ADMIRE: Anomaly detection method using entropy-based PCA with three-step sketches

Yoshiki Kanda, Romain Fontugne, Kensuke Fukuda, Toshiharu Sugawara

Research output: Contribution to journal › Article

28 Citations (Scopus)

Abstract

Network anomaly detection using dimensionality reduction has recently been well studied as a way to overcome the weaknesses of signature-based detection. Previous works have proposed a method for detecting particular anomalous IP flows by using random projection (sketches) and Principal Component Analysis (PCA). It yields promisingly high detection capability without needing a pre-defined anomaly database. However, the detection method cannot be applied to the traffic flows observed at a single measurement point, and the appropriate parameter settings (e.g., the relationship between the sketch size and the number of IP addresses) have not yet been sufficiently studied. In this paper we propose a PCA-based anomaly detection algorithm called ADMIRE to supplement and extend the previous works. The key idea of ADMIRE is the use of three-step sketches and an adaptive parameter setting to improve the detection performance and ease its use in practice. We evaluate the effectiveness of ADMIRE using longitudinal traffic traces captured from a transpacific link. The main findings of this paper are as follows: (1) We reveal the correlation between the number of IP addresses in the measured traffic and the appropriate sketch size, and we take advantage of this relation to set the sketch size parameter. (2) ADMIRE outperforms the traditional PCA-based detector and other detectors based on different theoretical backgrounds. (3) The types of anomalies reported by ADMIRE depend on the traffic features that are selected as input. Moreover, we found that a simple aggregation of several traffic features degrades the detection performance.

Original language: English
Pages (from-to): 575-588
Number of pages: 14
Journal: Computer Communications
Volume: 36
Issue number: 5
DOIs
Publication status: Published - 2013 Mar 1

Keywords

  • Anomaly detection
  • Entropy
  • Hash
  • PCA
  • Sketch

ASJC Scopus subject areas

  • Computer Networks and Communications
