Open AccessImproving network anomaly detection effectiveness via an integrated multi‐metric‐multi‐link (M 3 L) PCA‐based approach
Author(s) -
Chatzigiannakis V.,
Papavassiliou S.,
Androulidakis G.
Publication year - 2008
Publication title -
security and communication networks
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.446
H-Index - 43
eISSN - 1939-0122
pISSN - 1939-0114
DOI - 10.1002/sec.69
Subject(s) - anomaly detection , computer science , metric (unit) , anomaly (physics) , data mining , principal component analysis , volume (thermodynamics) , range (aeronautics) , performance metric , artificial intelligence , operations management , physics , materials science , management , quantum mechanics , economics , composite material , condensed matter physics
In this paper an enhanced anomaly detection approach based on the fusion of data gathered from various monitors spread throughout a wide area network is introduced. The proposed approach is based on the application of principal component analysis on multi‐metric‐multi‐link data, and provides an efficient and unified way of taking into account the combined effect of the correlated observed data, for anomaly detection purposes. It actually introduces a generalized anomaly detection methodology, capable of detecting not only volume based anomalies but also a much wider range of classes of anomalies, such as the ones that may result in alterations in traffic composition or traffic paths. The performance of the proposed multi‐metric‐multi‐link anomaly detection approach is evaluated via simulation, and is compared against the corresponding techniques that are based on the single‐metric analysis. Finally, its operational effectiveness is demonstrated in a realistic environment using real data collected from the core routers of the Greek research and technology network (GRNET). Copyright © 2008 John Wiley & Sons, Ltd.