In a Network Function Virtualization (NFV) architecture, a VNF is responsible for handling specific network functions that run on one or more virtual machines on top of the hardware networking infrastructure. The infrastructure may include routers, switches, servers, cloud computing systems, and the like. Individual VNFs may be chained or combined together in a building block-style fashion to deliver full-scale networking communication services.
In presently known VNF systems, monitoring and detecting anomalies in an effective manner is difficult in light of problems relating to heterogeneous environment, traffic variability, number of services on each network instance, seasonality, and anomaly characterization. Often, these presently known VNF systems rely on static thresholds for anomaly detection, such as signature-based approaches, which are not effective due to an inability to adapt to network topology and a volatile heterogeneous environment. Moreover, in presently known dynamic VNF systems, such systems rely on volume-based approaches with dynamic thresholds, which are not effective since small volumes of traffic can contain markers of network intrusion.
There is a need for an effective VNF monitoring and detection system that is able to operate in an unsupervised manner, incorporate feedback from a system administrator, and adapt to fluctuating traffic independently. Additionally, such a system should be able to operate and react in real time due to the characteristically brief duration of network intrusions. Finally, such a system should be able to extract sufficient information regarding anomaly activity.