Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1, Augustin Soule 2, Jennifer Rexford.

Presentation transcript:

Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1, Augustin Soule 2, Jennifer Rexford 1, Christophe Diot 2 1 Princeton University, 2 Thomson Research

2 Outline
- Background and motivation
  - Traffic anomaly detection
  - PCA and subspace approach
- Problems with methodology
- Conclusion & future directions

3 A network in the Internet

4 Network anomalies
- We want to be able to detect these anomalies!

5 Network anomaly detectors
- Monitor health of network
- Real-time reporting of anomalies

6 Principal Components Analysis (PCA)
- Benefits
  - Finds correlations across multiple links
  - Network-wide analysis [Lakhina SIGCOMM’04]
  - Demonstrated ability to detect wide variety of anomalies [Lakhina IMC’04]
- Subspace methodology
  - We use same software

7 Principal Components Analysis (PCA)
- PCA transforms data into new coordinate system
- Principal components (new bases) ordered by captured variance
- The first k tend to capture periodic trends
- Normal subspace vs. anomalous subspace

8 Pictorial overview of subspace methodology
1. Training: separate normal & anomalous traffic patterns
2. Detection: find spikes
3. Identification: find original spatial location that caused spike (e.g. router, flow)

9 Pictorial overview of problems with subspace methodology
- Defining normalcy can be challenging
  - Tunable knobs
  - Contamination
- PCA’s coordinate remapping makes it difficult to identify the original location of an anomaly

10 Data used
- Géant and Abilene networks
- IP flow traces
- 21/11 through 28/
- Anomalies were manually verified

11 Outline
- Background and motivation
- Problems with approach
  - Sensitivity to its parameters
  - Contamination of normalcy
  - Identifying the location of detected anomalies
- Conclusion & future directions

12 Sensitivity to top k
- PCA separates normal from anomalous traffic patterns
- Works because top PCs tend to capture periodic trends
- And large fraction of variance

13 Sensitivity to top k
- Where is the line drawn between normal and anomalous?
- What is too anomalous?

14 Sensitivity to top k
- Very sensitive to number of principal components included!

15 Sensitivity to top k
- Sensitivity wouldn’t be an issue if we could tune top k parameter
- We’ve tried many different methods
  - 3σ deviation heuristic
  - Cattell’s Scree Test
  - Humphrey-Ilgen
  - Kaiser’s Criterion
- None are reliable

16 Contamination of normalcy
- What happens to large anomalies?
  - They capture a large fraction of variance
  - Therefore they are included among top PCs
  - Invalidates assumption that top PCs need to be periodic
  - Pollutes definition of normal
- In our study, the outage to the left affected 75/77 links
  - Only detected on a handful!
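
The top-k sensitivity and contamination effect from slides 12 to 16, as an added example (not from the presentation or the authors' software): a constructed 96-bin, 8-link load matrix with a diurnal trend and one load shift at bin 48 is run through a minimal subspace detector. The traffic model, spike size, power-iteration PCA and the 10x-median threshold are all assumptions chosen for illustration.

```python
import math, random

def make_traffic(t0, size, T=96, L=8, seed=7):
    """Constructed T x L link loads: diurnal trend per link plus noise; load shifts at bin t0."""
    rng = random.Random(seed)
    X = [[50.0 * (l + 2) * (2 + math.sin(2 * math.pi * t / 24)) + rng.gauss(0, 5)
          for l in range(L)] for t in range(T)]
    for l in range(L):  # constructed event: odd links gain load, even links lose it
        X[t0][l] += size if l % 2 else -size
    return X

def top_pcs(Y, k, iters=300):
    """First k principal components of centered rows Y (power iteration)."""
    L = len(Y[0])
    C = [[sum(r[i] * r[j] for r in Y) / len(Y) for j in range(L)] for i in range(L)]
    rng, pcs = random.Random(0), []
    for _ in range(k):
        v = [rng.gauss(0, 1) for _ in range(L)]
        for _ in range(iters):
            v = [sum(C[i][j] * v[j] for j in range(L)) for i in range(L)]
            for p in pcs:  # stay orthogonal to components already found
                d = sum(a * b for a, b in zip(v, p))
                v = [a - d * b for a, b in zip(v, p)]
            n = math.sqrt(sum(a * a for a in v))
            v = [a / n for a in v]
        pcs.append(v)
    return pcs

def spe(X, k):
    """Per-bin squared prediction error: energy left after removing the top-k projection."""
    T, L = len(X), len(X[0])
    mean = [sum(r[l] for r in X) / T for l in range(L)]
    Y = [[r[l] - mean[l] for l in range(L)] for r in X]
    pcs, out = top_pcs(Y, k), []
    for r in Y:
        for p in pcs:  # pcs are orthonormal, so sequential removal is exact
            d = sum(a * b for a, b in zip(r, p))
            r = [a - d * b for a, b in zip(r, p)]
        out.append(sum(a * a for a in r))
    return out

def flagged(X, k, factor=10.0):
    """Bins whose SPE exceeds factor x median SPE (threshold is an assumption)."""
    e = spe(X, k)
    med = sorted(e)[len(e) // 2]
    return [t for t, v in enumerate(e) if v > factor * med]

X = make_traffic(t0=48, size=150.0)  # constructed network-wide event at bin 48
print("k=1:", flagged(X, 1), " k=2:", flagged(X, 2))
```

With k=1 the event at bin 48 dominates the residual; with k=2 the event itself becomes the second principal component, so it is treated as normal and disappears from the anomalous subspace.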

17 Identifying anomaly locations
- Spikes when state vector projected on anomaly subspace
- But network operators don’t care about this
  - They want to know where it happened!
- How do we find the original location of the anomaly?

18 Identifying anomaly locations
- Previous work used a simple heuristic
  - Associate detected spike with k flows with the largest contribution to the state vector v
- No clear a priori reason for this association

19 Outline
- Background and motivation
- Problems with approach
- Conclusion & future directions
  - Defining normalcy
  - Identifying the location of an anomaly

20 Defining normalcy
- Large anomalies can cause a spike in first few PCs
  - Diminishes effectiveness
  - But we can presumably smooth these out (WMA)
- But first PCs aren’t always periodic
  - Which k instead of top k?
  - Initial results suggest this might be challenging also

21 Fundamental disconnect between objective functions
- PCA is optimal at finding orthogonal vectors ordered by captured variance
- But variance need not correspond to normalcy (i.e. periodicity)
- When do they coincide?

22 Identifying anomaly locations
- PCA is very effective at finding correlations
- But is accomplished by remapping all data to new coordinate system
- Strength in detection becomes weakness in identification
- Inherent limitation

23 Conclusion
- PCA is sensitive to its parameters
  - More robust methodology required
  - Training: defining normalcy (top k, which k)
  - Detection: tuning threshold
  - Identification: better heuristic
- Disconnect between objective functions
  - PCA finds variance
  - We seek periodicity
- PCA’s strengths can be weaknesses
  - Transformation good at detecting correlations
  - Causes difficulty in identifying anomaly location

Thanks! Questions? Haakon Ringberg Princeton University Computer Science

25 Outline
- Background and motivation
- Problems with approach
- Future directions
- Conclusion
  - Addressable problems, versus
  - Fundamental problems

26 Conclusion: addressable
- PCA is sensitive to its parameters
  - More robust methodology required
  - Training: defining normalcy (top k, which k)
  - Detection: tuning threshold
  - Identification: better heuristic
- Previous work used same data and optimized parameter settings as Lakhina et al.
- But these concerns might be addressable

27 Conclusion: fundamental
- We don’t know what “normal” is
- Disconnect between objective functions
  - PCA finds variance
  - We seek periodicity
- PCA’s strengths can be weaknesses
  - Transformation good at detecting correlations
  - Causes difficulty in identifying anomaly location
- Are other methods more appropriate?
- We require a standardized evaluation framework