Sensitivity of PCA for traffic anomaly detection (paper)
Abstract
Detecting anomalous traffic is a crucial part of managing IP networks. In recent years, network-wide anomaly detection based on Principal Component Analysis (PCA) has emerged as a powerful method for detecting a wide variety of anomalies. We show that tuning PCA to operate effectively in practice is difficult and requires more robust techniques than have been presented thus far. We analyze a week of network-wide traffic measurements from two IP backbones (Abilene and Geant) across three different traffic aggregations (ingress routers, OD flows, and input links), and conduct a detailed inspection of the feature time series for each suspected anomaly. Our study identifies and evaluates four main challenges of using PCA to detect traffic anomalies: (i) the false positive rate is very sensitive to small differences in the number of principal components in the normal subspace, (ii) the effectiveness of PCA is sensitive to the level of aggregation of the traffic measurements, (iii) a large anomaly may inadvertently pollute the normal subspace, (iv) correctly identifying which flow triggered the anomaly detector is an inherently challenging problem.
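Added illustration of challenge (i), not code from the paper: a minimal PCA subspace detector in pure Python (power iteration, no numpy) run on a constructed four-link traffic matrix, where a fixed multiple of the residual variance is assumed in place of the paper's Q-statistic threshold. With k=1 the nightly burst shared by two links is left in the residual subspace and its intervals are flagged as false positives; with k=2 only the injected spike is reported.

```python
import math
import random
def build_traffic(t=48, spike_at=24, spike_size=80.0, seed=7):
    """Constructed t x 4 link-traffic matrix (not measured data): links 0,1 share a
    diurnal curve, links 2,3 share a nightly batch burst, one spike is put on link 2."""
    rng = random.Random(seed)
    rows = []
    for i in range(t):
        diurnal = 30.0 * math.sin(2 * math.pi * i / t)
        burst = 50.0 if i in (46, 47, 0, 1) else 0.0
        spike = spike_size if i == spike_at else 0.0
        row = [100 + diurnal, 100 + diurnal, 100 + burst + spike, 100 + burst]
        rows.append([x + rng.gauss(0, 1) for x in row])  # small Gaussian jitter
    return rows
def dot(a, b):
    return sum(x * y for x, y in zip(a, b))
def principal_axes(rows, k, iters=300):
    """Column means plus the top-k unit eigenvectors of the sample covariance."""
    t, p = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / t for j in range(p)]
    cov = [[sum((r[a] - means[a]) * (r[b] - means[b]) for r in rows) / t for b in range(p)] for a in range(p)]
    axes = []
    for _ in range(k):
        v = [1.0 + 0.1 * j for j in range(p)]  # generic start vector
        for _ in range(iters):  # power iteration, deflating axes already found
            w = [dot(crow, v) for crow in cov]
            for u in axes:
                w = [wi - dot(w, u) * ui for wi, ui in zip(w, u)]
            n = math.sqrt(dot(w, w)) or 1.0
            v = [wi / n for wi in w]
        axes.append(v)
    return means, axes

def squared_prediction_errors(rows, k):
    """SPE per interval: energy left after projecting out the k-dim normal subspace."""
    means, axes = principal_axes(rows, k)
    spes = []
    for r in rows:
        resid = [x - m for x, m in zip(r, means)]
        for u in axes:
            resid = [ri - dot(resid, u) * ui for ri, ui in zip(resid, u)]
        spes.append(dot(resid, resid))
    return spes

def detect(rows, k, factor=5.0):
    """Flag intervals with SPE > factor x mean SPE; the fixed multiple of residual
    variance is an assumption standing in for the paper's Q-statistic threshold."""
    spes = squared_prediction_errors(rows, k)
    threshold = factor * sum(spes) / len(spes)
    return [i for i, s in enumerate(spes) if s > threshold]
```

Calling detect(build_traffic(), 1) flags the four burst intervals plus the spike, while detect(build_traffic(), 2) flags only interval 24, which is the sensitivity to the normal-subspace dimension that the abstract describes.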