Volume 32 Issue 10
Dec.  2010
Qian Ye-Kui, Chen Ming. A Multivariate Online Anomaly Detection Algorithm Based on SVD Updating[J]. Journal of Electronics & Information Technology, 2010, 32(10): 2404-2409. doi: 10.3724/SP.J.1146.2009.01342

A Multivariate Online Anomaly Detection Algorithm Based on SVD Updating

doi: 10.3724/SP.J.1146.2009.01342
  • Received Date: 2009-10-15
  • Rev Recd Date: 2010-02-16
  • Publish Date: 2010-10-19
  • Network anomaly detection is critical to keeping network operation stable and effective. Although the PCA-based network-wide anomaly detection algorithm has good detection performance, it cannot satisfy the demands of online detection. To solve this problem, the traffic matrix model is introduced and a Multivariate Online Anomaly Detection Algorithm based on Singular Value Decomposition Updating, named MOADA-SVDU, is proposed. The algorithm constructs the normal subspace and the abnormal subspace incrementally and implements online detection of network traffic anomalies. Theoretical analysis shows that MOADA-SVDU has lower storage and computing overhead than PCA. Analyses of traffic matrix datasets from the Internet and simulation experiments show that MOADA-SVDU not only achieves online detection of network anomalies but also has very good detection performance.
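
A sketch of the idea in the abstract, added here as an illustration and not the paper's MOADA-SVDU implementation: a rank-k normal subspace is updated one traffic vector at a time, and the energy left in the abnormal (residual) subspace is the anomaly score. The class and function names, the empirical threshold rule, the choice to skip flagged vectors and the sample data are all assumptions.

```python
import numpy as np

class OnlineSubspaceDetector:
    """Rank-k normal subspace of a traffic matrix, maintained by SVD updating."""

    def __init__(self, warmup, k, n_sigma=6.0):
        # warmup: (flows x intervals) block assumed anomaly-free (assumption)
        U, s, _ = np.linalg.svd(warmup, full_matrices=False)
        self.U, self.s, self.k = U[:, :k], s[:k], k
        resid = warmup - self.U @ (self.U.T @ warmup)
        spe = np.sum(resid ** 2, axis=0)
        # Empirical threshold (assumption; the page does not give the paper's)
        self.threshold = spe.mean() + n_sigma * spe.std()

    def observe(self, x):
        """Score one interval's traffic vector, then fold it in if normal."""
        p = self.U.T @ x          # coordinates in the normal subspace
        r = x - self.U @ p        # component in the abnormal subspace
        spe = float(r @ r)        # squared prediction error
        anomalous = spe > self.threshold
        if not anomalous:         # keep flagged vectors out of the model
            self._update(p, r)
        return spe, anomalous

    def _update(self, p, r):
        # Column-append SVD update: only a (k+1)x(k+1) SVD per interval,
        # and no past traffic vectors are stored.
        rho = np.linalg.norm(r)
        if rho < 1e-12:
            return
        k = self.k
        K = np.zeros((k + 1, k + 1))
        K[:k, :k] = np.diag(self.s)
        K[:k, k] = p
        K[k, k] = rho
        Uk, sk, _ = np.linalg.svd(K)
        basis = np.hstack([self.U, (r / rho)[:, None]])
        self.U, self.s = (basis @ Uk)[:, :k], sk[:k]

def demo(seed=7, flows=20, k=3, warm=200, live=100, spike_at=60):
    # Constructed data: low-rank "normal" traffic plus noise, one injected spike
    rng = np.random.default_rng(seed)
    A = rng.normal(size=(flows, k))
    X = A @ rng.normal(scale=10.0, size=(k, warm + live))
    X += rng.normal(scale=0.1, size=X.shape)
    X[4, warm + spike_at] += 5.0
    det = OnlineSubspaceDetector(X[:, :warm], k)
    results = [det.observe(X[:, warm + t]) for t in range(live)]
    return det, results
```

The per-interval cost depends only on the number of flows and on k, not on how many intervals have been seen, which is the storage and computation advantage over recomputing PCA on the full traffic matrix.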
