Study of Anomaly Detection Based on Randomized Subspace Methods in IP Networks
M. Kaloorazi, R. C. de Lamare

TL;DR
This paper introduces randomized subspace methods for anomaly detection in IP networks, improving robustness and detection accuracy over traditional PCA-based techniques through a novel matrix decomposition approach.
Contribution
It presents a new randomized subspace approach for network anomaly detection that enhances robustness and detection performance compared to existing PCA-based methods.
Findings
Improved detection rate over PCA-based methods
Enhanced robustness to noise in network traffic analysis
Effective anomaly detection in IP networks using randomized subspace techniques
Abstract
In this paper we propose novel randomized subspace methods to detect anomalies in Internet Protocol networks. Given a data matrix containing information about network traffic, the proposed approaches perform a normal-plus-anomalous matrix decomposition aided by random subspace techniques and subsequently detect traffic anomalies in the anomalous subspace using a statistical test. Experimental results demonstrate improvement over the traditional principal component analysis-based subspace methods in terms of robustness to noise and detection rate.
Taxonomy
Topics: Sparse and Compressive Sensing Techniques · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
Keywords: anomaly detection, PCA subspace methods, orthonormal basis, -statistic.
1 Introduction
Network anomalies typically refer to abnormal behavior in the network traffic such as traffic volume, bandwidth and protocol use, which indicate a potential threat. Traffic anomalies may arise due to various causes ranging from network attacks such as denials-of-service (DoS) and network scans, to atypical circumstances such as flash-crowds and failures, which can have serious destructive effects on the performance and security of Internet Protocol (IP) networks [1], [2].
The seminal paper by Lakhina et al. [3] first employed Principal Component Analysis (PCA) [4] to detect network-wide traffic anomalies. Given a matrix of link traffic data , the approach performs a normal-plus-anomalous matrix decomposition (i.e., ) using (a specific number of) its principal components and seeks anomalies in the anomalous subspace . The emergence of this approach inspired researchers to improve its performance and to evaluate its sensitivity for detecting anomalies [5], [6]. Ringberg et al. [5] point out that since PCA does not consider the temporal correlation of the data, the normal subspace is contaminated with anomalies. To address this issue, Brauckhoff et al. [6] propose to apply the Karhunen-Loeve (KL) expansion [7], which considers both the temporal and spatial correlations. Recently, inspired by the well-established compressed sensing (CS) theory [8], [9] and also by robust principal component analysis (RPCA) [10], [11], [12], several works have approached network-wide traffic anomaly detection using these methods (i.e., by solving a constrained optimization problem) [13], [14].
The PCA-based methods [3], [15], [6] focus on the link traffic covariance matrix and accordingly compute its singular value decomposition (SVD), a computationally expensive factorization, to separate the subspaces. In this paper, we present two novel randomized subspace approaches to detect anomalies in network traffic. In contrast to the works in [3], [15], [6], the proposed approaches do not form the covariance matrix and consequently obviate the computation of the SVD for subspace separation. We validate the proposed approaches using synthetically generated data. Experimental results demonstrate that the proposed techniques can diagnose network-wide anomalies more effectively than PCA and robust PCA (RPCA).
The remainder of this paper is organized as follows. In Section 2 we introduce the signal model that represents IP traffic and formulate the problem we are interested in solving. We review the PCA method for network anomaly detection in Section 3. In Section 4, we describe our proposed methods in detail. In Section 5, we present and discuss our experimental results, and our concluding remarks are given in Section 6.
2 Signal Model and Problem Formulation
In this section, we describe a signal model that represents the traffic in an IP network using linear algebra and state the problem of interest. Based on the structure of a network and the flow of data obtained by network tomography [16], we can model the link traffic as a function of the origin-destination (OD) flow traffic and the network-specific routing. Specifically, the relationship between the link traffic and OD flow traffic , for a network with links and OD flows may be written as:
[TABLE]
where is the number of snapshots and is a routing matrix. The entries of , i.e., , are assigned a value equal to one () if the OD flow traverses link , and are assigned a value equal to zero otherwise.
The network traffic model that takes into account the anomalies and the measurement noise over the links can be expressed by
[TABLE]
where is a fixed routing matrix, is the clean traffic matrix, is the matrix of traffic anomalies and denotes the link measurement noise samples. The problem we are interested in solving in this work is how to detect anomalies by observing .
3 Principal Component Analysis for Network Anomaly Detection
Given the link traffic , in order to detect anomalies the work in [3] performs a normal-plus-anomalous matrix decomposition such that , where is the modeled traffic and is the projection of onto the anomalous subspace , using a selected number of its principal components.
The modeled traffic represented by is the projection of onto the normal subspace and the residual traffic modeled by is the projection of onto the anomalous subspace . Specifically, the modeled traffic can be obtained by
[TABLE]
and
[TABLE]
where is formed by the first singular vectors of the covariance of the centered traffic data and is a singular value decomposition.
In order to detect abnormal changes in , a statistic referred to as the -statistic [17] is applied by computing the squared prediction error (SPE) of the residual traffic:
[TABLE]
The network traffic is considered to be normal if
[TABLE]
where is a threshold for the SPE defined as:
[TABLE]
where
[TABLE]
and
[TABLE]
with denoting the -th singular value of and is the percentile in a standard normal distribution.
The singular vectors of (or principal components of ) maximize the variance of the projected data. Thus, for instance, the -th singular value of (or the variance captured by the -th PC) can be expressed as . Note that each row in , .
4 Proposed Subspace-Projected Basis for Anomaly Detection
This section describes our proposed approaches termed Randomized Bases Anomaly Detection (RBAD) and Switched Subspace-Projected Bases for Anomaly Detection (SSPBAD). Similar to the works in [18] and [3], given the data traffic matrix , RBAD and SSPBAD perform a normal-plus-anomalous matrix decomposition. However, instead of the principal components of , they employ a matrix with a set of orthonormal bases whose range approximates the range of . Once is constructed, as will be explained in the next subsections, is represented as a linear superposition of normal and anomalous components () as given by
[TABLE]
and
[TABLE]
where the matrix contains the first columns of . Accordingly, the variances captured by the orthonormal basis are computed as:
[TABLE]
Then, the -statistic is applied to the anomalous component to diagnose anomalies. In contrast to [18] and [3], the proposed approaches do not require the estimation of the covariance matrix from the data and, as a result, the SVD need not be computed to separate the subspaces. This also reduces the number of floating-point operations (flops) needed to detect anomalies in the network traffic.
4.1 Randomized Basis Anomaly Detection
To separate normal and anomalous subspaces as in (3), RBAD uses orthonormal bases whose range approximates the range of the traffic matrix (instead of the singular vectors of used in [18] and [3]). To compute the bases, the product is first formed using a random matrix , and a factorization is then performed on (i.e., ) [19]. To improve the approximation accuracy, the work in [19] multiplies with and alternately. Once the bases are obtained, the variances captured by are calculated (i.e., ) to detect abnormal behavior in the anomalous components. Moreover, to apply the -statistic the variances must be known [17], [20]. A pseudocode for RBAD is given in Table 1.
4.2 Switched Subspace-Projected Basis for Anomaly Detection
The proposed SSPBAD technique, similar to RBAD, also constructs bases with orthonormal columns whose range approximates the range of and, based on , projects the traffic data onto two mutually orthogonal subspaces ( and ). First, the product is formed using a random matrix . Next, is updated by such that . Afterwards, a factorization is performed to construct the orthonormal bases for the range of . These orthonormal bases serve as a surrogate for the principal-component bases used in [18] and [3] to separate normal and anomalous subspaces. Subsequently, the variances captured by are computed (i.e., ) to detect traffic anomalies in the anomalous component using the -statistic.
A similar approach to constructing the orthonormal bases as in SSPBAD was proposed in [21] to approximate a rank- matrix, but there the bases are constructed for the range of . To increase the robustness of the algorithm for detecting anomalies, we employ different matrices as in [22], [23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36]. The random matrices generated include:
- a matrix with i.i.d. Gaussian entries, i.e., ,
- a matrix whose entries are i.i.d. random variables drawn from a Bernoulli distribution with probability 0.5,
- a Markov matrix whose entries are all nonnegative and the entries of each column add up to 1,
- a matrix whose entries are independently drawn from {-1, 1}.
Thus, SSPBAD switches among different random matrices and chooses the best one in order to obtain the maximum number of anomalies. A pseudocode for SSPBAD is given in Table 2.
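As an added illustration of Sections 3, 4.1 and 4.2 (not code from the paper; the authors' pseudocode in Tables 1 and 2 is not reproduced on this page), the following pure-Python script builds a randomized orthonormal basis for the range of a constructed link-traffic matrix from its product with a random test matrix, refined by alternating products with the transpose and a Gram-Schmidt QR; splits the traffic into normal and anomalous components using the first k basis columns; computes the squared prediction error of every snapshot; flags snapshots above a Q-statistic limit; and finally applies the switching rule of Section 4.2 over the four random matrix families listed above. Several choices go beyond what the page states and are assumptions of this example: the variance captured by a basis column is taken as ||q_j^T X||^2 / (n - 1) on row-centred data; the threshold is the Jackson-Mudholkar control limit from [17] as I know it, since the page's own equations did not survive extraction; the basis is computed with as many columns as there are links so that the anomalous-subspace variances are complete; the SSPBAD update of the sketch is not reproduced (the RBAD range finder is used for every family); and the traffic, the two injected anomalies (snapshots 57 and 143) and the noise are constructed here. The SVD-based PCA baseline is not implemented.

```python
"""Randomized-basis anomaly detection on constructed link traffic (added example,
not the authors' code): RBAD range finder and normal/anomalous split (Sec. 4.1),
SPE with a Q-statistic limit (Sec. 3), SSPBAD random-matrix switching (Sec. 4.2)."""
import math
import random
from statistics import NormalDist

def matmul(A, B):
    """Row-major product of two list-of-lists matrices."""
    Bt = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def orthonormalize(Y):
    """Thin QR by modified Gram-Schmidt; returns Q with orthonormal columns."""
    q_cols = []
    for v in transpose(Y):
        for q in q_cols:  # strip the components along earlier columns
            dot = sum(a * b for a, b in zip(q, v))
            v = [vi - dot * qi for vi, qi in zip(v, q)]
        norm = math.sqrt(sum(x * x for x in v))
        if norm > 1e-10:  # skip numerically dependent columns
            q_cols.append([x / norm for x in v])
    return transpose(q_cols)

def random_test_matrix(kind, rows, cols, rng):
    """A rows x cols matrix from one of the four families listed in Section 4.2."""
    draw = {"gaussian": lambda: rng.gauss(0.0, 1.0),
            "bernoulli": lambda: float(rng.random() < 0.5),
            "sign": lambda: rng.choice((-1.0, 1.0)),
            "markov": lambda: rng.random()}[kind]  # nonnegative; normalised below
    M = [[draw() for _ in range(cols)] for _ in range(rows)]
    if kind == "markov":  # each column must sum to 1
        sums = [sum(col) for col in zip(*M)]
        M = [[x / s for x, s in zip(row, sums)] for row in M]
    return M

def randomized_basis(X, omega, power_iters=2):
    """Basis for range(X) from Y = X*Omega, refined by alternating X^T and X products."""
    Xt = transpose(X)
    Y = matmul(X, omega)
    for _ in range(power_iters):
        Y = matmul(X, orthonormalize(matmul(Xt, orthonormalize(Y))))
    return orthonormalize(Y)

def captured_variances(X, Q):
    """Variance of X along each basis column, ||q_j^T X||^2 / (n - 1) (assumed form)."""
    n = len(X[0])
    return [sum(v * v for v in row) / (n - 1) for row in matmul(transpose(Q), X)]

def q_threshold(residual_variances, alpha):
    """Jackson-Mudholkar Q-statistic limit [17] from the anomalous-subspace variances."""
    phi = [sum(v ** i for v in residual_variances) for i in (1, 2, 3)]
    h0 = 1.0 - 2.0 * phi[0] * phi[2] / (3.0 * phi[1] ** 2)
    c = NormalDist().inv_cdf(1.0 - alpha)  # (1 - alpha) percentile of N(0, 1)
    inner = (c * math.sqrt(2.0 * phi[1] * h0 * h0) / phi[0] + 1.0
             + phi[1] * h0 * (h0 - 1.0) / phi[0] ** 2)
    return phi[0] * inner ** (1.0 / h0)

def detect(X, k, omega, alpha=0.001):
    """Centre X, take the first k bases as normal subspace, flag snapshots with SPE > limit."""
    X = [[x - sum(row) / len(row) for x in row] for row in X]
    Q = randomized_basis(X, omega)
    Qk = [row[:k] for row in Q]
    modeled = matmul(matmul(Qk, transpose(Qk)), X)  # projection onto the normal subspace
    residual = [[x - y for x, y in zip(rx, ry)] for rx, ry in zip(X, modeled)]
    spe = [sum(x * x for x in col) for col in zip(*residual)]  # one SPE per snapshot
    limit = q_threshold(captured_variances(X, Q)[k:], alpha)
    return [t for t, s in enumerate(spe) if s > limit], spe, limit

def switched_detect(X, k, kinds=("gaussian", "bernoulli", "markov", "sign"), seed=0):
    """SSPBAD switching rule: try each family (full m-column basis), keep the one flagging most."""
    rng = random.Random(seed)
    m, n = len(X), len(X[0])
    best = None
    for kind in kinds:
        flagged, _, _ = detect(X, k, random_test_matrix(kind, n, m, rng))
        if best is None or len(flagged) > len(best[1]):
            best = (kind, flagged)
    return best

def constructed_traffic(m=8, n=200, sigma=0.5, seed=1):
    """Constructed link traffic, cf. eq. (2): rank-2 normal part + 2 anomalies + noise."""
    rng = random.Random(seed)
    b1 = [1.0] * m  # two fixed, orthogonal normal-traffic directions
    b2 = [1.0 if i % 2 == 0 else -1.0 for i in range(m)]
    C = [[rng.gauss(0.0, 10.0) for _ in range(n)] for _ in range(2)]
    X = [[b1[i] * C[0][t] + b2[i] * C[1][t] + rng.gauss(0.0, sigma)
          for t in range(n)] for i in range(m)]
    injected = {57: ((0, 3), 30.0), 143: ((1, 5), -30.0)}  # snapshot: (links, volume)
    for t, (links, volume) in injected.items():
        for i in links:
            X[i][t] += volume
    return X, sorted(injected)

def demo():
    """Returns (chosen random matrix family, flagged snapshots, injected snapshots)."""
    X, truth = constructed_traffic()
    kind, flagged = switched_detect(X, k=2)
    return kind, flagged, truth

if __name__ == "__main__":
    print("family, flagged, injected:", demo())
```

Running the script prints the family that was kept and the flagged snapshots, which for the constructed data coincide with the two injected ones. Note that the limit is computed from the same data that contains the anomalies, so their energy inflates the anomalous-subspace variances and raises the threshold; the more snapshots the window contains, the smaller this effect, which is one reason the two injected volumes are large relative to the noise but small relative to the normal traffic.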
5 Experimental Results
To validate the proposed approaches, we conduct experiments on synthetically generated data and compare them with PCA and RPCA. The data matrix is generated according to the model in (2) with dimensions . The low-rank matrix is formed by a matrix multiplication , where and have Gaussian distributed entries and , respectively, and . The routing matrix is generated with entries drawn from a Bernoulli distribution with probability . The sparse matrix of anomalies has non-zero elements drawn randomly from the set , and the noise matrix has independent and identically distributed (i.i.d.) Gaussian entries with variance , i.e., . We set the confidence limit for the value of the -statistic for all three approaches.
In Fig. 1, we compare the variances captured by the proposed approaches (orthonormal bases) with those of the PCA method (PCs), since they play a crucial role in the statistical test (-statistic) used to detect anomalies (cf. (8)). As can be seen, the variances returned by RBAD and SSPBAD are very close to those returned by the SVD.
Fig. 2 compares the detection rate against the number of bases for the different approaches. As pointed out in [2], the detection rate combines the false-alarm rate and the detection probability into one measure and obviates the need to plot one against the other. As can be seen, the proposed RBAD and SSPBAD approaches outperform PCA when the measurement noise has a higher variance. Furthermore, RPCA [10], [11], [12] performs poorly. Since we consider measurement noise in our data model (cf. (2)), as the rank increases these noise samples contaminate the matrix of outliers returned by RPCA and, as a result, the abnormal patterns of the network (anomalies) cannot be recovered.
5.1 Computational Complexity
The traditional PCA method operates on the link traffic covariance () to separate the subspaces. In particular, PCA employs the SVD which requires floating-point operations (flops). RBAD and SSPBAD operate on the link traffic directly but employ the factorization, which requires flops as well. Although the computational complexity of RBAD and SSPBAD is roughly the same as PCA in the context of anomaly detection, in certain applications where SVD cannot be efficiently used, an extension of the proposed approaches can be employed. For instance, they can be used to build a direct solver for contour integral equations with nonoscillatory kernels where the computational cost for a factorization is considerably less prohibitive than that of SVD [37].
6 Conclusion
In this paper, we have proposed the RBAD and SSPBAD random subspace methods to detect traffic anomalies in IP networks. Both approaches form normal and anomalous randomized subspaces by orthonormal bases constructed for the range of the traffic data. A statistical test is then applied and detects anomalies in the traffic. Simulations show that RBAD and SSPBAD outperform PCA and RPCA. Future work will concentrate on mathematical analysis of RBAD and SSPBAD.
- [1] M. Thottan and C. Ji, “Anomaly detection in IP networks,” IEEE Transactions on Signal Processing, vol. 51, no. 8, pp. 2191–2204, Aug. 2003.
- [2] Y. Zhang, Z. Ge, A. Greenberg, and M. Roughan, “Network Anomography,” in Proceedings of the 5th ACM SIGCOMM Conference on Internet Measurement (IMC ’05), Oct. 2005.
- [3] A. Lakhina, M. Crovella, and C. Diot, “Diagnosing Network-Wide Traffic Anomalies,” in Proceedings of ACM SIGCOMM, Aug. 2004.
- [4] I. T. Jolliffe, Principal Component Analysis, 2nd ed., Springer, 2002.
- [5] H. Ringberg, A. Soule, J. Rexford, and C. Diot, “Sensitivity of PCA for traffic anomaly detection,” in Proceedings of the 2007 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, Jun. 2007, pp. 109–120.
- [6] D. Brauckhoff, K. Salamatian, and M. Martin, “Applying PCA for Traffic Anomaly Detection: Problems and Solutions,” in Proceedings of INFOCOM 2009, Apr. 2009, pp. 2866–2870.
- [7] R. M. Gray and L. D. Davisson, An Introduction to Statistical Signal Processing, Cambridge University Press, 2005.
- [8] D. L. Donoho, “Compressed Sensing,” IEEE Transactions on Information Theory, vol. 52, no. 4, pp. 1289–1306, Apr. 2006.
