-
Notifications
You must be signed in to change notification settings - Fork 0
/
draft-netana-nmop-network-anomaly-lifecycle-05.xml
1165 lines (1010 loc) · 45.2 KB
/
draft-netana-nmop-network-anomaly-lifecycle-05.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="2"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="exp" docName="draft-netana-nmop-network-anomaly-lifecycle-04" ipr="trust200902">
<front>
<title abbrev="network-anomaly-lifecycle">An Experiment: Network Anomaly
Lifecycle</title>
<author fullname="Vincenzo Riccobene" initials="V." surname="Riccobene">
<organization>Huawei</organization>
<address>
<postal>
<street/>
<city>Dublin</city>
<region/>
<code/>
<country>Ireland</country>
</postal>
<phone/>
<facsimile/>
<email>[email protected]</email>
<uri/>
</address>
</author>
<author fullname="Antonio Roberto" initials="A." surname="Roberto">
<organization>Huawei</organization>
<address>
<postal>
<street/>
<city>Dublin</city>
<region/>
<code/>
<country>Ireland</country>
</postal>
<phone/>
<facsimile/>
<email>[email protected]</email>
<uri/>
</address>
</author>
<author fullname="Thomas Graf" initials="T" surname="Graf">
<organization>Swisscom</organization>
<address>
<postal>
<street>Binzring 17</street>
<city>Zurich</city>
<code>8045</code>
<country>Switzerland</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Wanting Du" initials="W" surname="Du">
<organization>Swisscom</organization>
<address>
<postal>
<street>Binzring 17</street>
<city>Zurich</city>
<code>8045</code>
<country>Switzerland</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Alex Huang Feng" initials="A." surname="Huang Feng">
<organization>INSA-Lyon</organization>
<address>
<postal>
<street/>
<city>Lyon</city>
<region/>
<code/>
<country>France</country>
</postal>
<phone/>
<facsimile/>
<email>[email protected]</email>
<uri/>
</address>
</author>
<date day="19" month="October" year="2024"/>
<area>Operations and Management</area>
<workgroup>NMOP</workgroup>
<abstract>
<t>Network Anomaly Detection is the act of detecting
problems in the network. Accurately detect problems is
very challenging for network operators in production networks.
Good results require a lot of expertise and knowledge around both
the implied network technologies and the connectivity services provided
to customers, apart from a proper monitoring infrastructure.
In order to facilitate network anomaly detection, novel techniques
are being introduced, including programmatical, rule-based
and AI-based, with the promise of improving scalability and the
hope to keep a high detection accuracy. To guarantee acceptable
results, the process needs to be properly designed, adopting
well-defined stages to accurately collect evidence of anomalies,
validate their relevancy and improve the detection systems
over time, iteratively.</t>
<t>This document describes a well-defined approach on managing
the lifecycle process of a network anomaly detection system,
spanning across the recording of its output and its iterative
refinement, in order to facilitate network engineers
to interact with the network anomaly detection system,
enable the "human-in-the-loop"
paradigm and refine the detection abilities over time.
The major contributions of this document are: the definition
of three key stages of the lifecycle process, the definition
of a state machine for each anomaly annotation on the system
and the definition of YANG data models describing a
comprehensive format for the anomaly labels, allowing a
well-structured exchange of those between all the interested
actors.
</t>
</abstract>
</front>
<middle>
<section anchor="discussion_venues" title="Discussion Venues">
<t>This note is to be removed before publishing as an RFC.</t>
<t>Discussion of this document takes place on the Network
Management and Operations Area Working Group Working Group mailing list
([email protected]), which is archived at
https://mailarchive.ietf.org/arch/browse/nmop/.</t>
<t>Source for this draft and an issue tracker can be found at
https://github.com/network-analytics/draft-netana-nmop-network-
anomaly-lifecycle.</t>
</section>
<section anchor="status" title="Status of this document">
<t>This document is experimental. The main goal of this document is to
propose an iterative lifecycle process to network anomaly detection by
proposing a data model for metadata to be addressed at different
lifecycle stages.</t>
<t>The experiment consists of verifying whether the approach is usable
in real use case scenarios to support proper refinement and adjustments
of network anomaly detection algorithms. The experiment can be deemed
successful if validated at least with an open-source implementation
successfully applied with real networks.</t>
</section>
<section anchor="Introduction" title="Introduction">
<t>
In <xref target="I-D.ietf-nmop-terminology"/> a network anomaly
is defined as "an unusual or unexpected event or
pattern in network data in the forwarding plane, control plane,
or management plane that deviates from the normal, expected behavior".
</t>
<t>
A network problem is defined as "a state regarded as undesirable
and may require remedial action" (see <xref
target="I-D.ietf-nmop-terminology"/>).
</t>
<t>
The main objective of a network anomaly detection system
is to identify Relevant States of the network
(defined as states that have relevancy for network operators,
according to
<xref target="I-D.ietf-nmop-terminology"/> ), as those are states
that could lead to problems or might be clear indications of problem
already happening.
</t>
<t>
It is still remarkably difficult to gain
a full understanding and a complete perspective of "if" and "how"
a relevant state is actually an indication of a problem or it is just
unexpected, but has no impact on services and end users.
Providers of solutions for network anomaly detection should aim
at increasing accuracy, by minimizing false positives and
false negatives.
Moreover, the behaviour of the network naturally changes over time,
when more connectivity services are deployed, more customers on-boarded,
devices are upgraded or replaced, and therefore it is almost
impossible to identify anomaly detection techniquest that can
keep working accurately over time, without changing the detection
criterias (or methodologies) over time.
</t>
<t>
This opens up to the necessity of further validating notified relevant
states to check if a detected symptom is actually
impacting connectivity services: this might require different actors
(both human and algorithmic) to act during the process and refine
their understanding across the network anomaly lifecycle.
</t>
<t>
Finally, once validation has happened, this might lead to refinements
to the logic that is used by the detection, so that this process can
improve the detection accuracy over time.
</t>
<t>
Performing network anomaly detection is a process that requires a
continuous learning and continuous improvement. Relevant states are
detected by aggregating and understanding Symptoms, then validated,
confirming that Symptoms actually impacted connectivity services
impacting and eventually need to be further analyzed by performing
postmortem analysis to identify any potential adjustment to improve the
detection capability.
Each of these steps represents an opportunity to learn and refine the
process, and since implementations of these steps might also be
provided by different parties and/or products, this document also
contributes a formal data model to capture and exchange Symptom
information across the lifecycle.
</t>
</section>
<section anchor="notation" title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
<xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when,
they appear in all capitals, as shown here.</t>
<t>This document makes use of the terms defined in <xref
target="I-D.ietf-nmop-terminology"/>.</t>
<t><list style="symbols">
<t>State</t>
<t>Problem</t>
<t>Event</t>
<t>Alarm</t>
<t>Symptom</t>
</list></t>
<t>The following terms are used as defined in <xref
target="RFC9417"/>.</t>
<t><list style="symbols">
<t>Metric</t>
<t>Intent</t>
</list></t>
<t>The following terms are defined in this document.</t>
<t><list style="symbols">
<t>Annotator: Is a human or an algorithm which produces metadata by
describing anomalies with Symptoms.</t>
<t>False Positive: Is a detected anomaly which has been identified
during the postmortem to be not anomalous.</t>
<t>False Negative: Is anomalous but has not been identified by
the anomaly detection system.</t>
</list></t>
</section>
<section anchor="Defining_desired_states" title="Defining Desired States">
<t>The above definitions of network problem provide the scope for what
to be looking for when detecting network anomalies. Concepts like
"desirable state" and "required state" are introduced. This poses the
attention on a significant problem that network operators have to face:
the definition of what is to be considered "desirable" or "undesirable".
It is not always easy to detect if a network is operating in an
undesired state at a given point in time. To approach this, network
operators can rely on different methodologies, more or less
deterministic and more or less sensitive: on the one side, the
definition of intents (including Service Level Objectives and Service
Level Agreements) which approaches the problem top-down; on the other
side, the definition of Symptoms, by mean of solutions like <xref
target="RFC9417">SAIN</xref>, <xref target="RFC9418"/> and <xref
target="I-D.ietf-nmop-network-anomaly-architecture"/>, which
approaches the problem bottom-up. At the center of these approaches,
there are the so-called Symptoms, explaining what is
not working as expected in the network, sometimes also providing hints
towards issues and their causes.</t>
<t>One of the more deterministic approaches is to rely on Symptoms based
on measurable service-based KPIs, for example, by using Service Level
Indicators, Objectives and Agreements (<xref target="RFC9543"/>).
This is the case when rules on SLOs and SLIs are manually defined
once and the used afterwards for detection at runtime.</t>
<t>However, defining SLOs in a "static way" can bring some
challenges as well, related to the dynamic nature of networks
and services.</t>
<t>Alternative methodologies rely on a more "relaxed" approach
to detect symptoms and their impact to services as a way to
generate analytical data out of operational data.
For instance:</t>
<dl>
<dt>SAIN</dt>
<dd>introduces the definition and exposure of Symptoms as a mechanism
for detecting those concerning behaviors in more deterministic ways.
Moreover, the concept of "impact score" has been introduced by SAIN,
to indicate what is the expected degree of impact that a given Symptom
will have on the services relying on the related subservice to which
the Symptom is attached.</dd>
</dl>
<dl>
<dt>Daisy</dt>
<dd>introduces the concept of concern score to indicate what is the
degree of concern that a given Symptom could cause a degradation for a
connectivity service.</dd>
</dl>
<t>In general, defining boundaries between desirable vs. undesirable in
an accurate fashion requires continuous iterations and improvements
coming from all the stages of the network anomaly detection lifecycle,
by which network engineers can transfer what they learn through the
process into new Symptom definitions and, ultimately, into refinements
of the detection algorithms.</t>
</section>
<section anchor="lifecycle_network_anomaly"
title="Lifecycle of a Network Anomaly">
<t>The lifecycle of a network anomaly can be articulated in three
phases, structured as a loop: Detection, Validation, Refinement.</t>
<figure anchor="simplified_lifecycle"
title="Anomaly Detection Refinement Lifecycle">
<artwork align="center"><![CDATA[
+-------------+
+--------> | Detection | ---------+
Adjustments | +-------------+ | Symptoms
| |
| v
+------------+ +------------+
| Refinement |<--------------------- | Validation |
+------------+ Problem +------------+
Confirmation
]]></artwork>
</figure>
<t>Each of these phases can either be performed by a network expert or
an algorithm or complementing each other.</t>
<t>The network anomaly metadata is generated by an annotator, which can
be either a human expert or an algorithm. The annotator can produce the
metadata for a network anomaly, for each stage of the cycle and even
multiple versions for the same stage. In each version of the network
anomaly metadata, the annotator indicates the list of Symptoms that are
part of the network anomaly taken into account. The iterative process is
about the identification of the right set of Symptoms.</t>
<section anchor="network_anomaly_detection"
title="Network Anomaly Detection">
<t>The Network Anomaly Detection stage is about the continuous
monitoring of the network through Network Telemetry <xref
target="RFC9232"/> and the identification of Symptoms. One of the main
requirements that operator have on network anomaly detection systems
is the high accuracy. This means having a small number of false
negatives, Symptoms causing connectivity service impact are not missed,
and false positives, Symptoms that are actually innocuous are not
picked up.</t>
<t>As the detection stage is becoming more and more automated for
production networks, the identified Symptoms might point towards three
potential kinds of behaviors:</t>
<t>i. those that are surely corresponding to an impact on connectivity
services, (e.g. the breach of an SLO),</t>
<t>ii. those that will cause problems in the future (e.g. rising
trends on a timeseries metric hitting towards saturation),</t>
<t>iii. those or which the impact to connectivity services cannot be
confirmed (e.g. sudden increase/decrease of timeseries metrics,
anomalous amounts of log entries, etc.).</t>
<t>The first category requires immediate intervention (a.k.a. the
problem is "confirmed"), the second one provides pointers towards
early signs of an problem potentially happening in the near future
(a.k.a. the problem is "forecasted"), and the third one requires some
analysis to confirm if the detected Symptom requires any attention or
immediate intervention (a.k.a. the problem is "potential"). As part of
the iterative improvement required in this stage, one that is very
relevant is the gradual conversion of the third category into one of
the first two, which would make the network anomaly detection system
more deterministic. The main objective is to reduce uncertainty around
the raised alarms by refining the detection algorithms. This can be
achieved by either generating new Symptom definitions, adjusting the
weights of automated algorithms or other similar approaches.</t>
</section>
<section anchor="network_anomaly_validation"
title="Network Anomaly Validation">
<t>The key objective for the validation stage is clearly to decide if
the detected Symptoms are signaling a real problem (a.k.a. requires
action) or if they are to be treated as false positives (a.k.a.
suppressing the alarm). For those Symptoms surely having impact on
connectivity services, 100% confidence on the fact that a network
problem is happening can be assumed. For the other two categories,
"forecasted" and "potential", further analysis and validation is
required.</t>
</section>
<section anchor="network_anomaly_refinement"
title="Network Anomaly Refinement">
<t>After validation of a problem, the service provider performs
troubleshooting and resolution of the problem. Although the network
might be back in a desired state at this point, network operators can
perform detailed postmortem analysis of network problems with the
objective to identify useful adjustments to the prevention and
detection mechanisms (for instance improving or extending the
definition of SLIs and SLOs, refining concern/impact scores, etc.),
and improving the accuracy of the validation stage (e.g. automating
parts of the validation, implementing automated root cause analysis
and automation for remediation actions). In this stage of the
lifecycle it is assumed that the problem is under analysis.</t>
<t>After the adjustments are performed to the network anomaly
detection methods, the cycle starts again, by "replaying" the network
anomaly and checking if there is any measurable improvement in the
ability to detect problems by using the updated method.</t>
</section>
</section>
<section anchor="label_store"
title="Introducing a Label Store for Network Anomaly labels">
<t>
The information that is produced at each stage needs to be
persisted and retrieved to perform the network anomaly
lifecycle.
The lifecycle begins with the detector notifying anomalies
to the "Alarm and Problem Management System" and to
the "Post-mortem System" according to
(see <xref target="I-D.ietf-nmop-network-anomaly-architecture"/>).
In this case the Post-mortem system is identified as the
Label Store. Once the notification arrives to the Label Store,
the anomaly label is persisted.
In the following stages (i.e. validation and refinement), the
information about the labels are retrieved, reviewd, modified
and persisted again, generating every time a new version of the
same annotation, or tagging the annotation as irrelevant, if
it would be necessary to remove it.
</t>
<t>
In the following sections, the following are defined:
* a state machine for a label
* a YANG data model for the notification sent by the Detector
to the Label Store
* a YANG data model to the define the interrogation (and retrieval)
of the labels from the label store.
</t>
</section>
<section anchor="network_anomaly_state_machine"
title="Network Anomaly State Machine">
<t>
In the context of this document, from a network anomaly detection
point of view a network problem is defined as a collection of
interrelated Symptoms, as specified in <xref
target="I-D.netana-nmop-network-anomaly-semantics"/>.
</t>
<t>
The understanding of a network problem can change over time.
Moreover, multiple actors are involved in the process of refining this
understanding in the different phases.
</t>
<t>
From this perspective, a problem can be refined according to the
following states (<xref target="state_machine"/>).
</t>
<t>
<figure anchor="state_machine" title="Network Anomaly State Machine">
<artwork align="center"><![CDATA[
+---------+
| Initial |-----------------+
+---------+ |
| |
+-----+---------+ |
+--------|---------------|------+ |
| +------v-----+ +------v----+ | |
| | Problem | | Problem | | |
+---->| | Forecasted | | Potential | | |
| | +------------+ +-----------+ | |
| +--------|--Detection---|-------+ |
| | | |
+-------+ | +------- ----- + |
| Final | | | |
+---^---+ | | |
| | | |
| | v |
| | +-----------Validation------------+ |
+-----------------------+ | | +-----------+ | |
| | | | | | Problem | | Problem | | |
| +-----------------+ | | | | Discarded | | Confirmed |<-|---+
| | Detection | | | | +-----|-----+ +-----------+ |
| | Adjusted |-------+ +---------------------------------+
| +--------^--------+ | | |
| | | | |
| | | +---v---+ |
| | | | Final | |
| | | +-------+ |
| +---------|--------+ | |
| | Problem | | |
| | Analyzed |<-|-----------------------------------+
| +------------------+ |
+-------Refinement------+
]]></artwork>
</figure>
</t>
<t>
The knowledge gained at each stage is codified as a list of
anomaly labels that can be stored on a Label Store (
see <xref target="Implementation-Antagonist"/> for a reference).
</t>
</section>
<section anchor="network_anomaly_data model"
title="Network Anomaly Data Model">
<section anchor="network-anomaly-model-tree"
title="Overview of the Data Model for the Relevant
State and all the related entities">
<figure anchor="ietf-relevant-state-tree"
title="YANG tree diagram for ietf-relevant-state">
<artwork align="center">
<![CDATA[
module: ietf-relevant-state
+--rw relevant-state
+--ro id yang:uuid
+--rw description? string
+--rw start-time yang:date-and-time
+--rw end-time? yang:date-and-time
+--rw anomalies* [id version]
+--rw id yang:uuid
+--rw version yang:counter32
+--rw state identityref
+--rw description? string
+--rw start-time yang:date-and-time
+--rw end-time? yang:date-and-time
+--rw confidence-score score
+--rw (pattern)?
| +--:(drop)
| | +--rw drop? empty
| +--:(spike)
| | +--rw spike? empty
| +--:(mean-shift)
| | +--rw mean-shift? empty
| +--:(seasonality-shift)
| | +--rw seasonality-shift? empty
| +--:(trend)
| | +--rw trend? empty
| +--:(other)
| +--rw other? string
+--rw annotator!
| +--rw name string
| +--rw (annotator-type)?
| +--:(human)
| | +--rw human? empty
| +--:(algorithm)
| +--rw algorithm? empty
+--rw symptom!
| +--rw id yang:uuid
| +--rw concern-score score
+--rw service!
+--rw id yang:uuid
notifications:
+---n relevant-state-notification
+--ro description? string
+--ro start-time yang:date-and-time
+--ro end-time? yang:date-and-time
+--ro anomalies* [id version]
+--ro id yang:uuid
+--ro version yang:counter32
+--ro state identityref
+--ro description? string
+--ro start-time yang:date-and-time
+--ro end-time? yang:date-and-time
+--ro confidence-score score
+--ro (pattern)?
| +--:(drop)
| | +--ro drop? empty
| +--:(spike)
| | +--ro spike? empty
| +--:(mean-shift)
| | +--ro mean-shift? empty
| +--:(seasonality-shift)
| | +--ro seasonality-shift? empty
| +--:(trend)
| | +--ro trend? empty
| +--:(other)
| +--ro other? string
+--ro annotator!
| +--ro name string
| +--ro (annotator-type)?
| +--:(human)
| | +--ro human? empty
| +--:(algorithm)
| +--ro algorithm? empty
+--ro symptom!
| +--ro id yang:uuid
| +--ro concern-score score
+--ro service!
+--ro id yang:uuid
]]>
</artwork>
</figure>
<figure anchor="ietf-relevant-state-module"
title="YANG module for ietf-relevant-state">
<artwork>
<![CDATA[
<CODE BEGINS> file "[email protected]"
module ietf-relevant-state {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-relevant-state";
prefix rsn;
import ietf-yang-types {
prefix yang;
reference "RFC 6991: Common YANG Data Types";
}
organization
"IETF NMOP Working Group";
contact
"WG Web: <https://datatracker.ietf.org/wg/nmop/>
WG List: <mailto:[email protected]>
Authors: Vincenzo Riccobene
<mailto:[email protected]>
Antonio Roberto
<mailto:[email protected]>
Thomas Graf
<mailto:[email protected]>
Wanting Du
<mailto:[email protected]>
Alex Huang Feng
<mailto:[email protected]>";
description
"This module defines the relevant-state container and
notifications to be used by a network anomaly detection
system. The defined objects can be used to augment
operational network collected observability data and
analytical problem data equally. Describing the relevant-state
of observed symptoms.
Copyright (c) 2024 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Revised BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the RFC
itself for full legal notices.";
revision 2024-11-02 {
description
"Initial version";
reference
"RFC XXX: Semantic Metadata Annotation for Network Anomaly Detection";
}
typedef score {
type uint8 {
range "0 .. 100";
}
}
identity network-anomaly-state {
description
"Base identity for representing the state of the network anomaly";
}
identity detection {
base network-anomaly-state;
description
"A problem reached detection state";
}
identity validation {
base network-anomaly-state;
description
"A problem reached validation state";
}
identity refinement {
base network-anomaly-state;
description
"A problem reached refinement state";
}
identity problem-forecasted {
base detection;
description
"A problem has been forecasted, as it is expected that
the indicated list of symptoms will impact a service
in the near future";
}
identity problem-potential {
base detection;
description
"A problem has been detected with a confidence
lower than 100%. In order to confirm that this set of
symptoms are generating service impact, it requires further
validation";
}
identity problem-confirmed {
base validation;
description
"After validation, the problem has been confirmed";
}
identity discarded {
base validation;
description
"After validation, the network anomaly has been
discarded, as there is no evindence that it is causing an
problem";
}
identity analyzed {
base refinement;
description
"The anomaly detection went through analysis to identify
potential ways to further improve the detection process in
for future anomalies";
}
identity adjusted {
base refinement;
description
"The network anomaly has been solved and analysed.
No further action is required.";
}
identity pattern {
description
"Pattern identified by the Detector.";
}
identity drop {
description
"Drop of the value";
}
identity spike {
description
"Spike of the value";
}
identity mean-shift {
description
"Shift of the mean of the value";
}
identity seasonality-shift {
description
"Shift of the seasonality of the value";
}
identity trend {
description
"Trend exhibited by the value";
}
identity other {
description
"Any other type of pattern";
}
grouping relevant-state-grouping {
leaf description {
type string;
description
"Textual description of the fault";
}
leaf start-time {
type yang:date-and-time;
mandatory true;
description
"Date and time indicating the beginning of the fault";
}
leaf end-time {
type yang:date-and-time;
description
"Date and time indicating the end of the fault";
}
}
grouping annotator-grouping {
leaf name {
mandatory true;
type string;
description
"Name of the annotator (either user or algorithm)
If it is an algorithm, the name can also include
the version.";
}
choice annotator-type {
case human {
leaf human {
description
"This option is used if a human provided the label";
type empty;
}
}
case algorithm {
leaf algorithm {
description
"This option is used if a software provided the label";
type empty;
}
}
}
}
grouping anomaly-grouping {
list anomalies {
key "id version";
leaf id {
type yang:uuid;
description
"Unique ID of the anomaly";
}
leaf version {
type yang:counter32;
description
"Version of the problem metadata object.
It allows multiple versions of the metadata to be
generated in order to support the definition of
multiple problem objects from the same source to
facilitate improvements overtime";
}
leaf state {
type identityref {
base network-anomaly-state;
}
mandatory true;
description "State of the anomaly";
}
leaf description {
type string;
description
"Textual description of the anomaly";
}
leaf start-time {
type yang:date-and-time;
mandatory true;
description
"Date and time indicating the beginning of the anomaly
A detection system will alwasys set a start time,
as it represents the moment in time from which the
behaviour of the monitored system is considered
to be anomalous with respect its expected behaviour";
}
leaf end-time {
type yang:date-and-time;
description
"Date and time indicating the end of the anomaly.
This field is indicated as non mandatory, as it could
be the case that the anomaly is still happening at the
time of generation of the label";
}
leaf confidence-score {
type score;
mandatory true;
}
leaf identityref {
base pattern;
}
container annotator {
presence "It specifies an annotator for the anomaly";
uses annotator-grouping;
}
container symptom {
presence "It specifies the symptom for the anomaly";
leaf id {
type yang:uuid;
mandatory true;
description
"Unique ID of the symptom type";
}
leaf concern-score {
type score;
mandatory true;
}
}
container service {
presence "It specifies the service (or the monitored entity) affected by the anomaly";
leaf id {
type yang:uuid;
mandatory true;
description
"Unique ID of the service (or monitored entity)
This is supposed to be augmented by other modules
that want to define the service affected by the
anomaly";
}
}
}
}
notification relevant-state-notification {
uses relevant-state-grouping;
uses anomaly-grouping;
}
container relevant-state {
leaf id {
mandatory true;
type yang:uuid;
config false;
description
"Unique ID of the relevant state
It is unique in the scope of the Label Store";
}
uses relevant-state-grouping;
uses anomaly-grouping;
}
}
<CODE ENDS>]]>
</artwork>
</figure>
<t>
The data model provides support for "human-in-the-loop", allowing
for network experts to validate and adjust network anomaly
labels and detection systems. An example of human-in-the-loop
has been demonstrated with Antagonist <xref
target="Antagonist"/>, by building a User Interface that
interacts with an API based on this data model.
</t>
<t>
The base for the modules is the relevant-state data model.
Relevant state is at the root of the data model, with its parameters
(ID, description, start-time, end-time) and a collection of anomalies.
This allows the relevant state to be considered as a container of
anomalies.
</t>
<t>
Each anomaly is characterized by some intrinsic fields (such as
id, version, state, description, start-time, end-time,
confidence score and pattern)
Particularly the confidence score is a measure of how confident
was the detector in considering the given anomaly as an anomalous
behaviour.