Evaluating a modified PCA approach on network anomaly detection

As the number, complexity and diversity of cyber threats continue to increase, anomaly detection has proven to be a powerful way to augment existing methods of security threat detection. Research has shown that Principal Component Analysis (PCA) is a viable anomaly detection method for pinpointing anomalies in network traffic. Despite its recognized utility in detecting cyber threats, previous work has highlighted inconsistencies when the classical PCA method is used to detect anomalies in network traffic, resulting in both false positives and false negatives. Specifically, it has been shown that the quality of the results depends heavily on the nature of the input data and on the calibration of the method's parameters: in classical PCA, the parameters (in particular the number of principal components that define the normal subspace) have to be selected carefully in order to separate the normal and abnormal subspaces correctly. By obtaining real network traffic traces from a small enterprise and artificially injecting anomalies, we experiment with a modified PCA method that addresses these shortcomings. The results of our experimentation are encouraging: they indicate that our modified PCA method may efficiently detect network anomalies while addressing some of the limitations of the classical PCA approach.
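The parameter sensitivity described above is easiest to see on a small worked case. The following is an added example, not code or data from the paper: a pure-Python implementation of the classical PCA subspace method (normal subspace spanned by the top k principal components, squared prediction error of each time bin against the residual subspace, Jackson-Mudholkar Q-statistic threshold at 1-beta = 0.999) run on a constructed traffic matrix of five links over 96 bins with two latent traffic patterns, low-amplitude noise and one injected volume spike. The link loads, mixing weights, spike position and amplitude are all assumptions made for the example. With k = 2, matching the number of real patterns, the spike dominates the residual subspace and is flagged; with k = 3 the spike direction itself becomes the third principal component, its residual energy collapses to the noise level, and the detector loses it, which is exactly the false negative that a badly chosen k produces.

```python
"""PCA subspace anomaly detection (Lakhina-style) on a constructed link-traffic matrix.

Added example, not code from the paper. It shows why the number of principal
components k defining the 'normal' subspace must be chosen carefully: an
injected volume spike is caught when k matches the number of real traffic
patterns (k=2 here) and is absorbed into the normal subspace when k is one too
large. Pure Python; every traffic value below is constructed.
"""
import math

T, M = 96, 5                                  # 15-minute bins over one day (constructed), links
SPIKE_T, SPIKE_A, SPIKE_LINK = 70, 80.0, 3    # injected anomaly: +80 units on link 3 at bin 70
BASE = [500.0, 400.0, 300.0, 200.0, 350.0]    # per-link baseline load (constructed)
# How strongly each link carries the two latent patterns s1 (daily) and s2 (twice daily)
A = [(1.0, 0.0), (0.8, 0.3), (0.0, 1.0), (0.1, 0.2), (0.5, 0.5)]


def build_traffic(inject=True):
    """T x M matrix: baseline + latent patterns + low-amplitude noise (+ optional spike)."""
    X = []
    for t in range(T):
        s1 = 30.0 * math.sin(2 * math.pi * t / 24)
        s2 = 20.0 * math.cos(2 * math.pi * t / 12)
        row = [BASE[i] + A[i][0] * s1 + A[i][1] * s2
               + math.sin(2 * math.pi * (17 + 2 * i) * t / T + i)   # per-link noise, amplitude 1
               for i in range(M)]
        if inject and t == SPIKE_T:
            row[SPIKE_LINK] += SPIKE_A
        X.append(row)
    return X


def sym_eig(C):
    """Eigen-decomposition of a symmetric matrix by cyclic Jacobi rotations.
    Returns (eigenvalues, eigenvectors) sorted by decreasing eigenvalue."""
    n = len(C)
    a = [row[:] for row in C]
    v = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(100):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-9:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = (1.0 if theta >= 0 else -1.0) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c, s = 1.0 / math.sqrt(t * t + 1.0), t / math.sqrt(t * t + 1.0)
                for k in range(n):          # A <- A P   (columns p, q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):          # A <- P^T A (rows p, q); zeroes a[p][q]
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):          # V <- V P   (accumulate eigenvectors)
                    vkp, vkq = v[k][p], v[k][q]
                    v[k][p], v[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    order = sorted(range(n), key=lambda i: -a[i][i])
    return [a[i][i] for i in order], [[v[k][i] for k in range(n)] for i in order]


def pca_subspace(X, k):
    """Project each mean-centred bin onto the residual subspace of the top-k PCs and
    return its squared prediction error (SPE) plus all covariance eigenvalues."""
    n, m = len(X), len(X[0])
    mu = [sum(r[j] for r in X) / n for j in range(m)]
    Xc = [[r[j] - mu[j] for j in range(m)] for r in X]
    C = [[sum(r[i] * r[j] for r in Xc) / (n - 1) for j in range(m)] for i in range(m)]
    vals, vecs = sym_eig(C)
    P = vecs[:k]                                   # unit vectors spanning the normal subspace
    spe = []
    for y in Xc:
        coef = [sum(p[j] * y[j] for j in range(m)) for p in P]                       # P^T y
        resid = [y[j] - sum(c * p[j] for c, p in zip(coef, P)) for j in range(m)]    # (I - P P^T) y
        spe.append(sum(r * r for r in resid))
    return spe, vals


def q_threshold(vals, k, c_beta=3.09):
    """Jackson-Mudholkar Q-statistic limit on the residual eigenvalues (c_beta=3.09: 1-beta=0.999)."""
    phi1, phi2, phi3 = (sum(l ** p for l in vals[k:]) for p in (1, 2, 3))
    h0 = 1.0 - 2.0 * phi1 * phi3 / (3.0 * phi2 ** 2)
    return phi1 * (c_beta * math.sqrt(2.0 * phi2 * h0 * h0) / phi1
                   + 1.0 + phi2 * h0 * (h0 - 1.0) / phi1 ** 2) ** (1.0 / h0)


def detect(X, k):
    """Return (flagged bins, SPE per bin, threshold) for a normal subspace of k PCs."""
    spe, vals = pca_subspace(X, k)
    thr = q_threshold(vals, k)
    return [t for t, s in enumerate(spe) if s > thr], spe, thr


if __name__ == "__main__":
    X = build_traffic()
    for k in (2, 3):
        flagged, spe, thr = detect(X, k)
        print(f"k={k}: Q-threshold={thr:8.1f}  SPE at bin {SPIKE_T}={spe[SPIKE_T]:8.1f}  flagged={flagged}")
```

Note that the threshold is computed from the same eigenvalues the spike has contaminated, so an unsupervised deployment cannot rescue a wrong k by tuning the confidence level alone: once the anomaly direction sits inside the normal subspace, its SPE is indistinguishable from noise. The noise frequencies in the example are chosen to be orthogonal to the latent patterns over the 96 bins, which keeps the eigenvalue gaps clean; real traces do not have that property, which is one reason the classical method's results vary with the input data.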
