Robust PCA for Anomaly Detection in Cyber Networks
Randy Paffenroth, Kathleen Kay, Les Servi
TL;DR
This paper presents a novel application of Robust PCA for detecting cyber-network anomalies using packet data, achieving low false positives and identifying unseen attack types with minimal parameter tuning.
Contribution
It introduces a new RPCA-based method for anomaly detection in cyber networks that requires few parameters and can detect previously unseen attacks.
Findings
Low false-positive rates on DARPA data
Effective detection of unseen attack types
Requires minimal training data and parameters
Abstract
This paper uses network packet capture data to demonstrate how Robust Principal Component Analysis (RPCA) can be used in a new way to detect anomalies which serve as cyber-network attack indicators. The approach requires only a few parameters to be learned using partitioned training data and shows promise of ameliorating the need for an exhaustive set of examples of different types of network attacks. For Lincoln Lab's DARPA intrusion detection data set, the method achieves low false-positive rates while maintaining reasonable true-positive rates on individual packets. In addition, the method correctly detected packet streams in which an attack which was not previously encountered, or trained on, appears.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsNetwork Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Sparse and Compressive Sensing Techniques