Abstract

In this work, we develop an architecture for principal component analysis (PCA) to be used as an outlier detection method for high-speed network intrusion detection systems (NIDS). PCA is a common statistical method used in multivariate optimization problems to reduce the dimensionality of data while retaining a large fraction of the data's characteristics. First, using KDD Cup 1999 data sets composed of all normal connections, PCA is used to project the training set onto eigenspace vectors representing the mean of the data. These eigenspace vectors are then used to predict malicious connections in a workload containing normal and attack behavior. Our simulations show that the proposed architecture correctly classifies attacks with detection rates exceeding 99% and false alarm rates below 2%. For next-generation NIDS, anomaly detection methods must satisfy the demands of Gigabit Ethernet. FPGAs are an attractive medium to handle both high throughput and adaptability to the dynamic nature of intrusion detection. Using hardware parallelism and extensive pipelining, our architecture is implemented on FPGAs to achieve Gigabit link speeds. In particular, our simulation results show that for a realistic workload our architecture clocks at 92.82 MHz on a Virtex-II Pro FPGA and achieves a throughput of 23.76 Gbps.
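The train-on-normal, project, then flag workflow described above can be sketched in software as follows; this is an added example, not the paper's architecture or code. It assumes three features (duration, src_bytes, dst_bytes), a residual-distance score, a threshold at the 98th percentile of training scores, and constructed traffic rather than KDD Cup 1999 records.

```python
import numpy as np

def fit_pca(normal, q):
    """Learn mean, scale and the top-q principal axes from normal-only traffic."""
    mean, std = normal.mean(axis=0), normal.std(axis=0) + 1e-9
    z = (normal - mean) / std
    eigvals, eigvecs = np.linalg.eigh(np.cov(z, rowvar=False))
    top = np.argsort(eigvals)[::-1][:q]          # largest-variance axes first
    return {"mean": mean, "std": std, "axes": eigvecs[:, top]}

def outlier_score(model, x):
    """Squared distance from the subspace spanned by the retained axes."""
    z = (np.asarray(x, dtype=float) - model["mean"]) / model["std"]
    y = z @ model["axes"]                        # coordinates in eigenspace
    residual = z - y @ model["axes"].T           # part the axes cannot explain
    return np.sum(residual ** 2, axis=-1)

def train(normal, q=1, false_alarm_budget=0.02):
    """Fit on normal traffic and set the alarm threshold from its own scores."""
    model = fit_pca(normal, q)
    scores = outlier_score(model, normal)
    # Assumption: threshold chosen so about 2% of training traffic would alarm.
    model["threshold"] = np.percentile(scores, 100 * (1 - false_alarm_budget))
    return model

def is_anomalous(model, x):
    return bool(outlier_score(model, x) > model["threshold"])

def constructed_normal_traffic(n=500, seed=0):
    """Constructed sample: columns are duration, src_bytes, dst_bytes."""
    rng = np.random.default_rng(seed)
    src = rng.uniform(100, 1000, n)
    dst = 3 * src + rng.normal(0, 20, n)         # replies scale with requests
    dur = src / 100 + rng.normal(0, 0.2, n)      # longer transfers take longer
    return np.column_stack([dur, src, dst])

MODEL = train(constructed_normal_traffic())

if __name__ == "__main__":
    print(is_anomalous(MODEL, [4.0, 400, 1200]))  # follows the learned correlation
    print(is_anomalous(MODEL, [0.1, 900, 50]))    # breaks it: large send, tiny reply
```

Every feature value stays inside the range seen in training for the second connection; it is flagged only because it leaves the correlation structure the retained axis captures.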
