stage of the cycle and
even multiple versions for the same stage. In each version of the
network anomaly metadata, the annotator indicates the list of
Riccobene, et al. Expires 11 June 2025 [Page 6]
Internet-Draft network-anomaly-lifecycle December 2024
Symptoms that are part of the network anomaly taken into account.
The iterative process is about the identification of the right set of
Symptoms.
6.1. Network Anomaly Detection
The Network Anomaly Detection stage is about the continuous
monitoring of the network through Network Telemetry [RFC9232] and the
identification of Symptoms. One of the main requirements that
operator have on network anomaly detection systems is the high
accuracy. This means having a small number of false negatives,
Symptoms causing connectivity service impact are not missed, and
false positives, Symptoms that are actually innocuous are not picked
up.
As the detection stage is becoming more and more automated for
production networks, the identified Symptoms might point towards
three potential kinds of behaviors:
i. those that are surely corresponding to an impact on connectivity
services, (e.g. the breach of an SLO),
ii. those that will cause problems in the future (e.g. rising trends
on a timeseries metric hitting towards saturation),
iii. those or which the impact to connectivity services cannot be
confirmed (e.g. sudden increase/decrease of timeseries metrics,
anomalous amounts of log entries, etc.).
The first category requires immediate intervention (a.k.a. the
problem is "confirmed"), the second one provides pointers towards
early signs of an problem potentially happening in the near future
(a.k.a. the problem is "forecasted"), and the third one requires some
analysis to confirm if the detected Symptom requires any attention or
immediate intervention (a.k.a. the problem is "potential"). As part
of the iterative improvement required in this stage, one that is very
relevant is the gradual conversion of the third category into one of
the first two, which would make the network anomaly detection system
more deterministic. The main objective is to reduce uncertainty
around the raised alarms by refining the detection algorithms. This
can be achieved by either generating new Symptom definitions,
adjusting the weights of automated algorithms or other similar
approaches.
Riccobene, et al. Expires 11 June 2025 [Page 7]
Internet-Draft network-anomaly-lifecycle December 2024
6.2. Network Anomaly Validation
The key objective for the validation stage is clearly to decide if
the detected Symptoms are signaling a real problem (a.k.a. requires
action) or if they are to be treated as false positives (a.k.a.
suppressing the alarm). For those Symptoms surely having impact on
connectivity services, 100% confidence on the fact that a network
problem is happening can be assumed. For the other two categories,
"forecasted" and "potential", further analysis and validation is
required.
6.3. Network Anomaly Refinement
After validation of a problem, the service provider performs
troubleshooting and resolution of the problem. Although the network
might be back in a desired state at this point, network operators can
perform detailed postmortem analysis of network problems with the
objective to identify useful adjustments to the prevention and
detection mechanisms (for instance improving or extending the
definition of SLIs and SLOs, refining concern/impact scores, etc.),
and improving the accuracy of the validation stage (e.g. automating
parts of the validation, implementing automated root cause analysis
and automation for remediation actions). In this stage of the
lifecycle it is assumed that the problem is under analysis.
After the adjustments are performed to the network anomaly detection
methods, the cycle starts again, by "replaying" the network anomaly
and checking if there is any measurable improvement in the ability to
detect problems by using the updated method.
7. Introducing a Label Store for Network Anomaly labels
The information that is produced at each stage needs to be persisted
and retrieved to perform the network anomaly lifecycle. The
lifecycle begins with the detector notifying anomalies to the "Alarm
and Problem Management System" and to the "Post-mortem System"
according to (see [I-D.ietf-nmop-network-anomaly-architecture]). In
this case the Post-mortem system is identified as the Label Store.
Once the notification arrives to the Label Store, the anomaly label
is persisted. In the following stages (i.e. validation and
refinement), the information about the labels are retrieved, reviewd,
modified and persisted again, generating every time a new version of
the same annotation, or tagging the annotation as irrelevant, if it
would be necessary to remove it.
Riccobene, et al. Expires 11 June 2025 [Page 8]
Internet-Draft network-anomaly-lifecycle December 2024
In the following sections, the following are defined: * a state
machine for a label * a YANG data model for the notification sent by
the Detector to the Label Store * a YANG data model to the define the
interrogation (and retrieval) of the labels from the label store.
8. Network Anomaly State Machine
In the context of this document, from a network anomaly detection
point of view a network problem is defined as a collection of
interrelated Symptoms, as specified in
[I-D.netana-nmop-network-anomaly-semantics].
The understanding of a network problem can change over time.
Moreover, multiple actors are involved in the process of refining
this understanding in the different phases.
From this perspective, a problem can be refined according to the
following states (Figure 2).
Riccobene, et al. Expires 11 June 2025 [Page 9]
Internet-Draft network-anomaly-lifecycle December 2024
+---------+
| Initial |-----------------+
+---------+ |
| |
+-----+---------+ |
+--------|---------------|------+ |
| +------v-----+ +------v----+ | |
| | Problem | | Problem | | |
+---->| | Forecasted | | Potential | | |
| | +------------+ +-----------+ | |
| +--------|--Detection---|-------+ |
| | | |
+-------+ | +------- ----- + |
| Final | | | |
+---^---+ | | |
| | | |
| | v |
| | +-----------Validation------------+ |
+-----------------------+ | | +-----------+ | |
| | | | | | Problem | | Problem | | |
| +-----------------+ | | | | Discarded | | Confirmed |<-|---+
| | Detection | | | | +-----|-----+ +-----------+ |
| | Adjusted |-------+ +---------------------------------+
| +--------^--------+ | | |
| | | | |
| | | +---v---+ |
| | | | Final | |
| | | +-------+ |
| +---------|--------+ | |
| | Problem | | |
| | Analyzed |<-|-----------------------------------+
| +------------------+ |
+-------Refinement------+
Figure 2: Network Anomaly State Machine
The knowledge gained at each stage is codified as a list of anomaly
labels that can be stored on a Label Store ( see Section 10.1 for a
reference).
9. Network Anomaly Data Model
9.1. Overview of the Data Model for the Relevant State and all the
related entities
Riccobene, et al. Expires 11 June 2025 [Page 10]
Internet-Draft network-anomaly-lifecycle December 2024
module: ietf-relevant-state
+--rw relevant-state
+--ro id yang:uuid
+--rw description? string
+--rw start-time yang:date-and-time
+--rw end-time? yang:date-and-time
+--rw anomalies* [id version]
+--rw id yang:uuid
+--rw version yang:counter32
+--rw state identityref
+--rw description? string
+--rw start-time yang:date-and-time
+--rw end-time? yang:date-and-time
+--rw confidence-score score
+--rw (pattern)?
| +--:(drop)
| | +--rw drop? empty
| +--:(spike)
| | +--rw spike? empty
| +--:(mean-shift)
| | +--rw mean-shift? empty
| +--:(seasonality-shift)
| | +--rw seasonality-shift? empty
| +--:(trend)
| | +--rw trend? empty
| +--:(other)
| +--rw other? string
+--rw annotator!
| +--rw name string
| +--rw (annotator-type)?
| +--:(human)
| | +--rw human? empty
| +--:(algorithm)
| +--rw algorithm? empty
+--rw symptom!
| +--rw id yang:uuid
| +--rw concern-score score
+--rw service!
+--rw id yang:uuid
notifications:
+---n relevant-state-notification
+--ro description? string
+--ro start-time yang:date-and-time
+--ro end-time? yang:date-and-time
+--ro anomalies* [id version]
+--ro id yang:uuid
+--ro version yang:counter32
Riccobene, et al. Expires 11 June 2025 [Page 11]
Internet-Draft network-anomaly-lifecycle December 2024
+--ro state identityref
+--ro description? string
+--ro start-time yang:date-and-time
+--ro end-time? yang:date-and-time
+--ro confidence-score score
+--ro (pattern)?
| +--:(drop)
| | +--ro drop? empty
| +--:(spike)
| | +--ro spike? empty
| +--:(mean-shift)
| | +--ro mean-shift? empty
| +--:(seasonality-shift)
| | +--ro seasonality-shift? empty
| +--:(trend)
| | +--ro trend? empty
| +--:(other)
| +--ro other? string
+--ro annotator!
| +--ro name string
| +--ro (annotator-type)?
| +--:(human)
| | +--ro human? empty
| +--:(algorithm)
| +--ro algorithm? empty
+--ro symptom!
| +--ro id yang:uuid
| +--ro concern-score score
+--ro service!
+--ro id yang:uuid
Figure 3: YANG tree diagram for ietf-relevant-state
<CODE BEGINS> file "[email protected]"
module ietf-relevant-state {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-relevant-state";
prefix rsn;
import ietf-yang-types {
prefix yang;
reference "RFC 6991: Common YANG Data Types";
}
organization
"IETF NMOP Working Group";
contact
Riccobene, et al. Expires 11 June 2025 [Page 12]
Internet-Draft network-anomaly-lifecycle December 2024
"WG Web: <https://datatracker.ietf.org/wg/nmop/>
WG List: <mailto:[email protected]>
Authors: Vincenzo Riccobene
<mailto:[email protected]>
Antonio Roberto
<mailto:[email protected]>
Thomas Graf
<mailto:[email protected]>
Wanting Du
<mailto:[email protected]>
Alex Huang Feng
<mailto:[email protected]>";
description
"This module defines the relevant-state container and
notifications to be used by a network anomaly detection
system. The defined objects can be used to augment
operational network collected observability data and
analytical problem data equally. Describing the relevant-state
of observed symptoms.
Copyright (c) 2024 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Revised BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the RFC
itself for full legal notices.";
revision 2024-11-02 {
description
"Initial version";
reference
"RFC XXX: Semantic Metadata Annotation for Network Anomaly Detection";
}
typedef score {
type uint8 {
range "0 .. 100";
}
}
identity network-anomaly-state {
description
Riccobene, et al. Expires 11 June 2025 [Page 13]
Internet-Draft network-anomaly-lifecycle December 2024
"Base identity for representing the state of the network anomaly";
}
identity detection {
base network-anomaly-state;
description
"A problem reached detection state";
}
identity validation {
base network-anomaly-state;
description
"A problem reached validation state";
}
identity refinement {
base network-anomaly-state;
description
"A problem reached refinement state";
}
identity problem-forecasted {
base detection;
description
"A problem has been forecasted, as it is expected that
the indicated list of symptoms will impact a service
in the near future";
}
identity problem-potential {
base detection;
description
"A problem has been detected with a confidence
lower than 100%. In order to confirm that this set of
symptoms are generating service impact, it requires further
validation";
}
identity problem-confirmed {
base validation;
description
"After validation, the problem has been confirmed";
}
identity discarded {
base validation;
description
"After validation, the network anomaly has been
discarded, as there is no evindence that it is causing an
problem";
}
identity analyzed {
base refinement;
description
"The anomaly detection went through analysis to identify
Riccobene, et al. Expires 11 June 2025 [Page 14]
Internet-Draft network-anomaly-lifecycle December 2024
potential ways to further improve the detection process in
for future anomalies";
}
identity adjusted {
base refinement;
description
"The network anomaly has been solved and analysed.
No further action is required.";
}
identity pattern {
description
"Pattern identified by the Detector.";
}
identity drop {
description
"Drop of the value";
}
identity spike {
description
"Spike of the value";
}
identity mean-shift {
description
"Shift of the mean of the value";
}
identity seasonality-shift {
description
"Shift of the seasonality of the value";
}
identity trend {
description
"Trend exhibited by the value";
}
identity other {
description
"Any other type of pattern";
}
grouping relevant-state-grouping {
leaf description {
type string;
description
"Textual description of the fault";
}
leaf start-time {
type yang:date-and-time;
mandatory true;
Riccobene, et al. Expires 11 June 2025 [Page 15]
Internet-Draft network-anomaly-lifecycle December 2024
description
"Date and time indicating the beginning of the fault";
}
leaf end-time {
type yang:date-and-time;
description
"Date and time indicating the end of the fault";
}
}
grouping annotator-grouping {
leaf name {
mandatory true;
type string;
description
"Name of the annotator (either user or algorithm)
If it is an algorithm, the name can also include
the version.";
}
choice annotator-type {
case human {
leaf human {
description
"This option is used if a human provided the label";
type empty;
}
}
case algorithm {
leaf algorithm {
description
"This option is used if a software provided the label";
type empty;
}
}
}
}
grouping anomaly-grouping {
list anomalies {
key "id version";
leaf id {
type yang:uuid;
description
"Unique ID of the anomaly";
}
leaf version {
type yang:counter32;
description
Riccobene, et al. Expires 11 June 2025 [Page 16]
Internet-Draft network-anomaly-lifecycle December 2024
"Version of the problem metadata object.
It allows multiple versions of the metadata to be
generated in order to support the definition of
multiple problem objects from the same source to
facilitate improvements overtime";
}
leaf state {
type identityref {
base network-anomaly-state;
}
mandatory true;
description "State of the anomaly";
}
leaf description {
type string;
description
"Textual description of the anomaly";
}
leaf start-time {
type yang:date-and-time;
mandatory true;
description
"Date and time indicating the beginning of the anomaly
A detection system will alwasys set a start time,
as it represents the moment in time from which the
behaviour of the monitored system is considered
to be anomalous with respect its expected behaviour";
}
leaf end-time {
type yang:date-and-time;
description
"Date and time indicating the end of the anomaly.
This field is indicated as non mandatory, as it could
be the case that the anomaly is still happening at the
time of generation of the label";
}
leaf confidence-score {
type score;
mandatory true;
}
leaf identityref {
base pattern;
}
container annotator {
presence "It specifies an annotator for the anomaly";
uses annotator-grouping;
}
container symptom {
Riccobene, et al. Expires 11 June 2025 [Page 17]
Internet-Draft network-anomaly-lifecycle December 2024
presence "It specifies the symptom for the anomaly";
leaf id {
type yang:uuid;
mandatory true;
description
"Unique ID of the symptom type";
}
leaf concern-score {
type score;
mandatory true;
}
}
container service {
presence "It specifies the service (or the monitored entity) affected by the anomaly";
leaf id {
type yang:uuid;
mandatory true;
description
"Unique ID of the service (or monitored entity)
This is supposed to be augmented by other modules
that want to define the service affected by the
anomaly";
}
}
}
}
notification relevant-state-notification {
uses relevant-state-grouping;
uses anomaly-grouping;
}
container relevant-state {
leaf id {
mandatory true;
type yang:uuid;
config false;
description
"Unique ID of the relevant state
It is unique in the scope of the Label Store";
}
uses relevant-state-grouping;
uses anomaly-grouping;
}