Leveraging a Probabilistic PCA Model to Understand the Multivariate Statistical Network Monitoring Framework for Network Security Anomaly Detection
Fernando Pérez-Bueno, Luz García, Gabriel Maciá-Fernández, Rafael Molina

TL;DR
This paper revisits PCA-based anomaly detection in network security by establishing a probabilistic model that connects traditional PCA techniques with the MSNM framework, supported by evaluations on synthetic and real datasets.
Contribution
It introduces a mathematical model linking probabilistic PCA to MSNM, enhancing understanding of generative models in network anomaly detection.
Findings
Probabilistic PCA relates to MSNM framework.
Model validated on synthetic and real datasets.
Provides insights for applying generative models in security detection.
Abstract
Network anomaly detection is a very relevant research area nowadays, especially due to its multiple applications in the field of network security. The boost of new models based on variational autoencoders and generative adversarial networks has motivated a reevaluation of traditional techniques for anomaly detection. It is, however, essential to be able to understand these new models from the perspective of the experience attained from years of evaluating network security data for anomaly detection. In this paper, we revisit anomaly detection techniques based on PCA from a probabilistic generative model point of view, and contribute a mathematical model that relates them. Specifically, we start with the probabilistic PCA model and explain its connection to the Multivariate Statistical Network Monitoring (MSNM) framework. MSNM was recently successfully proposed as a means of…
Taxonomy
Methods: Principal Components Analysis
