ieee transactions on cybernetics 1 detection of … · in the training phase, our approach has the...
TRANSCRIPT
IEEE TRANSACTIONS ON CYBERNETICS 1
Detection of cybersecurity attacks throughanalysis of web browsing activities using
principal component analysisInsha Ullah, Kerrie Mengersen, Rob J Hyndman, and James McGree
Abstract—Organizations such as government departments and financial institutions provide online service facilities accessible via anincreasing number of internet connected devices which make their operational environment vulnerable to cyber attacks. Consequently,there is a need to have mechanisms in place to detect cyber security attacks in a timely manner. A variety of Network IntrusionDetection Systems (NIDS) have been proposed and can be categorized into signature-based NIDS and anomaly-based NIDS. Thesignature-based NIDS, which identify the misuse through scanning the activity signature against the list of known attack activities, arecriticized for their inability to identify new attacks (never-before-seen attacks). Among anomaly-based NIDS, which declare aconnection anomalous if it expresses deviation from a trained model, the unsupervised learning algorithms circumvent this issue sincethey have the ability to identify new attacks. In this study, we use an unsupervised learning algorithm based on principal componentanalysis to detect cyber attacks. In the training phase, our approach has the advantage of also identifying outliers in the trainingdataset. In the monitoring phase, our approach first identifies the affected dimensions and then calculates an anomaly score byaggregating across only those components that are affected by the anomalies. We explore the performance of the algorithm viasimulations and through two applications, namely to the UNSW-NB15 dataset recently released by the Australian Centre for CyberSecurity and to the well-known KDD’99 dataset. The algorithm is scalable to large datasets in both training and monitoring phases, andthe results from both the simulated and real datasets show that the method has promise in detecting suspicious network activities.
Index Terms—Intrusion detection, Cyber security, Singular value decomposition, Principal component analysis, Unsupervisedalgorithm.
F
1 INTRODUCTION
The vulnerability of government departments and in-dustries to cyber attacks is rising due to the increased usageand reliance on network-connected platforms and internet-connected devices. As such, there is a need to not only havesecure cyber systems but also have mechanisms in placeto detect cyber security attacks in a timely manner. Theanalysis of automatically generated logs from network andsystem devices can provide deep insight into the currentstate of security of computer systems. In addition, effectivethreat intelligence can be performed which can proactivelypredict several possible attack vectors relevant to govern-ment departments. However, there are particular challengesin dealing with such data, including the sheer volumeof events of web browsing activity. Thus, computationallyefficient approaches are needed for handling and analyzingsuch data.
Network intrusion detection, as a particular form ofanomaly detection, is an active area of research. Many Net-work Intrusion Detection Systems (NIDS) are designed toprotect against malicious activities on the network [e.g. see1, 2, 3, for references]. These systems can be classified intotwo main categories [4]: signature-based NIDS (also known
• Insha Ullah was a research associate in the Science and EngineeringFaculty, Queensland University of Technology, QLD, Australia, 4000.E-mail: [email protected]
• Kerrie Mengersen and James McGree are with the Queensland Universityof Technology, Australia.
• Rob J Hyndman is with Monash University, Australia.
as misuse-based NIDS) and anomaly-based NIDS [5, 6]. Insignature-based NIDS, misuse is identified by scanning theactivities’ signatures against a database of known maliciousactivities signatures. Many companies (such as Splunk1 andSumo Logic2) and open source packages (such as Elastic-Search3 and Graylog4) provide log analysis services basedon static signature matching. Although the signature-basedNIDS have seen high accuracies and low false alarm ratesagainst the known type of attacks, they lack the ability toidentify new attacks due to the incomplete list of knownmalicious activities. Another shortcoming of the signature-based NIDS is that the attackers need to make only a slightmodification to their signature to avoid them [7]. On theother hand, in an anomaly-based NIDS a profile of normalactivities is built using machine learning algorithms andfuture activities are scanned against the normal profile.
A variety of supervised and unsupervised statistical ma-chine learning algorithms have been proposed for intrusiondetection. In general, the supervised learning (classifica-tion) algorithms are known to have superior performancecompared with the unsupervised (clustering) algorithms interms of classification accuracy. However, their requirementof having a pre-labelled training dataset is often unavailablein many applications. For example, large networks can
1. https://www.splunk.com2. https://www.sumologic.com3. https://www.elastic.co/4. https://www.graylog.org/
IEEE TRANSACTIONS ON CYBERNETICS 2
easily produce hundreds of gigabytes in logs each day. Alarge training dataset may be required to learn the normalbehavior of such a large system. Further, the normal activi-ties patterns may change over time, which may require re-training of the previously fitted model periodically. In suchcases, it may not always be feasible to label each instance ofa network activities dataset as normal or malicious since itrequires human involvement to review and classify trainingdata, and this requirement does not scale to large data sets.Further, some anomalies may be unknown or at least unseenin the training dataset.
Consequently, unsupervised learning methods seemmore appealing for monitoring network activities since theydo not require a pre-labelled training dataset. However,they do require a clean dataset (free of attacks) if themonitoring objective is to uncover both known and newtypes of attacks but we note that this is generally easyto acquire [8]. Precisely, an unsupervised anomaly-basedNIDS works in two phases: training and monitoring. In thetraining phase, a model or an algorithm is used to learnthe normal behavior of a system using a ‘normal’ activitydataset. In the monitoring phase, the learned model is usedto evaluate the behavior of the future network traffic. Abehavior that is inconsistent with the trained model triggersan alert such that the activity can be further investigated.If the investigation leads to a declaration of the identifiedanomaly as normal activity, this activity should be includedin the normal profile and the model is re-trained for fu-ture scanning. Unsupervised anomaly-based NIDS have theability to identify what is referred to as zero-day or never-before-seen attacks [9]. Note also that in some applicationsthe objective may be to detect only new attacks, in whichcase the training dataset is allowed to contain the knowntypes of attacks.
A variety of unsupervised learning algorithms havealready been adapted for intrusion detection. However,some of these are computationally intensive and requirelarge computer memory to operate in practice [e.g. see10, 11]. Dimension reduction approaches such as principalcomponent analysis (PCA) have also been proposed [12, 13].These are appealing because they are statistically coherent,computationally faster and scalable. However, PCA-basedNIDS have been criticized by [8] for several reasons. First,these NIDS are sensitive to the choice of the number ofprincipal components that capture the normal activitiespatterns. Often ad hoc approaches are used to make thischoice. Second, the effectiveness of PCA is sensitive to thelevel of aggregation of the traffic measurements. Third, thepresence of unusual observations in the normal activitiesdata that are used for training purpose makes the NIDS lesseffective. Fourth, correctly identifying which flow triggeredthe anomaly detector is an inherently challenging problem.
Most of the PCA-based NIDS developed so far sharedisadvantages highlighted by [8]. For example, [14] and[15] have used the proportion of variance captured and thescree-plot method, respectively, to choose the number ofcomponents. These ad hoc procedures to select the numberof PCs render the PCA less effective, since it is likely to missthe components that describe the anomaly if they are amongthe minor components (last PCs that explain less varianceand are often dropped from the analysis). To address the
third issue; that is, the existence of unusual observationsin the normal activities data, [16] have used PCA based onrobust estimators; however, the selection of the number ofcomponents is still an unsolved problem in their study.
A large number of variables could be recorded to de-scribe the behavior of the network traffic [17]. It could bethat an anomaly is different from normal activities patternswith respect to fewer variables and the other variables areirrelevant. This is assumed by [18], for example, and is theusual assumption of variable selection methods. It may alsobe that a set of variables that distinguishes one kind ofanomaly from normal activities behavior differs from the setthat are useful in identifying another kind of anomaly. PCAseeks to derive new variables called principal components(PCs) as linear combinations of the input variables such thata few of the new variables account for the maximum vari-ability among the input variables. If the data are similarlyscaled, the magnitude of the coefficients (also referred to asloadings) in a PC reflect relative importance of the respectiveinput variables in describing the variation ascribed to thatPC and the signs of the coefficients specify positive ornegative correlation between the input variables. Typicallyeach input variable has a non-zero coefficient across all PCseven if the variables are just a random noise. However,in practice it is common that majority of the componentloadings are close to zero [19] and are of less practicalsignificance. A variable that makes an anomaly detectablein a large number of observations is important and a PCthat has a large loading for this important variable needs tobe taken into account when calculating scores for anomalydetection. It is also likely that this important variable hashigh correlation with all other variables that too are usefulin identifying the same anomaly, hence are likely to havelarger loadings for the same PCs.
In this paper we propose to use PCA to more effectivelydetect unusual web browsing activities and attempt to ad-dress the issues raised by [8]. In the training phase we fitthe PCA model using the normal activities dataset and findthe bootstrap distribution of the standard deviations of thestandardized PCs. These bootstrap distributions are usefulin identifying the important PCs and also helps in locatinglarge influential observations if there are any in the trainingset of data. In the monitoring phase, we take into accountfewer important components to calculate anomaly scores forfuture connections. The scores of anomalous activities basedon only important components are expected to deviate sub-stantially from the scores obtained for normal connectionsand hence should be useful in identifying intrusions. Forillustration we consider the performance of this approach ina simulation study and through application to two publiclyavailable datasets including UNSW-NB15 dataset recentlyreleased by the Australian Centre for Cyber Security. Ourmethod is straightforward to understand, computationallyefficient to implement and empirical evaluation on severalreal-world datasets suggests that it is more effective indetecting abnormal activities when compared to existingmethods.
IEEE TRANSACTIONS ON CYBERNETICS 3
2 PRINCIPAL COMPONENT ANALYSIS
PCA is traditionally used as a dimension reduction tech-nique since it tends to capture as much variation as possiblein a few components and is a useful tool to visualize high-dimensional data in a manageable low-dimensional space[20, 21, 22]. It uses an orthogonal transformation to trans-form a set of p (possibly correlated) observed variables intoanother set of p uncorrelated variables. The new derived setof variables are the p principal components (PCs). Each PCis a linear combination of the originally observed variablessuch that the first PC stands for the axis along which theobserved data exhibit the highest variance, the second PCstands for the axis that is orthogonal to the first PC andalong which the observed data exhibit the second highestvariance, the third PC stands for the axis that is orthogonalto the first two PCs and along which the observed dataexhibit the third highest variance, and so on. Similarly, thepth PC (the last one) stands for the axis that is orthogonalto the remaining p − 1 PCs and along which the observeddata exhibit the least variance. In this way, the p orthogonaldimensions of variability that exist in the data are capturedin p PCs and the proportion of variability that each PCaccounts for accumulates to the total variation in the data.It is often the case that the first q (q � p) PCs retaininterpretable patterns in the observed data and the restcontain variation mainly due to noise [20].
More formally, let yij denote a real-valued observationmade of the jth variable on the ith subject, where i =1, . . . , n and j = 1, . . . , p. Assume that the n observationsare arranged in n rows of a n × p matrix Y with columnscorresponding to p variables or features. We standardizecolumns of matrix Y to have zero mean and unit standarddeviation, and store the resultant values in a matrix X , thatis, the elements xij of X are obtained by xij = (yij− yj)/sj ,where yj and sj are the mean and standard deviation ofthe jth column of matrix Y , respectively. The PCA can beperformed by singular value decomposition (SVD) of X ,that is, the n× p matrix is decomposed as
X = UΓV T , (1)
where U is n × p matrix with orthonormal columns, Γ isa p × p diagonal matrix containing non-negative singularvalues and V is a p × p matrix with orthonormal columns.Denote the sample correlation matrix of X by R, which canbe expressed as
R =1
n− 1XTX = V ΛV T , (2)
where Λ = 1/(n − 1)Γ2 is a p × p diagonal matrix con-taining p eigenvalues λ = (λ1, . . . , λp)
T on the diagonal indecreasing order of magnitude. It follows that the p columnsof matrix V contain the eigenvectors of R and hence are thedesired axes of variation. The derived set of p transformedvariables (the PCs) are obtained by
Z = XV.
It is important to note that the matrix U above containsstandardized PCs in columns and is a scaled version of Z ,which is provided additionally in (1). To see this, multiply(1) on the right by V as follows
XV = UΓ
orZ = UΓ.
In practice, the first q major components are of greaterinterest since they account for most of the variation in thedata and the dimension of Z is thus reduced from p to q,that is
Z = XV ,
where V is a p × q matrix that contains the first q columnsof V and Z contains the first q PCs. A lower rank approxi-mation of X can be obtained by
X = ZV T , (3)
which is the best approximation of X in the least-square-sense by a matrix of rank q [23].
If X has a multivariate normal distribution, then thestatistic
ti =
q∑j=1
z2ijλj
= (n− 1)
q∑j=1
u2ij , (4)
follows a chi-square distribution with q degrees of freedomthat is ti ∼ χ2
q distribution [12, 23], where zij and uij arethe elements of Z and U . Determining a suitable value of qis a model selection problem and a poor model choice mayresult in an incomplete representation of the data. A suitablechoice is made through domain knowledge or using dataexploration together with some available heuristic options[24, 23].
2.1 Intrusion detection system based on PCAAs mentioned above, an unsupervised NIDS operates intwo phases: the training phase and the monitoring phase.In the training phase, the normal activities patterns arelearned through fitting a model to the recorded clean dataset(referred to as training set of data). Precisely, assume that pfeatures are measured for each of the n normal activitiesconnections. Let yij be the recorded observation of theith normal activity connection made on the jth featurecontained in a n× p training data matrix Y . The columns ofthe matrix Y are standardized to have zero mean and unitstandard deviation, and the standardized training datasetis stored in a matrix X , that is, the elements of X areobtained by xij = (yij − yj)/sj , where yj and sj are themean and standard deviation of the jth column of matrixY , respectively. A PCA model given in (1) is fitted to thedata in X .
In the monitoring phase, a newly observed set of net-work traffic connections (referred to as test set of data) ischecked with the normal activities model learned in thetraining phase and an anomaly warning is triggered if anyof the new connections shows deviation from the trainedmodel.
More formally, let Y f be an m × p matrix of newlyobserved set of connections. To obtain Xf , we adjust eachelement yfij of the matrix Y f by first subtracting the meanof the jth column of the normal activities dataset Y andthen divide by the standard deviation of the jth columnof normal activities dataset Y that is xfij = (yfij − yj)/sj .[12] develop an intrusion detection system based on thestatistic ti in (4). They propose to monitor two statistics:
IEEE TRANSACTIONS ON CYBERNETICS 4
one based on principal components (first few componentsthat account for most of the variation in the data) andanother based on minor components (last few components).To obtain a threshold for monitoring future data, they relyon the empirical distribution of ti (they have not mentionedany specific estimation method) since the assumption ofmultivariate normality is often violated in network connec-tions data. Since different kinds of attacks might create shifts(anomalies) along different eigenvectors, the disadvantageof this approach is that it might miss signals along theeigenvectors that are disregarded. [14] proposed to monitorthe error induced by the approximate reconstruction of theactual connection using the expression in (3) instead ofmonitoring two statistics; that is, they monitor
ε = ||Xf − Xf ||2,
where Xf = Xf V V T and V is based on the normalactivities dataset obtained in (1). We will refer to the methodof [12] as PCC and that of [14] as WBPCA for the rest ofthis paper. [14] have shown numerically that WBPCA has aslightly better performance than PCC in terms of detectionrate and false discovery rate. The downside of WBPCA isthat it only takes into account the principal components andignores the minor components completely; therefore, theirmonitoring models are likely to be less sensitive to the at-tacks that affect only the minor components and anomaliesthat are rare events.
It is possible that a particular type of attack creates a shiftalong the directions of fewer eigenvectors (possibly a mix ofsome principal and some minor components) and there isnegligible or no change along the other dimensions. This isbecause each PC is a linear combination of the p observedvariables and it is common in practice that a particular PChas larger coefficients for some of the p observed variableswhile the coefficients for the remainder of the observedvariable are close to zero. Now if an anomalous connectiondiffers to the normal activity connections with respect toonly one feature (say F) and only one particular PC (sayPCF) has a large coefficient for F (the coefficient for theremainder of the observed variables may or may not belarge), the shift caused by this anomalous connection willbe expressed only along PCF. In this case, if ti is basedon only the PCF, the anomaly will be more likely to bedetected, compared to if ti is based on the rest of thecomponents. Further, the first few PCs that account for mostof the variation in the data are noisier and the possibility isthat the perturbations caused by anomalies might be lesspronounced along these PCs, compared to the PCs thataccount for less variation in the data. In order to make thesystem more sensitive to such anomalies, it is important totake into account the most affected dimensions rather thanchoosing some of the principal or minor components which(if not affected) will add noise and may actually obscure theanomalies.
We propose a similar system to PCC that is based onPCA but unlike the above mentioned approaches we takeinto account the dimensions that may be most affected byanomalies or attacks. To proceed, re-write the expression in(1) as
XV Γ−1 = U. (5)
Since the columns of U are orthonormal, we have
(n− 1)cov(XV Γ−1) = (n− 1)cov(U) = I, (6)
where I is an identity matrix. If X and Xf are generated bythe same model then the same relationship in (6) holds forXf , that is,
(n− 1)cov(XfV Γ−1) = (n− 1)cov(Uf ) = I.
On the other hand, if Xf is generated by a differentmodel then all or some of the diagonal elements of (n −1)cov(XfV Γ−1) will be larger than unity. It is possible thatsome of the diagonal elements of (n − 1)cov(XfV Γ−1) areless affected or not affected at all. In this situation, it ismore sensible to evaluate the standard deviations of thecolumns of
√n− 1Uf , say suj (the diagonal elements of
(n − 1)cov(XfV Γ−1)), and consider those dimensions forwhich the corresponding suj ’s deviate from unity.
In our monitoring system, we exploit the above fact andconsider only those components that are affected by theanomalies, thereby making the system more sensitive to thedeviations from the normal activities model. Let ruj be thestandard deviation of the jth column of
√n− 1U . To ac-
count for sampling variation in each suj , we use a thresholdδ(1−α)j obtained as the (1 − α)th quantile of the bootstrap
distribution of ruj . The jth component is considered affectedif suj exceeds δ(1−α)j and is thus considered towards thefinal score tfi of the newly observed data. To identify theanomalous connection, we use another threshold θ(1−α)
obtained as the (1 − α)th quantile of χ2q , where q is the
number of suj that exceed δ(1−α)j . Our system is then based
on the anomaly affected components.We call this proposal AAD and formalize it in the fol-
lowing algorithm:
1) Obtain X by standardizing the normal activitiesdataset Y that is xij = (yij − yj)/sj .
2) Estimate V and Λ based on X using singular valuedecomposition.
3) Obtain δ(1−α)j based on the bootstrap distribution ofruj .
4) Obtain Uf using the newly observed dataset that isUf = XfV Γ−1, where xfij = (yfij − yj)/sj .
5) Calculate suj ’s, the standard deviations of thecolumns of
√n− 1Uf . In the absence of intrusion,
we expect all suj ’s to be unity. If suj > δ(1−α)j for any
j, then declare the possible presence of anomalousconnections in Y f .
6) To identify the anomalous connections, calculatetfi using the expression in (4) that is tfi = (n −1)
∑qj=1(ufij)
2, where the sum is performed over theq affected columns of Uf .
7) For the ith connection, if tfi > θ(1−α), where θ(1−α)
is the (1 − α)th quantile of χ2q , then declare it
anomalous.
It is important to reiterate here that AAD relies on theassumption of multivariate normality for its threshold θα.As noted above, this assumption is often violated in networkdata and may render AAD unreliable. One solution is toconsider the bootstrap distribution of ti which requires
IEEE TRANSACTIONS ON CYBERNETICS 5
upfront knowledge of the components whose suj exceedsδ(1−α). In our use of AAD, we rely on the bootstrap distri-bution of θ(1−α) unless otherwise stated. Making available acomputationally cumbersome bootstrap distribution of ti inreal time — after knowing the important components thatneed to be evaluated — may impede the real time detectionin large-scale networks. In such situations, one could use theempirical distribution of ti as this is computationally fasterto evaluate.
Another possibility is to use
tfwi = (n− 1)
q∑j=1
wju2ij , (7)
where wj = suj . In the absence of any intrusion or anomaly,we have suj = ruj = 1; therefore, both ti and tfi follow thesame distribution. However, some of the suj ’s will be largerthan unity in the presence of unusual connections in Xf .Giving more importance to the components that are affectedby weighting them with corresponding suj ’s will make theanomalies more pronounced and will result in a shift in tfwirelative to ti for all anomalous connections in Xf . In the restof this paper, we refer to a detection system based on (7) asWAAD and describe it via the following algorithm:
1) Obtain X by standardizing the normal activitiesdataset Y that is xij = (yij − yj)/sj .
2) Estimate V and Λ based on X using singular valuedecomposition.
3) Obtain Uf using the future activities dataset that isUf = XfV Γ−1, where xfij = (yfij − yj)/sj .
4) Calculate suj ’s, the standard deviations of thecolumns of
√n− 1Uf . In the absence of intrusion,
we expect all suj ’s to be unity. If suj > δ(1−α)j for any
j, then declare the possible presence of anomalousconnections in Y f .
5) To identify the anomalous connections, calculatetfwi using the expression in (7) that is tfwi = (n −1)
∑pj=1 wj(u
fij)
2.6) For the ith connection, if tfwi > θ(1−α), where
θ(1−α) is the (1 − α)th quantile of the bootstrapdistribution of twi = (n − 1)
∑qj=1 wj(uij)
2, thendeclare it anomalous.
Like AAD, WAAD requires the bootstrap distribution of twi ,which in turn requires the upfront knowledge of the suj . TheWAAD also consider the unaffected components (althoughwith lower weights) in the calculation of twi and tfwi , whichmakes it noisier; therefore, it may not be as effective inidentifying anomalies as the AAD.
3 SIMULATION STUDY
The goal of this section is to numerically evaluate the per-formance of our proposed methods for detecting anomalies.We also demonstrated the effectiveness of the proposedmethods in comparison to the WBPCA while considering anumber of factors that might be affecting the performance ofthe methods. In the presence of true mean µ and covarianceΣ, we included a Mahalanobis distance approach [18] basedon µ and Σ as a gold standard. The squared Mahalanobis
distance between a sample xfi and µ given a true covariancematrix Σ is given by
D2i = (xfi − µ)Σ−1(xfi − µ)T .
In the absence of anomalous observations and under theassumption of normality and independence of observations,the quantity D2 follows an exact chi-square distributionwith p degrees of freedom; that is, D2
i ∼ χ2(p) [25]. In the
rest of the paper we will refer to this approach as TRUE.We generated a clean dataset Y of size n from a p-
dimensional multivariate normal distribution with meanvector µ and a covariance matrix Σ. For the clean dataset,without loss of generality, we set µ = 0 and consideredΣ = Σρ having a first-order autoregressive correlationstructure, AR(1); that is, the elements of Σρ are given by
σij = ρ|i−j| for 1 ≤ i, j ≤ p,
where ρ ∈ [0, 1) is a parameter that determines Σ. A smallervalue of ρ shifts variance towards minor components. Forexample, Σ0 equals an identity matrix in which case thevariance is uniformly distributed over p components. Onthe other hand, a larger value of ρ shifts more variancetowards the principal components in which case the firstfew eigenvalues will explain most of the variation.
To generate a set of anomalous observations, we fol-lowed the simulation setup provided in [26], which allows ashift along a set of chosen eigenvectors. We chose a smallerset of observations from n normal observations and madethem anomalous by adding a constant of size η = c
√λj ,
where c ∈ {1, 2, 3}, along a few chosen eigenvectors fromV . This set of anomalous observations was then used tocontaminate another set of m normal observations Y f
randomly chosen from training dataset. For example, anobservation yfi was anomalous if it was reconstructed aftera shift is created along some of the vj ’s (the columns of V )by adding a constant η to the corresponding zij (the ijthelement of Z).
We used the AAD and WAAD as detailed in Section2.1 in comparison to WBPCA and TRUE to detect andidentify the m anomalous observations. For WBPCA, wecalculated the eigenvalues of correlation matrix and retainedcomponents using “eigenvalue greater than one rule”. Weused the Receiver Operating Characteristic (ROC) curve, aplot of the true positive rate against the false positive rate,as a metric to evaluate the performance of the methods [8].
For the experiments, the results of which are shownhere, we set p = 30, ρ = 0.9, and created anomalousobservations by choosing 100 normal observations at ran-dom and shifted them along three chosen eigenvectors. Wethen contaminated m = 4900 + 100 = 5000 observationschosen randomly from n = 10, 000 normal observationswith the 100 anomalous observations. The average ROCcurves for 1000 independent experiments are presented inFigures 1, 2 and 3. The three eigenvectors along which theshifts were created were randomly selected in each of the1000 independent experiments (see results in Figure 1), werefixed to the last three eigenvectors (see results in Figure 2)and were fixed to the first three eigenvectors (see results inFigure 3).
Overall, the detection rate increased with increasing sizeof the shift and the results clearly indicated the superior
IEEE TRANSACTIONS ON CYBERNETICS 6
0.0 0.2 0.4 0.6 0.8 1.00.0
0.2
0.4
0.6
0.8
1.0
(a)
False Positive Rate
True
Pos
itive
Rat
e
TrueAADWAADWBPCA
0.0 0.2 0.4 0.6 0.8 1.00.0
0.2
0.4
0.6
0.8
1.0
(b)
False Positive Rate
True
Pos
itive
Rat
e
0.0 0.2 0.4 0.6 0.8 1.00.0
0.2
0.4
0.6
0.8
1.0
(c)
False Positive Rate
True
Pos
itive
Rat
e
Fig. 1. ROC curves. A sample of size n = 10, 000 is drawn from a 30-dimensional normal distribution with µ = 0 and Σ0.9 to train a PCAmodel. A set of 100 anomalous observations are created to contaminateanother set of m = 5000 normal observations by adding a constant ofsize η = c
√λj : (a) c = 1, (b) c = 2 and (c) c = 3, to shift them along
a random set of three distinct eigenvectors. The results are averagedover 1000 independent experiments. In each experiment the set of threeeigenvectors along which the shifts are created is allowed to vary.
0.0 0.2 0.4 0.6 0.8 1.00.0
0.2
0.4
0.6
0.8
1.0
(a)
False Positive Rate
True
Pos
itive
Rat
e
TrueAADWAADWBPCA
0.0 0.2 0.4 0.6 0.8 1.00.0
0.2
0.4
0.6
0.8
1.0
(b)
False Positive Rate
True
Pos
itive
Rat
e
0.0 0.2 0.4 0.6 0.8 1.00.0
0.2
0.4
0.6
0.8
1.0
(c)
False Positive Rate
True
Pos
itive
Rat
e
Fig. 2. ROC curves. A sample of size n = 10, 000 is drawn from a30-dimensional normal distribution with µ = 0 and Σ0.9 to train PCAmodel. A set of 100 anomalous observations are created to contaminateanother set of m = 5000 normal observations by adding a constant ofsize η = c
√λj : (a) c = 1, (b) c = 2 and (c) c = 3, to shift them
along the last three eigenvectors. The results are averaged over 1000independent experiments.
performance of AAD in terms of achieving higher detec-tion rate with much lower false alarm rate. Further, AADperformed consistently well regardless of the dimension ofthe created shift. Its performance was even better than theTRUE. The reason is that the Mahalanobis distance also ag-gregates across all variables including irrelevant variables,hence masking the outlying effect. Similar to AAD, theperformance of WAAD was also consistent across the threesimulation scenarios; however, it was still polluted by theaggregated noise in tfwi due to the unaffected dimensions.
The effectiveness of WBPCA varied depending on thechosen dimension along which the shift was created. The
0.0 0.2 0.4 0.6 0.8 1.00.0
0.2
0.4
0.6
0.8
1.0
(a)
False Positive Rate
True
Pos
itive
Rat
e
TrueAADWAADWBPCA
0.0 0.2 0.4 0.6 0.8 1.00.0
0.2
0.4
0.6
0.8
1.0
(b)
False Positive Rate
True
Pos
itive
Rat
e
0.0 0.2 0.4 0.6 0.8 1.00.0
0.2
0.4
0.6
0.8
1.0
(c)
False Positive Rate
True
Pos
itive
Rat
e
Fig. 3. ROC curves. A sample of size n = 10, 000 is drawn from a30-dimensional normal distribution with µ = 0 and Σ0.9 to train PCAmodel.A set of 100 anomalous observations are created to contaminateanother set of m = 5000 normal observations by adding a constantof size η = c
√λj : (a) c = 1, (b) c = 2 and (c) c = 3, to shift them
along the first three eigenvectors. The results are averaged over 1000independent experiments.
WBPCA detection rate was lower if the shift was along theprincipal components (see Figure 3). However, its perfor-mance improved when the shift was created along the minorcomponents (see Figure 2). This is because most of the errorvariation lies along the dominant eigenvectors when ρ isclose to one which makes it difficult to detect anomalousobservations.
4 REAL DATA ANALYSIS
In this section, we demonstrate the performance of ourproposed methods and those from the literature through theanalysis of two real network datasets, namely the UNSW-NB15 dataset and KDD’99 dataset.
4.1 UNSW-NB15 datasetA real UNSW-NB15 dataset was recently released by theAustralian Centre for Cyber Security. The dataset is de-scribed in [27] and analyzed (using a variety of methods)in [28] and [29]. It is publicly available for research pur-poses5. This dataset has 49 features and a total of 2,540,044connection records including a variety of attacks. The 49features also include 12 features that are derived from therest of 35 directly measured features and the two attributesthat represent class labels. We do not use the 12 derivedfeatures and also exclude seven nominal features (SourceIP address, Destination IP address, Source port number,Destination port number, transaction protocol, service andstate). All the records are labelled as normal records orattacks using the IXIA PerfectStorm tool6 that contains thesignatures of naive attacks and is continuously updatedfrom a CVE site7. The attacks are further categorized into
5. https://www.unsw.adfa.edu.au/unsw-canberra-cyber/cybersecurity/ADFA-NB15-Datasets/
6. https://www.ixiacom.com/products/perfectstorm7. https://cve.mitre.org/
IEEE TRANSACTIONS ON CYBERNETICS 7
their types: Fuzzers, Analysis, Backdoors, DoS, Exploits,Generic, Reconnaissance, Shellcode, Worms [see 27, for thedescription of each type of attack]. Some of the above men-tioned nominal variables could be included in the analysisin the form of binary indicator variables since they have asmall number of categories in the available data (transactionprotocol has 135 categories, service has 16 categories andstate 13 categories). However, the number of categories mayvary in practical applications.
As mentioned earlier, the key requirement of an un-supervised NIDS is the availability of a normal activitiesdataset. In the UNSW-NB15 dataset, the abnormal trafficis introduced synthetically at particular time points, so wehave a large portion of the data that is not affected by the ab-normal traffic (i.e. observations 186,789 to 1,087,248, whichwe will refer to as clean data). We used the observationsfrom 300,001 to 900,000 of the clean data to train the PCAmodel and to estimate δ
(1−α)j . The data observed before
300,001 and after 900,000 are used as a test set of data.
We used 5,000 bootstrap samples of size 10,000 to con-struct the distributions of ruj ’s (see Figure 4). The bootstrapdistributions of ruj ’s were expected to be centered at one.At this point it is important to notice that the networkconnections data are usually skewed which may make thebootstrap distributions of ruj ’s slightly off from the expectedcenter of one. However, misplacement of the entire distri-bution of ruj is an indication of the presence of outliersin the data. The presence of large outliers in the trainingdata has the potential to make a NIDS less sensitive. Wenoticed peculiarities in the distributions of some of the ruj ’s,particularly the distributions of ru8 , ru9 and ru20 were far-off from the expected center. This indicated the presenceof some unusually large observations of the variables in thetraining data that were loading heavily on PC-8, PC-9 andPC-20. The PC-8 had loadings of 0.91 and 0.19, respectively,for ‘source bits per second’ and ‘destination bits per second’,PC-9 had loadings of 0.21 and 0.97, respectively for ‘sourcebits per second’ and ‘record total duration’ (loading forall other variable were less than 0.1) and the PC-20 hada large loading of -0.70 and 0.71, respectively, for ‘sourcejitter’ and ‘destination jitter’. By further inspection we foundsix unusually large values of the ‘record total duration’, 39unusually large values of the ‘source bits per second’, 3unusually large values of the ‘destination bits per second’,and 31 unusually large values of the ‘source jitter’. Most ofthe 31 connections that had unusually large values for the‘source jitter’ had also unusual values for the ‘destinationjitter’. The removal of these 79 unusual observations con-siderably alleviated the peculiarities in the distributions ofruj (see Figure 5).
We used the AAD, WAAD and WBPCA as detailed inSection 2.1 to try to detect and identify the attack connec-tions. For the WBPCA, we calculated the eigenvalues usingthe correlation scale and retained components using theKaiser’s rule also referred to as “eigenvalue greater thanone rule” [30]. We projected the entire test data onto theeigenspace obtained using the training data and found thatsome of the suj ’s are strongly affected (for example, see thelargest four suj ’s with indices 6, 11, 21, 26 in Figure 6).The plots for the score statistic tfi based on the methods
Fig. 4. Plot of the values of ruj ’s obtained using 5000 bootstrap samplesof size 10000 from the training set of the UNSW-NB15 dataset. Thehorizontal gray line indicates the expected value of ruj in the absence ofanomalous activities.
Fig. 5. Plot of the values of ruj ’s obtained using 5000 bootstrap samplesof size 10000 from the training set of the UNSW-NB15 dataset afterremoval of 79 unusual connections. The horizontal gray line indicatesthe expected value of ruj in the absence of anomalous activities.
Fig. 6. Plot of suj ’s for UNSW-NB15 dataset. The whole UNSW-NB15dataset was examined at once.
AAD, WAAD and WBPCA are portrayed in Figure 7. Tosee the patterns in the test set of data in comparison tothe training set of data, we also plot our training datatogether with the test set of data, where the training setof the data is shaded in light-blue in each plot of thefigure. Overall, the methods are able to detect and identifyattacks equally well (AAD, WAAD and WBPCA detect andidentify, respectively, 99.836%, 99.876% and 99.830% of the
IEEE TRANSACTIONS ON CYBERNETICS 8
Fig. 7. Plots of the score statistic tfi for the UNSW-NB15 dataset: (a)AAD, (b) AAD based on the four most affected dimensions (see Figure6), (c) WAAD and (d) WBPCA. The horizontal green line indicates thethreshold value θα=0.0001. The training dataset is shaded in light-blue.
Fig. 8. ROC curves for all categories of attacks in UNSW-NB15 dataset.
anomalous connections). Figure 7 reveals that the normalactivities observations of the test data observed during theattack periods also exhibit some peculiar patterns that in-dicate anomalous connections (in that the corresponding tfiexceeds the threshold θ(1−.0001)). The normal activities dataobserved during attack periods also show some anomalousblock-like patterns that cannot be seen in the period whenclean data were observed. The false alarm rate is high forall methods due to these anomalous patterns of normalactivities data happening during the attack periods (seeFigure 7 and Figure 8). Although no concrete conclusioncould be drawn, it could be that the normal activities aredisturbed by the attacks or that some anomalous connec-tions are mislabeled as normal. We also calculated the scorestatistic tfi based on the four most affected dimensions (seethe largest suj ’s with indices 6, 11, 21, and 26 in Figure 6) andplot the results in Figure 7(b). Considering only these four
Fig. 9. Plots of the UNSW-NB15 dataset. A random sample of size9900 from training dataset is contaminated with 100 attack connectionsrandomly chosen from all categories of attacks. In (a) is the distributionof the number of components found relevant, in (b) are the componentsfound effected and in (c) are the average ROC curves. The experimentis repeated 1000 times.
Fig. 10. Plots of the UNSW-NB15 dataset. A random sample of size9900 from training dataset is contaminated with 100 attack connectionsrandomly chosen from ‘DoS’ attacks. In (a) is the distribution of thenumber of components found relevant, in (b) are the components foundeffected and in (c) are the average ROC curves. The experiment isrepeated 1000 times.
IEEE TRANSACTIONS ON CYBERNETICS 9
Fig. 11. Plots of the UNSW-NB15 dataset. A random sample of size9900 from training dataset is contaminated with 100 attack connectionsrandomly chosen from ‘Fuzzers’ attacks. In (a) is the distribution of thenumber of components found relevant, in (b) are the components foundeffected and in (c) are the average ROC curves. The experiment isrepeated 1000 times.
Fig. 12. Plots of the UNSW-NB15 dataset. A random sample of size9900 from training dataset is contaminated with 100 attack connectionsrandomly chosen from ‘Generic’ attacks. In (a) is the distribution of thenumber of components found relevant, in (b) are the components foundeffected and in (c) are the average ROC curves. The experiment isrepeated 1000 times.
components in the final score tfi was almost as good in termsof detection and identification of anomalous connectionsand other anomalous patterns, since it further pushed theblock like anomalous structures across the threshold ofnormal activities data.
Often the attacks do not happen all at once, in which caseit may be more natural to try to detect and identify a smallernumber of anomalous connections in a large batch of normalconnections. We therefore contaminated a large sample ofsize 9900 randomly drawn from the training data with 100connections randomly drawn from the set of anomalousconnections (m = 9900 + 100) and used all three methods(AAD, WAAD and WBPCA) to detect and identify the 100attack connections. We repeated the experiment 1000 timesand show the results in Figure 9. The results indicated that22 components out of 26 were affected by the anomalies(see Figure 9 (a)) and they were not necessarily only amongthe first few components (see Figure 9 (b)). Taking only theaffected components into account made the NIDS slightlymore effective both in terms of detection rate and false posi-tive rate (see Figure 9 (c)). We also repeated the experimentsseparately for each type of attack and show the resultsfor ‘DoS’, ‘Fuzzers’ and ‘Generic’ attacks , respectively, inFigures 10, 11 and 12. The performance of the proposedmethods was found to be superior in detecting individualtypes of attacks. Note that that most of the attacks affectedthe same components both in combination and separately,which may be due to similar patterns across different typesof attacks as exhibited in Figure 7.
4.2 KDD’99 datasetThe KDD’99 dataset8 is perhaps the most well-known andwildly used reference network dataset for the evaluation ofNIDS [31]. It was released by MIT Lincoln Lab for a 1998DARPA evaluation program that was aimed to survey andevaluate research in intrusion detection.
The training dataset consists of 4,898,431 connections,which was prepared from 4 gigabytes of compressed rawtcpdump data of 7 weeks of network traffic by [32]. It con-tains 972,781 normal connections and 3,925,650 anomalousconnections. The anomalous connections are due to 23 typesof attacks listed in Table 1 and each of which falls into oneof 4 categories: denial-of-service, unauthorized access froma remote machine, unauthorized access to local superuserprivileges by a local unprivileged user, and surveillance andprobing [17]. Some of these 23 types of attacks are rare; forexample, ‘spy’ happens two times and ‘perl’ happens threetimes in the whole dataset. Others happen frequently in thedataset; for example, there are 2,807,886 ‘smurf’ connections.
Similarly, around two million connection records wereobtained separately from the two weeks of test data. How-ever, following [14], we used only the training set and dropthe original test data completely.
The dataset has 41 features excluding the one thatrepresents class labels [17]. Among these 41 features, 34 arenumeric and 7 are nominal. We include only 23 numericfeatures in our experiments and exclude all nominal featuresand 11 numeric features (‘wrong fragment’, ‘urgent’, ‘hot’,‘num failed logins’, ‘num compromised’, ‘root shell’,
8. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
IEEE TRANSACTIONS ON CYBERNETICS 10
!tbTABLE 1
Attack types in KDD’99 dataset.
Attack type Frequencyback 2203
buffer overflow 30ftp write 8
guess passwd 53imap. 12
ipsweep 12481land. 21
loadmodule 9multihop 7neptune 1072017
nmap 2316normal 972781
perl 3phf 4pod 264
portsweep 10413rootkit 10
satan 15892smurf 2807886
spy 2teardrop 979
warezclient 1020warezmaster 20
‘su attempted’, ‘num root’ and ‘num file creations’) sincethese feature have a small number of non-zero values in thetraining set of data (the values for ‘wrong fragment’ and‘num outbound cmds’ are zero for all connections).
We used n = 972, 781 normal connections data fortraining the PCA model. As in the previous application,we constructed the distributions of ruj ’s based on 5,000bootstrap samples of size 10,000 (see Figure 13). The dis-tributions of some of the ruj ’s were centered away from one(see the box-plots for ru6 , ru7 and ru11), indicating the possiblepresence of some unusual observations of the variables thathave large coefficients for PC-6, PC-7 and PC-11. The PC-6, PC-7 and PC-11 all had large coefficients for ‘src bytes’and ‘dst bytes’ (PC-6 had loadings of -0.51 and -0.58, PC-7had loadings of -0.46 and -0.39, and PC-11 had loadings of-0.70 and 0.70, respectively for ‘src bytes’ and ‘dst bytes’.Further inspection revealed eight unusually large valuesof the ‘src bytes’ and eight unusually large values of the‘dst bytes’. The removal of these 16 unusual observationsre-centered the distributions of ru6 , ru7 and ru11 closer to one(see Figure 14).
For the test data, we contaminated a large sample ofsize 9900 randomly drawn from normal activities data with100 anomalous connections randomly drawn from the setof anomalous connections (m = 9900 + 100) and used theAAD, WAAD and WBPCA to detect and identify the 100attack connections. We repeated the experiment 1000 timesand show the results in Figure 15. The results indicated thatthere were indeed a few components out of 32 that wereaffected by the anomalies and they were not necessarilyonly among the first few components (see Figure 15 (a)and (b)). Taking only the affected components into accountmade the NIDS much more effective both in terms of de-tection rate and false positive rate (see Figure 15 (c)). Wealso repeated the experiments separately for the three mostfrequent attacks, namely ‘smurf’, ‘neptune’ and ‘satan’, andshow the results, respectively, in Figures 16, 17 and 18.
Fig. 13. Plot of the values of ruj ’s obtained using 5000 bootstrap samplesof size 10000 from the training set of the KDD’99 dataset. The horizontalgray line indicates the expected value of ruj in the absence of anomalousactivities.
Fig. 14. Plot of the values of ruj ’s obtained using 5000 bootstrap samplesof size 10000 from the training set of the KDD’99 dataset after removalof eight unusual observations. The horizontal gray line indicates theexpected value of ruj in the absence of anomalous activities.
The performance of the proposed methods was found tobe superior in detecting individual type of attacks.
As mentioned earlier, some of the attacks were rare andthe probability for them to be included in a random sampleof sized 100 was negligible. Therefore, we repeated theexperiment with all attacks which occurred less than 1,000times. The results are presented in Figure 19. The numberof affected components was less stable due to the mixtureof varieties of rare attacks each of which altered a varyingnumber of components (see Figure 19 (a) and (b)) comparedto the case when individual type of attacks were confronted.The detection rate was low and comparable for all methods.This indicates that the proposed methods AAD and WAADperform similarly to WBPCA when varieties of attacks areintroduced at the same time and improve the detection ratewhen normal connections are contaminated with a singletype of attack at a time.
5 DISCUSSION AND CONCLUSION
The use of PCA for network anomaly detection has beencriticized due to its limited effectiveness in detecting andidentifying anomalous activities [8]. One reason for this isthat the anomaly scores are calculated by aggregation across
IEEE TRANSACTIONS ON CYBERNETICS 11
Fig. 15. Plots of the KDD’99 dataset. A random sample of size 9900 fromnormal activities dataset is contaminated with 100 attack connectionsrandomly chosen from all categories of attacks. In (a) is the distributionof the number of components found relevant, in (b) are the componentsfound effected and in (c) are the average ROC curves. The experimentis repeated 1000 times.
Fig. 16. Plots of the KDD’99 dataset. A random sample of size 9900 fromnormal activities dataset is contaminated with 100 attack connectionsrandomly chosen from ‘smurf’ attacks. In (a) is the distribution of thenumber of components found relevant, in (b) are the components foundeffected and in (c) are the average ROC curves. The experiment isrepeated 1000 times.
the major principal components (the first few componentsthat explain most of the variation in the data), which oftenincludes components that are relatively unaffected by the
Fig. 17. Plots of the KDD’99 dataset. A random sample of size 9900 fromnormal activities dataset is contaminated with 100 attack connectionsrandomly chosen from ‘neptune’ attacks. In (a) is the distribution ofthe number of components found relevant, in (b) are the componentsfound effected and in (c) are the average ROC curves. The experimentis repeated 1000 times.
Fig. 18. Plots of the KDD’99 dataset. A random sample of size 9900 fromnormal activities dataset is contaminated with 100 attack connectionsrandomly chosen from ‘satan’ attacks. In (a) is the distribution of thenumber of components found relevant, in (b) are the components foundeffected and in (c) are the average ROC curves. The experiment isrepeated 1000 times.
anomalies, or the alterations caused by anomalies alongthese components are less pronounced because of greatervariation along these components. Moreover, the existing
IEEE TRANSACTIONS ON CYBERNETICS 12
Fig. 19. Plots of the KDD’99 dataset. A random sample of size 9900 fromnormal activities dataset is contaminated with 100 attack connectionsrandomly chosen from all less frequent attacks. In (a) is the distributionof the number of components found relevant, in (b) are the componentsfound effected and in (c) are the average ROC curves. The experimentis repeated 1000 times.
methods exclude some of the minor components from theaggregation that could be more strongly affected, or thealterations caused by anomalies along these components aremore pronounced because of lower variation along thesecomponents. In this paper, we highlight this shortcomingof previous studies and propose to calculate scores byaggregating across only those components that are affectedby the anomalies or give more weight to the componentsthat are more affected.
To support our findings, we have conducted a simulationstudy which showed that the identification rate could beconsiderably increased if the scores were aggregated onlyacross affected components while leaving out the unaffectedcomponents. Anomaly identification was higher when themost affected components were weighted more highly.Through the analysis of real datasets we showed that theattacks created shifts only along the direction of a fewcomponents (a mix of principal and minor components) andthat most of the components are relatively unaffected, sowhen excluded from the calculation of anomaly scores, thedetection rate improves.
Although, our simulation study is limited to the mul-tivariate normal distribution, the applications to real dataindicated that that the proposed methods can performwell even if the data is non-normal. However, furthersimulations—simulations from heavy-tailed and skeweddistributions—would strengthen this assertion.
REFERENCES
[1] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita,“Network anomaly detection: methods, systems and
tools,” IEEE communications surveys & tutorials, vol. 16,no. 1, pp. 303–336, 2014.
[2] A. L. Buczak and E. Guven, “A survey of data min-ing and machine learning methods for cyber securityintrusion detection,” IEEE Communications Surveys &Tutorials, vol. 18, no. 2, pp. 1153–1176, 2016.
[3] D. Sahoo, C. Liu, and S. C. Hoi, “Malicious url detec-tion using machine learning: A survey,” arXiv preprintarXiv:1701.07179, 2017.
[4] M.-L. Shyu, K. Sarinnapakorn, I. Kuruppu-Appuhamilage, S.-C. Chen, L. Chang, and T. Goldring,“Handling nominal features in anomaly intrusiondetection problems,” in 15th International Workshop onResearch Issues in Data Engineering: Stream Data Miningand Applications. RIDE-SDMA 2005. IEEE, 2005, pp.55–62.
[5] P. Garcia-Teodoro, J. Diaz-Verdejo, G. Macia-Fernandez, and E. Vazquez, “Anomaly-basednetwork intrusion detection: Techniques, systemsand challenges,” computers & security, vol. 28, no. 1-2,pp. 18–28, 2009.
[6] H. Om and T. Hazra, “Statistical techniques in anomalyintrusion detection system,” International Journal of Ad-vances in Engineering & Technology, vol. 5, no. 1, pp. 387–398, 2012.
[7] P. Prakash, M. Kumar, R. R. Kompella, and M. Gupta,“Phishnet: predictive blacklisting to detect phishingattacks,” in INFOCOM 2010: Proceedings of the IEEEConference on Computer Communications. Citeseer, 2010,pp. 1–5.
[8] H. Ringberg, A. Soule, J. Rexford, and C. Diot, “Sen-sitivity of pca for traffic anomaly detection,” ACMSigmetrics Performance Evaluation Review, vol. 35, no. 1,pp. 109–120, 2007.
[9] R. Perdisci, G. Gu, and W. Lee, “Using an ensembleof one-class svm classifiers to harden payload-basedanomaly detection systems,” in Sixth International Con-ference on Data Mining, 2006 (ICDM 2006). IEEE, 2006,pp. 488–498.
[10] Z. Muda, W. Yassin, M. Sulaiman, and N. Udzir, “Intru-sion detection based on k-means clustering and naıvebayes classification,” in 7th International Conference onInformation Technology in Asia CITA 2011. IEEE, 2011,pp. 1–6.
[11] S.-J. Horng, M.-Y. Su, Y.-H. Chen, T.-W. Kao, R.-J. Chen,J.-L. Lai, and C. D. Perkasa, “A novel intrusion detec-tion system based on hierarchical clustering and sup-port vector machines,” Expert systems with Applications,vol. 38, no. 1, pp. 306–313, 2011.
[12] M.-L. Shyu, S.-C. Chen, K. Sarinnapakorn, andL. Chang, “A novel anomaly detection scheme basedon principal component classifier,” Miami UniversityDepartment of Electrical and Computer Engineering,Tech. Rep., 2003.
[13] A. Lakhina, M. Crovella, and C. Diot, “Characterizationof network-wide anomalies in traffic flows,” in Proceed-ings of the 4th ACM SIGCOMM conference on Internetmeasurement. ACM, 2004, pp. 201–206.
[14] W. Wang and R. Battiti, “Identifying intrusions in com-puter networks with principal component analysis,” inThe First International Conference on Availability, Reliabil-
IEEE TRANSACTIONS ON CYBERNETICS 13
ity and Security (ARES 2006). IEEE, 2006, pp. 270–279.[15] C. Callegari, L. Gazzarrini, S. Giordano, M. Pagano,
and T. Pepe, “A novel PCA-based network anomalydetection,” in IEEE International Conference on Commu-nications (ICC). IEEE, 2011, pp. 1–5.
[16] R. Kwitt and U. Hofmann, “Unsupervised anomalydetection in network traffic by means of robust PCA,”in International Multi-Conference on Computing in theGlobal Information Technology, 2007 (ICCGI 2007). IEEE,2007, pp. 37–41.
[17] W. Lee and S. J. Stolfo, “A framework for constructingfeatures and models for intrusion detection systems,”ACM transactions on Information and system security TiS-SEC, vol. 3, no. 4, pp. 227–261, 2000.
[18] M. Koeman, J. Engel, J. Jansen, and L. Buydens, “Crit-ical comparison of methods for fault diagnosis inmetabolomics data,” Scientific reports, vol. 9, no. 1, p.1123, 2019.
[19] H. Zou, T. Hastie, and R. Tibshirani, “Sparse principalcomponent analysis,” Journal of computational and graph-ical statistics, vol. 15, no. 2, pp. 265–286, 2006.
[20] I. Jolliffe, Principal component analysis, 3rd ed. SpringerSeries in Statistics. New York: Springer Verlag, 2002.
[21] O. Alter, P. O. Brown, and D. Botstein, “Singularvalue decomposition for genome-wide expression dataprocessing and modeling,” Proceedings of the NationalAcademy of Sciences, vol. 97, no. 18, pp. 10 101–10 106,2000.
[22] E. J. McTavish, J. E. Decker, R. D. Schnabel, J. F. Taylor,and D. M. Hillis, “New world cattle show ancestryfrom multiple independent domestication events,” Pro-ceedings of the National Academy of Sciences, vol. 110,no. 15, pp. E1398–E1406, 2013.
[23] G. Saporta and N. Niang, “Principal component anal-ysis: application to statistical process control,” Dataanalysis, pp. 1–23, 2009.
[24] S. Valle, W. Li, and S. J. Qin, “Selection of the numberof principal components: the variance of the recon-struction error criterion with a comparison to othermethods,” Industrial & Engineering Chemistry Research,vol. 38, no. 11, pp. 4389–4401, 1999.
[25] R. A. Johnson, D. W. Wichern et al., Applied multivariatestatistical analysis. Prentice hall Upper Saddle River,NJ, 2002, vol. 5, no. 8.
[26] D. I. Warton, “Penalized normal likelihood and ridgeregularization of correlation and covariance matrices,”Journal of the American Statistical Association, vol. 103,no. 481, pp. 340–349, 2008.
[27] N. Moustafa and J. Slay, “UNSW-NB15: a comprehen-sive data set for network intrusion detection systems(unsw-nb15 network data set),” in Military Communi-cations and Information Systems Conference MilCIS, 2015.IEEE, 2015, pp. 1–6.
[28] ——, “The evaluation of network anomaly detectionsystems: Statistical analysis of the UNSW-NB15 dataset and the comparison with the KDD99 data set,”Information Security Journal: A Global Perspective, vol. 25,no. 1-3, pp. 18–31, 2016.
[29] N. Moustafa, J. Slay, and G. Creech, “Novel geometricarea analysis technique for anomaly detection usingtrapezoidal area estimation on large-scale networks,”
IEEE Transactions on Big Data, 2017.[30] H. F. Kaiser, “The application of electronic computers to
factor analysis,” Educational and psychological measure-ment, vol. 20, no. 1, pp. 141–151, 1960.
[31] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “Adetailed analysis of the KDD CUP 99 data set,” in IEEESymposium on Computational Intelligence for Security andDefense Applications (CISDA 2009). IEEE, 2009, pp. 1–6.
[32] S. J. Stolfo, W. Fan, W. Lee, A. Prodromidis, and P. K.Chan, “Cost-based modeling for fraud and intrusiondetection: Results from the jam project,” in Proceedingsof the DARPA Information Survivability Conference & Ex-position, 2000, pp. 130–144.