PCA-Based Network Traffic Anomaly Detection

With the rapid development of Internet technology,various applications are developed.However,different network problems are caused at the same time.Network anomaly is one of the most frequent problems happened,which results in packet loss,long delay and even network breakdown.It is very important for network managers to detect anomalies effectively,respond rapidly and take action to repair the network.Therefore,network anomaly detection has been paid much attention by engineers and researchers.In general,anomaly detection works on two types of data:end-to-end path traffic and Traffic Matrix(TM)of the whole network.Study on end-to-end path traffic is relatively simple,focusing on a limited number of links or nodes.The overall traffic characteristic of a network can be described by a TM.In network engineering,study on the overall traffic is of great significance.Anomaly detection on TM is helpful to network optimization,forecasting and other applications.However,it is difficult to detect the anomaly due to the massive amount of data involved in networks.In this paper,Principal Component Analysis(PCA)based TM analysis and anomaly detection are explored.The characteristic of TM is represented in a small dimension through PCA.Anomaly can be detected effectively by analysis on the small dimension.The main contributions of the paper consist of three aspects:(1)Analyzing and comparing existing anomaly detection methods by studying existing network traffic models and anomaly detection approaches.(2)Analyzing TMs based on PCA.By applying PCA,the least number of principal components can be extracted to reduce the dimension of data space.The extracted principal components can contain the most significant features of the original data and lose least information.Thus,the dimension of original characteristic space can be reduced.(3)Proposing a PCA-based anomaly detection method and analyzing the performance.Anomaly detection experiments on TMs are carried out from the view of anomaly type and the probability model of characteristic parameters and other aspects.Anomaly detection methods for single and multi-nodes are given,relatively.Also,the method for distinguishing two main types of anomalies is presented in this paper.Due to the high dimensionality and sparsity of network traffic,PCA is efficient and effective for traffic analysis.Original network traffic space can be well represented by the space with appropriate dimensionality by PCA on TMs.Thus,by this method,the computing complexity is reduced,and the accuracy of anomaly detection is improved.Finally,compared to other existing approaches,the method proposed in this paper demonstrates its outperformance in anomaly detection for the whole network.