• DocumentCode
    2667083
  • Title

    Multivariate Online Anomaly Detection Using Kernel Recursive Least Squares

  • Author

    Ahmed, Tarem ; Coates, Mark ; Lakhina, Anukool

  • Author_Institution
    McGill Univ. Montreal, Montreal
  • fYear
    2007
  • fDate
    6-12 May 2007
  • Firstpage
    625
  • Lastpage
    633
  • Abstract
    High-speed backbones are regularly affected by various kinds of network anomalies, ranging from malicious attacks to harmless large data transfers. Different types of anomalies affect the network in different ways, and it is difficult to know a priori how a potential anomaly will exhibit itself in traffic statistics. In this paper we describe an online, sequential, anomaly detection algorithm, that is suitable for use with multivariate data. The proposed algorithm is based on the kernel version of the recursive least squares algorithm. It assumes no model for network traffic or anomalies, and constructs and adapts a dictionary of features that approximately spans the subspace of normal behaviour. The algorithm raises an alarm immediately upon encountering a deviation from the norm. Through comparison with existing block-based offline methods based upon Principal Component Analysis, we demonstrate that our online algorithm is equally effective but has much faster time-to-detection and lower computational complexity. We also explore minimum volume set approaches in identifying the region of normality.
  • Keywords
    computer networks; data analysis; least squares approximations; principal component analysis; security of data; telecommunication security; telecommunication traffic; computational complexity; data transfer; kernel recursive least square algorithm; multivariate online anomaly detection; network traffic statistics; principal component analysis; Detection algorithms; Dictionaries; Kernel; Least squares approximation; Least squares methods; Principal component analysis; Spine; Statistics; Telecommunication traffic; Traffic control;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE
  • Conference_Location
    Anchorage, AK
  • ISSN
    0743-166X
  • Print_ISBN
    1-4244-1047-9
  • Type

    conf

  • DOI
    10.1109/INFCOM.2007.79
  • Filename
    4215661