T 2 Control Chart based on PCA with KDE Control Limit for Monitoring Intrusion

Abstract

In monitoring network anomaly, the traditional T 2 chart can be an alternative owing to its ability to capture the network anomaly. However, the new problem emerges in consequence of the hardship of the network traffic data to satisfy the multivariate normal distribution assumption in Hotelling’s T 2 chart. As a result, many false alarms will be found during the monitoring process. In this work, the combination between Hotelling’s T 2 control chart and the Principal Component Analysis (PCA) is utilized to observe the network traffic data. The PCA is used to minimize the data dimension which can reduce computational time. Meanwhile, the Kernel Density approach is employed in estimating the control limit of the non-normal process. The proposed method is applied to the famous KDD99 dataset, and its performance is compared with the other methods. Compared to the other charts, the proposed control chart yields a higher detection accuracy with a lower false alarm rate. Moreover, the proposed control chart also produces a faster computational time.