Detection of network anomalies using Improved-MSPCA with sketches

Internet has become a battle ground between defenders and attackers. The important and first step for a defender of the network is to detect "indicators" of attack. One of the indicators is traffic anomaly. In this paper, we propose an Improved-MSPCA anomaly detection algorithm which can diminish the impact of normal subspace contamination so as to separate the anomalous data more efficiently. Compared to the conventional-MSPCA, our Improved-MSPCA has less parameter setting and lower time complexity. By evaluating on the DAPFtA 1999 datasets, the results indicate that Improved-MSPCA can alleviate the effect of normal subspace contamination and achieve a great improvement compared to the other related detection algorithms. In addition, we propose a novel feature-based anomaly detection system which combines sketch data structure and Improved-MSPCA detection algorithm to detect anomalous IP source addresses. Through experiments on the more recent MAWI datasets, the results demonstrate that our system outperforms other related anomaly detection systems. (C) 2016 Elsevier Ltd. All rights reserved.