Traffic Anomaly Detection Based on Robust Principal Component Analysis Using Periodic Traffic Behavior

Takahiro MATSUDA  Tatsuya MORITA  Takanori KUDO  Tetsuya TAKINE  

IEICE TRANSACTIONS on Communications   Vol.E100-B   No.5   pp.749-761
Publication Date: 2017/05/01
Online ISSN: 1745-1345
DOI: 10.1587/transcom.2016EBP3239
Type of Manuscript: PAPER
Category: Network
Keyword: principal component analysis (PCA), outlier, robust PCA, anomaly detection, minimum covariance determinant (MCD)

In this paper, we study robust Principal Component Analysis (PCA)-based anomaly detection techniques for network traffic, which detect traffic anomalies by projecting measured traffic data onto a normal subspace and an anomalous subspace. In PCA-based anomaly detection, outliers (anomalies with excessively large traffic volume) may contaminate the subspaces and degrade the performance of the detector. To solve this problem, robust PCA methods have been studied. In a robust PCA-based anomaly detection scheme, outliers can be removed from the measured traffic data before the subspaces are constructed. Although robust PCA methods are promising, they incur a high computational cost to obtain the optimal location vector and scatter matrix for the subspace. We propose a novel anomaly detection scheme that extends the minimum covariance determinant (MCD) estimator, a robust PCA method. The proposed scheme exploits the daily periodicity in traffic volume and attempts to detect anomalies in every period of measured traffic. In each period, before the subspace is constructed, outliers are removed from the measured traffic data by using the location vector and scatter matrix obtained in the preceding period. We validate the proposed scheme by applying it to traffic data measured in the Abilene network. Numerical results show that the proposed scheme provides robust anomaly detection at lower computational cost.
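The period-by-period idea in the abstract, as an added example that is not the authors' implementation: each day's samples are screened by Mahalanobis distance under the preceding day's location vector and scatter matrix, the normal subspace is refit on what remains, and the squared residual in the anomalous subspace scores new samples. The plain mean/covariance refit (no MCD search), the one-dimensional normal subspace, the cut-off 16.27, the clean first day, and all function names and traffic values are assumptions of this example.

```python
import math, random

def location_scatter(X):
    # Location vector (sample mean) and scatter matrix (sample covariance).
    n, d = len(X), len(X[0])
    mu = [sum(r[j] for r in X) / n for j in range(d)]
    S = [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in X) / (n - 1)
          for j in range(d)] for i in range(d)]
    return mu, S

def mahalanobis2(x, mu, S):
    # Squared Mahalanobis distance; Gauss-Jordan solves S z = x - mu.
    diff = [a - m for a, m in zip(x, mu)]
    M = [row[:] + [e] for row, e in zip(S, diff)]
    for c in range(len(M)):
        for r in range(len(M)):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [a - f * e for a, e in zip(M[r], M[c])]
    return sum(e * row[-1] / row[i] for i, (e, row) in enumerate(zip(diff, M)))

def top_pc(S, iters=200):
    # Leading eigenvector by power iteration: a 1-D normal subspace (assumed).
    v = [1.0] * len(S)
    for _ in range(iters):
        w = [sum(a * e for a, e in zip(row, v)) for row in S]
        v = [a / math.hypot(*w) for a in w]
    return v

def spe(x, mu, v):
    # Squared norm of x's projection onto the anomalous (residual) subspace.
    diff = [a - m for a, m in zip(x, mu)]
    t = sum(a * e for a, e in zip(diff, v))
    return sum((a - t * e) ** 2 for a, e in zip(diff, v))

def fit_period(X, prev_mu, prev_S, cutoff=16.27):
    # Assumed cut-off: chi-square 0.999 quantile, 3 degrees of freedom (3 links).
    clean = [x for x in X if mahalanobis2(x, prev_mu, prev_S) <= cutoff]
    mu, S = location_scatter(clean)
    return mu, S, top_pc(S), len(X) - len(clean)

def make_day(seed, outliers=()):
    # Constructed data: 96 samples on 3 links sharing one daily cycle.
    rng = random.Random(seed)
    day = [[100 + g * math.sin(2 * math.pi * t / 96) + rng.gauss(0, 1)
            for g in (10, 20, 5)] for t in range(96)]
    for t in outliers:
        day[t][0] += 500  # excessively large volume on link 0
    return day
```

Calling `top_pc(location_scatter(day)[1])` directly on a day built with `outliers=(10, 40, 41, 70, 90)` shows the contamination the abstract describes: the leading component swings toward link 0 instead of the shared daily cycle, whereas `fit_period` with the previous day's estimates keeps it aligned with the cycle.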