Title :
Studies in applying PCA and wavelet algorithms for network traffic anomaly detection
Author :
Novakov, Stevan ; Chung-Horng Lung ; Lambadaris, Ioannis ; Seddigh, Nabil
Author_Institution :
Dept. of Syst. & Comput. Eng., Carleton Univ., Ottawa, ON, Canada
Abstract :
The rising complexity of network anomalies necessitates increased attention to developing new techniques for detecting those anomalies. The majority of current network and security monitoring tools utilize a signature-based approach to detect anomalies. This approach must be complemented with other methods to widen the coverage and speed of anomaly detection. In recent years, a great deal of effort has been spent on studying network traffic anomaly detection techniques by security researchers. Those techniques include the statistical analysis technique referred to as PCA (Principal Component Analysis), clustering and Wavelet-based spectral analysis of network traffic. This paper makes three key contributions to advance the state of the art in network traffic anomaly detection. First, we study the effectiveness of PCA and Wavelet algorithms in detecting network anomalies from a labeled data set known as Kyoto2006+ - providing a useful baseline for future researchers. Second, we propose a novel anomaly detection approach based on a hybrid PCA-Haar Wavelet analysis methodology. The hybrid approach uses PCA to describe the data and Haar Wavelet filtering for analysis. Finally, we study the impact of applying the techniques solely to flow-based traffic summary data to detect network anomalies. The experimental results demonstrate an improved accuracy of the hybrid approach in comparison with the two algorithms individually.
Keywords :
Haar transforms; digital signatures; principal component analysis; wavelet transforms; Haar Wavelet filtering; anomaly detection; current network; data wavelet filtering; hybrid PCA Haar Wavelet analysis methodology; network traffic anomaly detection; principal component analysis; security monitoring tools; security researchers; statistical analysis technique; wavelet algorithms; wavelet based spectral analysis; Algorithm design and analysis; Entropy; IP networks; Principal component analysis; Spectral analysis; Telecommunication traffic; Wavelet analysis; Haar Wavelet Analysis; Network Anomaly Detection; PCA; Principal Component Analysis;
Conference_Title :
High Performance Switching and Routing (HPSR), 2013 IEEE 14th International Conference on
Conference_Location :
Taipei
DOI :
10.1109/HPSR.2013.6602310