Abstract
Network traffic data collected for intrusion analysis is typically high-dimensional, which makes it difficult both to analyze and to visualize. Principal Component Analysis (PCA) is used to reduce the dimensionality of the feature vectors extracted from the data, enabling simpler analysis and visualization of the traffic. PCA is applied to selected network attacks from the DARPA 1998 intrusion detection data sets, namely Denial-of-Service and Network Probe attacks. A method for identifying an attack from the generated statistics is proposed. Network activity and possible intrusions are visualized with biplots, which summarize these statistics.
Résumé
Traffic data collected during network intrusions is characterised by its multidimensional nature, which makes it hard to analyse and to visualise. Principal component analysis is used here to reduce the number of dimensions of the vectors extracted from these data, which simplifies the analysis and visualisation of the traffic. It is applied to network attacks taken from the DARPA 1998 intrusion detection data sets, namely flooding attacks (denial of service) and probe attacks. A method for identifying the attack based on general statistics is proposed. Network activity and possible intrusions are visualised using "biplots", which provide a summary of these statistics.
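The pipeline sketched in both abstracts (per-window traffic feature vectors, standardisation, PCA to a two-dimensional summary, an outlier statistic computed from the projection, biplot coordinates for plotting) as an added, self-contained example in pure Python. It is not the authors' code and makes several assumptions the abstract does not fix: six per-window counters as the features (packets, bytes, SYNs, distinct destination ports, distinct source addresses, ICMP packets), z-score standardisation, Hotelling's T^2 and the squared prediction error (SPE) as the two detection statistics, and mean + 3 sigma thresholds fitted on a baseline. All windows below are constructed; none of them is DARPA 1998 data. The eigen-decomposition is a plain Jacobi rotation routine so the block runs without NumPy.

```python
"""PCA-based traffic summarisation and outlier scoring (added example, not the paper's code).
Assumed design: z-scored per-window counters, Jacobi eigen-decomposition of the
correlation matrix, Hotelling's T^2 + SPE as statistics, mean + 3 sigma thresholds."""
import math
import random

# assumed feature set for one time window; the abstract does not name its features
FEATURES = ["packets", "bytes", "syn", "dst_ports", "src_ips", "icmp"]


def make_baseline_windows(n, seed):
    """Constructed 'normal' windows: volume features are correlated, the rest are independent."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        packets = rng.gauss(1000, 80)
        rows.append([packets,
                     packets * rng.gauss(520, 30),       # bytes scale with packets
                     packets * rng.uniform(0.08, 0.12),  # ~10% of packets are SYNs
                     rng.gauss(8, 1.5),                  # distinct destination ports
                     rng.gauss(25, 4),                   # distinct source addresses
                     rng.gauss(5, 2)])                   # ICMP packets
    return rows


def jacobi_eigen(a, sweeps=60, tol=1e-14):
    """Eigenvalues (descending) and unit eigenvectors (as columns) of a symmetric matrix,
    by cyclic Jacobi rotations A' = P^T A P, accumulating V = V P."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for m in (a, v):                      # right-multiply by the rotation P
                    for k in range(n):
                        mkp, mkq = m[k][p], m[k][q]
                        m[k][p], m[k][q] = c * mkp - s * mkq, s * mkp + c * mkq
                for k in range(n):                    # left-multiply A by P^T
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    order = sorted(range(n), key=lambda i: -a[i][i])
    return [a[i][i] for i in order], [[v[k][i] for i in order] for k in range(n)]


def fit_pca(rows, k):
    """Standardise the baseline, diagonalise its correlation matrix, keep the top k components."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    # a constant feature gets std 1.0 so standardisation never divides by zero
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / (n - 1)) or 1.0 for j in range(d)]
    z = [[(r[j] - means[j]) / stds[j] for j in range(d)] for r in rows]
    corr = [[sum(row[i] * row[j] for row in z) / (n - 1) for j in range(d)] for i in range(d)]
    eigvals, vecs = jacobi_eigen(corr)
    total = sum(eigvals)
    return {"means": means, "stds": stds,
            "components": [[vecs[i][j] for i in range(d)] for j in range(k)],  # row j = PC j
            "eigvals": eigvals[:k], "explained": [lam / total for lam in eigvals[:k]]}


def standardize(model, row):
    return [(x - m) / s for x, m, s in zip(row, model["means"], model["stds"])]


def project(model, row):
    """Coordinates of one window in PC space: the points of the biplot."""
    zrow = standardize(model, row)
    return [sum(zi * ci for zi, ci in zip(zrow, comp)) for comp in model["components"]]


def biplot_loadings(model):
    """Per-feature arrow for the biplot: loading scaled by sqrt(eigenvalue) (one common convention)."""
    return [(name, [comp[i] * math.sqrt(lam) for comp, lam in zip(model["components"], model["eigvals"])])
            for i, name in enumerate(FEATURES)]


def score(model, row):
    """T^2 measures distance inside the retained subspace, SPE the part the model cannot explain."""
    zrow, t = standardize(model, row), project(model, row)
    t2 = sum(tj * tj / lam for tj, lam in zip(t, model["eigvals"]))
    spe = sum(zi * zi for zi in zrow) - sum(tj * tj for tj in t)
    return t2, max(spe, 0.0)


def fit_thresholds(model, rows, nsigma=3.0):
    """mean + nsigma * std of each statistic over the baseline windows (assumed rule)."""
    def upper(values):
        mu = sum(values) / len(values)
        return mu + nsigma * math.sqrt(sum((x - mu) ** 2 for x in values) / (len(values) - 1))
    t2s, spes = zip(*(score(model, r) for r in rows))
    return upper(t2s), upper(spes)


def detect(model, thresholds, labelled_windows):
    t2_thr, spe_thr = thresholds
    return [{"label": label, "t2": t2, "spe": spe, "pc": project(model, row),
             "alert": t2 > t2_thr or spe > spe_thr}
            for label, row in labelled_windows for t2, spe in [score(model, row)]]


# constructed data: 200 baseline windows to fit on; 20 unseen normal windows plus three attack windows to score
BASELINE = make_baseline_windows(200, seed=1)
TEST_WINDOWS = [("normal", r) for r in make_baseline_windows(20, seed=2)] + [
    ("syn flood (DoS)",    [50000, 50000 * 60, 49500, 3, 20, 4]),
    ("port scan (probe)",  [1500, 1500 * 60, 1480, 1400, 1, 2]),
    ("ping sweep (probe)", [3000, 3000 * 64, 20, 1, 1, 2800])]
MODEL = fit_pca(BASELINE, k=2)
THRESHOLDS = fit_thresholds(MODEL, BASELINE)

if __name__ == "__main__":
    print("explained variance (PC1, PC2):", [round(e, 3) for e in MODEL["explained"]])
    for name, arrow in biplot_loadings(MODEL):
        print(f"  loading {name:>9}: PC1 {arrow[0]:+.2f}  PC2 {arrow[1]:+.2f}")
    for r in detect(MODEL, THRESHOLDS, TEST_WINDOWS):
        print(f"{r['label']:>20}  T2={r['t2']:12.1f}  SPE={r['spe']:12.1f}  alert={r['alert']}")
```

Two statistics are kept on purpose: a SYN flood moves a window along the high-variance volume direction that PC1 captures, so it shows up in T^2, whereas a port scan perturbs a feature (distinct destination ports) that the two retained components barely load on, so its distance lives almost entirely in the residual and only SPE sees it. Plotting `project()` for each window against the arrows from `biplot_loadings()` gives the biplot: attack windows sit far from the baseline cloud, and the arrow they lie along names the feature that moved.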
Additional information
A version of this paper appeared in the proceedings of SAR 2004 (http://www.hds.utc.fr/sar04)
Cite this article
Labib, K., Vemuri, V.R. An application of principal component analysis to the detection and visualization of computer network attacks. Ann. Télécommun. 61, 218–234 (2006). https://doi.org/10.1007/BF03219975