Network anomaly detection based on tensor decomposition

The problem of detecting anomalies in time series from network measurements has been widely studied and is a topic of fundamental importance. Many anomaly detection methods are based on the inspection of packets collected at the network core routers, with consequent disadvantages in terms of computational cost and privacy. We propose an alternative method in which packet header inspection is not needed. The method is based on the extraction of a normal subspace obtained by the tensor decomposition technique considering the correlation among metrics. In its online version, the proposed approach for tensor decomposition allows efficient tracking of changes in the normal subspace. The flexibility of the method is illustrated by applying it to distinct examples that include supervised and unsupervised anomaly detection. The examples use actual data collected at residential routers.