Network Anomaly Identification based on Tensor Decomposition

Abstract


The problem of detecting anomalies in data networks has been widely studied and is a topic of fundamental importance. Many anomaly detection methods are based on inspecting packets collected at the network core routers, with consequent disadvantages in terms of computational cost and privacy. We propose an alternative method in which packet header inspection is not needed. The method is based on the extraction of a normal subspace, obtained by tensor decomposition, that takes into account the correlation between different metrics. Another advantage of our proposal is the interpretability of the obtained models. The flexibility of the proposal is illustrated by applying it to two distinct examples, both using actual data collected on residential routers.

Keywords: Data intensive computing (big data), Data mining and analysis, Detection and prevention of anomalies and attacks, Network measurement and monitoring

Published
2020-12-07
STREIT, Ananda Görck; SANTOS, Gustavo H. A.; LEÃO, Rosa M. M.; E SILVA, Edmundo de Souza; MENASCHÉ, Daniel Sadoc. Network Anomaly Identification based on Tensor Decomposition. In: BRAZILIAN SYMPOSIUM ON COMPUTER NETWORKS AND DISTRIBUTED SYSTEMS (SBRC), 38., 2020, Rio de Janeiro. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2020. p. 952-965. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2020.12337.