A robust principal component analysis approach to DoS-related network anomaly detection

2020 
Many denial of service attacks target flaws and ill-specified features of network protocol designs and implementations. To most effectively mitigate such DoS attacks, a defense system should be able to detect an anomaly and attribute its root cause to the traffic protocols, features, and source associated with it. The Adaptive Resource Management Enabling Deception (ARMED) approach to these issues, described in previous work, is to push the measurement and analysis of traffic away from service endpoints - and into the network - to facilitate transparent anomaly detection of network protocols before the endpoint is affected. But what tools are available to do the heavy lifting of analyzing traffic and pinpointing anomalies? This paper describes one such option - Robust Principal Component Analysis (RPCA). We adopted RPCA for use in an ARMED prototype to detect anomalies in real time for a variety of attack vectors. We found that such an analysis can be performed within the typical CPU and memory constraints of modern servers, and that the anomaly detection is general enough to detect both well-known attacks and, in theory, zero-day vulnerabilities in common network protocols.
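As an added illustration, not code from the paper or the ARMED prototype: a small Python sketch of RPCA (principal component pursuit solved by ADMM) applied to a constructed matrix of per-window, per-protocol packet counts, flagging windows whose sparse residual dominates the low-rank baseline and attributing each to its dominant feature. The feature names, the traffic matrix, the injected SYN surge and the 0.5 ratio threshold are all constructed assumptions.

```python
import numpy as np

# Constructed sample: rows are one-minute windows, columns are per-protocol
# packet counts (the kind of "traffic features" the abstract applies RPCA to).
FEATURES = ["tcp_syn", "tcp_ack", "udp", "icmp", "dns"]

def build_traffic_matrix(windows=40, flood_window=25, flood_size=300.0):
    rng = np.random.default_rng(7)
    load = 100 + 40 * np.sin(2 * np.pi * np.arange(windows) / windows)  # smooth load cycle
    mix = np.array([0.30, 0.35, 0.15, 0.05, 0.15])                      # normal protocol mix
    m = np.outer(load, mix) + rng.normal(0.0, 0.5, (windows, len(mix)))  # rank-1 baseline + noise
    m[flood_window, 0] += flood_size                                    # injected SYN surge
    return m

def shrink(x, tau):
    """Soft threshold: proximal operator of the l1 norm."""
    return np.sign(x) * np.maximum(np.abs(x) - tau, 0.0)

def svt(x, tau):
    """Singular value thresholding: proximal operator of the nuclear norm."""
    u, s, vt = np.linalg.svd(x, full_matrices=False)
    return (u * shrink(s, tau)) @ vt

def rpca(m, lam=None, max_iter=1000, tol=1e-7):
    """Principal Component Pursuit by ADMM: split m into low-rank l plus sparse s."""
    rows, cols = m.shape
    lam = lam if lam is not None else 1.0 / np.sqrt(max(rows, cols))
    mu = rows * cols / (4.0 * np.abs(m).sum())
    s = np.zeros_like(m)
    y = np.zeros_like(m)  # scaled dual variable
    for _ in range(max_iter):
        l = svt(m - s + y / mu, 1.0 / mu)
        s = shrink(m - l + y / mu, lam / mu)
        residual = m - l - s
        y += mu * residual
        if np.linalg.norm(residual) <= tol * np.linalg.norm(m):
            break
    return l, s

def flag_windows(m, ratio=0.5):
    """Return (window, feature) pairs whose sparse part dominates the baseline row."""
    l, s = rpca(m)
    hits = []
    for t in range(m.shape[0]):
        score = np.abs(s[t]).sum() / max(np.abs(l[t]).sum(), 1e-9)
        if score > ratio:
            hits.append((t, FEATURES[int(np.argmax(np.abs(s[t])))]))
    return hits

if __name__ == "__main__":
    print(flag_windows(build_traffic_matrix()))
```

The low-rank part models the routine per-protocol load, so a surge confined to one window and one protocol column lands in the sparse part and is attributed to that column.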