Evaluating a modified PCA approach on network anomaly detection

Abstract

As the number, complexity and diversity of cyber threats continues to increase, anomaly detection techniques have proven to be a powerful technique to augment existing methods of security threat detection. Research has shown that Principal Component Analysis (PCA) is an anomaly detection method known to be viable for pinpointing the existence of anomalies in network traffic. Despite its recognized utility in detecting cyber threats, previous relevant research work has highlighted certain inconsistencies when the classical PCA method is used to detect anomalies in network traffic, resulting in false positives and false negatives. Specifically, it has been shown that the efficiency of the results are highly dependent on the nature of the input data and the calibration of its parameters. In classical PCA, the parameters have to be carefully selected in order to correctly define the normal and abnormal space. By obtaining real network traffic traces from a small enterprise and artificially injecting anomalies, we experiment with a modified PCA method to address the above shortcomings. The results of our experimentation are encouraging. The results indicate our modified PCA method may possess promising capabilities to efficiently detect network anomalies while addressing some of the limitations of the classic PCA approach.