
An application of principal component analysis to the detection and visualization of computer network attacks

Application de L’Analyse en Composantes Principales à la Détection et à la Visualisation D’Attaques de Réseaux

Published in: Annales des Télécommunications

Abstract

Network traffic data collected for intrusion analysis is typically high-dimensional, making it difficult both to analyze and to visualize. Principal Component Analysis is used to reduce the dimensionality of the feature vectors extracted from the data, enabling simpler analysis and visualization of the traffic. Principal Component Analysis is applied to selected network attacks from the DARPA 1998 intrusion detection data sets, namely Denial-of-Service and Network Probe attacks. A method for identifying an attack based on the generated statistics is proposed. Visualization of network activity and possible intrusions is achieved using bi-plots, which provide a summary of the statistics.

Résumé (translated from the French)

Traffic data collected during intrusions into networks is characterized by its multidimensional nature, which makes it difficult to analyze and visualize. Principal component analysis is used here to reduce the number of dimensions of the vectors extracted from this data, which makes analysis and visualization of the traffic simpler. It is applied to network attacks taken from the DARPA 1998 intrusion detection data sets, namely saturation (denial-of-service) attacks and probe attacks. A method for identifying the attack based on general statistics is proposed. Visualization of network activity and possible intrusions is achieved using "bi-plots", which provide a summary of these statistics.
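The abstract describes the pipeline only at a high level: extract a feature vector per unit of traffic, reduce it with PCA, flag attacks from statistics computed in the reduced space, and plot the 2-D projection as a bi-plot. The block below is an added example, not the paper's code or its feature set, showing one concrete instance of that pipeline with numpy only. Everything specific is an assumption: the six features per traffic window, the two retained components, the Hotelling-style T² score in the principal subspace combined with the residual (Q) statistic, the 99th-percentile threshold on training scores, and the constructed normal, flood-like and sweep-like windows used as input.

```python
"""PCA-based anomaly scoring on constructed per-window traffic features.

Added example (not from the paper). Assumed design: standardize features,
keep the top-2 principal components, score each window with T^2 (distance
inside the retained subspace) plus Q (squared reconstruction residual), and
flag scores above the 99th percentile seen on normal training windows.
"""
import numpy as np

# Assumed feature vector for one traffic window (e.g. 1 s of captures).
FEATURES = ["pkts_per_s", "bytes_per_s", "syn_ratio", "icmp_ratio",
            "distinct_dst_ports", "distinct_src_ips"]


class PcaDetector:
    def __init__(self, n_components=2):
        self.k = n_components

    def fit(self, X):
        """Learn mean/scale and principal axes from normal windows only."""
        X = np.asarray(X, dtype=float)
        self.mean = X.mean(axis=0)
        self.std = X.std(axis=0)
        self.std[self.std == 0] = 1.0          # avoid division by zero
        Z = (X - self.mean) / self.std
        cov = np.cov(Z, rowvar=False)
        vals, vecs = np.linalg.eigh(cov)       # ascending eigenvalues
        order = np.argsort(vals)[::-1]
        self.eigvals = vals[order][:self.k]
        self.components = vecs[:, order][:, :self.k]   # (features x k)
        train_scores = np.array([self.score(x) for x in X])
        self.threshold = np.percentile(train_scores, 99)
        return self

    def project(self, x):
        """2-D coordinates of a window: what a bi-plot would draw."""
        z = (np.asarray(x, dtype=float) - self.mean) / self.std
        return z @ self.components

    def score(self, x):
        """T^2 (variance-weighted distance in PC space) + Q (residual)."""
        z = (np.asarray(x, dtype=float) - self.mean) / self.std
        t = z @ self.components
        t2 = float(np.sum(t ** 2 / self.eigvals))
        resid = z - self.components @ t
        q = float(resid @ resid)
        return t2 + q

    def is_anomalous(self, x):
        return self.score(x) > self.threshold


def make_normal_windows(n=300, seed=7):
    """Constructed 'normal' traffic windows (assumed distribution)."""
    rng = np.random.default_rng(seed)
    pkts = rng.normal(200, 30, n)
    byts = pkts * rng.normal(600, 50, n)       # ~600 B average packet
    syn = rng.normal(0.05, 0.01, n)
    icmp = rng.normal(0.02, 0.005, n)
    ports = rng.normal(12, 3, n)
    ips = rng.normal(8, 2, n)
    return np.column_stack([pkts, byts, syn, icmp, ports, ips])


# Constructed attack-like windows (assumed values, for illustration):
# a flood: very high packet rate of small packets, almost all SYNs
DOS_WINDOW = [50000, 50000 * 60, 0.95, 0.0, 3, 1]
# a sweep: moderate rate but hundreds of distinct destination ports
PROBE_WINDOW = [800, 800 * 60, 0.90, 0.0, 900, 1]


def label_windows(detector, windows):
    """Return ('normal'|'attack', score, 2-D projection) per window."""
    out = []
    for w in windows:
        kind = "attack" if detector.is_anomalous(w) else "normal"
        out.append((kind, detector.score(w), detector.project(w)))
    return out


if __name__ == "__main__":
    train = make_normal_windows()
    det = PcaDetector().fit(train)
    print("threshold (99th pct of training scores):", round(det.threshold, 2))
    for name, w in [("normal", train.mean(axis=0)),
                    ("dos", DOS_WINDOW), ("probe", PROBE_WINDOW)]:
        kind, s, pc = label_windows(det, [w])[0]
        print(f"{name:6s} -> {kind:6s} score={s:12.1f} pc=({pc[0]:.1f}, {pc[1]:.1f})")
```

Run as a script it prints the threshold and, for one normal-looking window and the two constructed attack windows, the score and the 2-D coordinates a bi-plot would place them at. The design point worth noting is that T² alone misses anomalies that lie off the retained subspace, which is why the residual Q is added: a window can project close to the normal cluster in the plot while still being far from it in the discarded directions.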




A version of this paper appeared in the proceedings of SAR 2004 (http://www.hds.utc.fr/sar04)


Labib, K., Vemuri, V.R. An application of principal component analysis to the detection and visualization of computer network attacks. Ann. Télécommun. 61, 218–234 (2006). https://doi.org/10.1007/BF03219975
