Detecting anomalous network hosts by means of PCA

T. Pevný, M. Rehák, Martin Grill
2012 IEEE International Workshop on Information Forensics and Security (WIFS), December 2012
DOI: 10.1109/WIFS.2012.6412633
Citations: 11

Abstract

This paper focuses on the identification of anomalous hosts within a computer network, with the motivation of detecting attacks and/or other unwanted and suspicious traffic. The proposed detection method does not use packet content, which enables it to be used on encrypted networks. Moreover, the method has very low computational complexity, allowing the fast detection and response that are important for limiting potential damage. The proposed method uses entropies of IP addresses and ports to build two complementary models of a host's traffic based on principal component analysis. These two models are coupled with two orthogonal anomaly definitions, which gives four different detectors. The methods are evaluated and compared to prior art on a week-long capture of traffic on a university network. The experiments reveal that no single detector can detect all types of anomalies, which is expected and stresses the importance of an ensemble approach to intrusion detection.
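The abstract describes the pipeline only at a high level. The following is an added Python example, not the authors' code, showing the shape of such a detector: entropies of destination IPs, destination ports and source ports are computed per host from payload-free flow records, a PCA model is fitted on a learning window, and each host receives two orthogonal scores, a Hotelling-style T² inside the principal subspace and the squared prediction error (SPE) in the residual subspace. Which two anomaly definitions the paper actually pairs, its exact feature set and its thresholds are not stated on this page; the three entropy features, the clean learning window, the max-of-training thresholds, the fixed two principal components, and every flow record and IP address below are constructed assumptions of this example.

```python
"""Added example (not the paper's code): payload-free per-host entropy features scored by
two orthogonal PCA anomaly definitions. All flow records below are constructed."""
import math
from collections import Counter, defaultdict


def make_flows(src, dst_ips, dst_ports, n, base_port=40000):
    """Constructed outbound flows (src_ip, src_port, dst_ip, dst_port) for one host, cycling
    through its servers and service ports with a fresh ephemeral source port for each flow."""
    return [(src, base_port + j, dst_ips[j % len(dst_ips)], dst_ports[j % len(dst_ports)])
            for j in range(n)]


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def host_features(flows):
    """Per source host: H(dst IP), H(dst port), H(src port). No packet content is touched."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f[0]].append(f)
    return {h: (entropy([f[2] for f in fs]), entropy([f[3] for f in fs]),
                entropy([f[1] for f in fs])) for h, fs in by_host.items()}


def sym_eig(a, sweeps=50):
    """Eigen-decomposition of a small symmetric matrix by cyclic Jacobi rotations (pure Python,
    so the example needs no dependencies). Returns eigenvalues in decreasing order and the
    matching eigenvectors as columns."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-24:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-300:
                    continue
                theta = 0.5 * math.atan2(2 * a[p][q], a[q][q] - a[p][p])
                c, s = math.cos(theta), math.sin(theta)
                for k in range(n):  # A <- A J and V <- V J (columns p, q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                    vkp, vkq = v[k][p], v[k][q]
                    v[k][p], v[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
                for k in range(n):  # A <- J^T A (rows p, q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    order = sorted(range(n), key=lambda i: -a[i][i])
    return [a[i][i] for i in order], [[v[k][i] for i in order] for k in range(n)]


def fit_pca(rows, n_components):
    """Mean-centre the feature vectors and keep the n_components highest-variance directions."""
    n, d = len(rows), len(rows[0])
    mean = [sum(x[j] for x in rows) / n for j in range(d)]
    cov = [[sum((x[i] - mean[i]) * (x[j] - mean[j]) for x in rows) / (n - 1)
            for j in range(d)] for i in range(d)]
    vals, vecs = sym_eig(cov)
    comps = [[vecs[k][i] for k in range(d)] for i in range(n_components)]
    return {"mean": mean, "vals": vals[:n_components], "comps": comps}


def scores(model, x):
    """Two orthogonal anomaly scores for one host:
    T2  = squared Mahalanobis distance inside the principal subspace (extreme but normal-shaped),
    SPE = squared distance to that subspace (behaviour the model does not explain at all)."""
    d = [xi - mi for xi, mi in zip(x, model["mean"])]
    proj = [sum(ci * di for ci, di in zip(comp, d)) for comp in model["comps"]]
    t2 = sum(p * p / lam for p, lam in zip(proj, model["vals"]))
    recon = [sum(p * comp[j] for p, comp in zip(proj, model["comps"])) for j in range(len(d))]
    spe = sum((di - ri) ** 2 for di, ri in zip(d, recon))
    return t2, spe


def detect(train_flows, test_flows, n_components=2):
    """Fit on a learning window, then flag test hosts whose T2 or SPE exceeds the largest training
    value. A clean learning window and max-of-training thresholds are assumptions of this example."""
    train = host_features(train_flows)
    model = fit_pca(list(train.values()), n_components)
    train_scores = [scores(model, x) for x in train.values()]
    t2_max, spe_max = max(s[0] for s in train_scores), max(s[1] for s in train_scores)
    flagged = {}
    for host, x in host_features(test_flows).items():
        t2, spe = scores(model, x)
        hits = [name for name, hit in (("T2", t2 > t2_max), ("SPE", spe > spe_max)) if hit]
        if hits:
            flagged[host] = hits
    return flagged


# Constructed learning window: ten ordinary clients, each using a few servers on a few ports.
SERVERS = ["198.51.100.%d" % i for i in range(1, 9)]
PROFILES = [  # (host, number of servers, service ports, number of flows)
    ("10.0.0.1", 2, [443, 80], 8), ("10.0.0.2", 4, [443, 80], 8), ("10.0.0.3", 3, [443], 6),
    ("10.0.0.4", 4, [443, 80, 53, 123], 8), ("10.0.0.5", 2, [443], 16),
    ("10.0.0.6", 8, [443, 80], 16), ("10.0.0.7", 4, [443, 80], 16),
    ("10.0.0.8", 2, [443, 80, 53, 123], 8), ("10.0.0.9", 4, [443, 80, 53], 12),
    ("10.0.0.10", 1, [443], 4)]
NORMAL = [f for h, k, ports, n in PROFILES for f in make_flows(h, SERVERS[:k], ports, n)]
# Constructed detection window additions: a horizontal SSH sweep (one port, many hosts: high
# H(dst IP), zero H(dst port)) and a vertical scan (one host, many ports: the mirror image).
SCAN_H = make_flows("10.0.0.21", ["203.0.113.%d" % i for i in range(1, 65)], [22], 64)
SCAN_V = make_flows("10.0.0.22", ["203.0.113.7"], list(range(1, 65)), 64)

if __name__ == "__main__":
    for host, why in sorted(detect(NORMAL, NORMAL + SCAN_H + SCAN_V).items()):
        print(host, "flagged by", ", ".join(why))
```

Running the module scores the ten clients plus the two scanners against a model fitted on the clients alone and reports which of the two definitions fired for each flagged host. The point the abstract makes carries over directly: a host can sit far out along the directions normal traffic already varies in (caught by T²) or leave the subspace entirely (caught by SPE), and neither score alone is guaranteed to see both kinds, which is why the decision above is the union of the two.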