Traffic Monitoring and Diagnosis with Multivariate Statistical Network Monitoring: A Case Study

The research literature on cybersecurity incident response is very rich in automatic intrusion detection methodologies. The most widely accepted way to compare the detection performance of these methods is to use a real traffic data set in which normal traffic and anomalies are conveniently combined and labeled. In this paper, we follow this approach in a real network where a number of controlled attacks are launched. Using the captured traffic and the feedback of the network's IT team, we assess the performance of the Multivariate Statistical Network Monitoring (MSNM) technique proposed in a recent paper and compare it with the one-class Support Vector Machine (OCSVM). We derive two main conclusions from this real experiment: i) while both approaches showed a similar detection performance, MSNM was superior in diagnosis, a step which is seldom considered in comparisons, and ii) the traffic also presented several non-induced anomalies, initially labeled as normal traffic and clearly detected by both MSNM and OCSVM. This suggests caution in the use of typical performance measures in this type of experiment, since they rely heavily on the correctness of the labeling. With this experiment, we illustrate that the MSNM approach is coherent with the needs of an incident response team: it provides an adequate prioritization of the security events and gives support to diagnosis, so that the team can be more effective in less time and with fewer resources.
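
As an added illustration (not the paper's own code or data), the following Python sketch shows the PCA-based monitoring that MSNM builds on: the squared prediction error (SPE, or Q-statistic) of each traffic observation is compared against a control limit learned from normal traffic, and the per-variable contributions to that statistic give the diagnosis step the abstract highlights. The feature names, the per-interval counters and the calibration data are constructed; the single-component model and the empirical quantile used as control limit are simplifying assumptions.

```python
import numpy as np

# Constructed per-interval traffic counters (hypothetical feature names, not the paper's).
FEATURES = ["tcp_syn", "tcp_fin", "udp_pkts", "icmp_pkts", "dst_ports", "bytes"]

def make_sample(n=300, seed=7):
    """Constructed calibration traffic plus two test observations (not real captures)."""
    rng = np.random.default_rng(seed)
    base = np.array([500.0, 480, 300, 20, 120, 90000])      # typical per-interval counts
    load = np.array([50.0, 48, 30, 5, 20, 8000])            # one latent "load" factor
    noise_sd = np.array([5.0, 5, 4, 2, 3, 800])
    t = rng.normal(size=(n, 1))
    x_cal = base + t * load + rng.normal(size=(n, len(base))) * noise_sd
    x_busy = base + 1.5 * load                               # heavy but in-model traffic
    x_scan = base + np.array([800.0, 0, 0, 0, 300, 0])       # many SYNs to many ports: off-model
    return x_cal, x_busy, x_scan

def residuals(z, p):
    return z - z @ p @ p.T                                   # part not explained by the model

def spe(z, p):
    return (residuals(z, p) ** 2).sum(axis=1)                # Q-statistic per observation

def calibrate(x_cal, n_comp=1, alpha=0.99):
    """Fit the PCA model on normal traffic; the control limit is an empirical SPE quantile."""
    mu, sd = x_cal.mean(axis=0), x_cal.std(axis=0, ddof=1)
    z = (x_cal - mu) / sd                                    # auto-scale each counter
    _, _, vt = np.linalg.svd(z, full_matrices=False)
    p = vt[:n_comp].T                                        # loadings, m x n_comp
    return {"mu": mu, "sd": sd, "P": p, "ucl": np.quantile(spe(z, p), alpha)}

def monitor(model, x):
    """Return (SPE, flagged, per-variable contributions to SPE) for one observation."""
    z = (np.atleast_2d(x) - model["mu"]) / model["sd"]
    contrib = residuals(z, model["P"])[0] ** 2
    q = contrib.sum()
    return q, bool(q > model["ucl"]), contrib

def diagnose(model, x, top=2):
    """Diagnosis step: names of the variables contributing most to the SPE."""
    _, flagged, contrib = monitor(model, x)
    order = np.argsort(contrib)[::-1][:top]
    return flagged, [FEATURES[i] for i in order]

if __name__ == "__main__":
    x_cal, x_busy, x_scan = make_sample()
    model = calibrate(x_cal)
    print("busy interval:", diagnose(model, x_busy))   # in-model: not flagged
    print("scan interval:", diagnose(model, x_scan))   # flagged; tcp_syn and dst_ports on top
```

The busy interval moves every counter along the learned correlation structure and stays below the limit, whereas the scan interval breaks that structure and the contribution ranking points the analyst straight at the two counters involved.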