Embed Size (px)
Citation preview
Research ArticleA Large-Scale Network Data Analysis via Sparse and LowRank Reconstruction
Liang Fu Lu1 Zheng-Hai Huang12 Mohammed A Ambusaidi3 and Kui-Xiang Gou1
1 Department of Mathematics School of Science Tianjin University Tianjin 300072 China2 Center for Applied Mathematics of Tianjin University Tianjin 300072 China3 Faculty of Engineering and IT University of Technology Sydney NSW 2007 Australia
Correspondence should be addressed to Kui-Xiang Gou gkxiangtjueducn
Received 11 April 2014 Accepted 28 April 2014 Published 26 May 2014
Academic Editor Xiang Li
Copyright copy 2014 Liang Fu Lu et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
With the rapid growth of data communications in size and complexity the threat of malicious activities and computer crimes hasincreased accordingly as well Thus investigating efficient data processing techniques for network operation and management overlarge-scale network traffic is highly required Some mathematical approaches on flow-level traffic data have been proposed due tothe importance of analyzing the structure and situation of the network Different from the state-of-the-art studies we first propose anew decomposition model based on accelerated proximal gradient method for packet-level traffic data In addition we present theiterative scheme of the algorithm for network anomaly detection problem which is termed as NAD-APG Based on the approachwe carry out the intrusion detection for packet-level network traffic data no matter whether it is polluted by noise or not Finallywe design a prototype system for network anomalies detection such as Probe and R2L attacks The experiments have shown thatour approach is effective in revealing the patterns of network traffic data and detecting attacks from large-scale network trafficMoreover the experiments have demonstrated the robustness of the algorithm as well even when the network traffic is polluted bythe large volume anomalies and noise
1 Introduction
The rapid growth of data communication through theInternet and World Wide Web has led to vast amountsof information available online In addition business andgovernment organizations create large amounts of bothstructured and unstructured information which need to beprocessed analyzed and linked The large-scale networkdata plays a popular and important role in network operationand management Consequently high-dimensional data andmultivariate data are becoming commonplace as the numberof applications increases such as statistical and demographiccomputation and digital libraries Though it can provideflexible and cost-saving IT solutions for the end users itis much easier in causing a great deal of problems such asnetwork and system security issues due to its sharing andcentralizing computing resources
In general network managers consider that the packet-level and flow-level data constitute the traditional network
traffic data On one hand the packet-level data analysisperforms successfully in maintaining simple scalable highlyavailable and robust networks [1] On the other hand flow-level data analysis has become popular in recent studiesbecause the data can describe the network-level status andbehavior of communication networks from origin nodes todestination nodes (OD) effectively [2] However there is noabsolute way to secure the data and data transformations inlarge-scale networking systems The existing techniques andtools of securing a network system still rely heavily on humanexperiences Most of them require human involvement inanalyzing and detecting anomalies and intrusions Moreoverthe existing networked-data analysis techniques are mainlybased on the complete data which limits the applicationof them Unveiling the anomalies is a crucial task espe-cially nowadays as big data acquisition and storage becomeincreasingly difficult with the increasing amount of data dueto the sampling bandwidth and storage space constraints [3]Some approaches have been achieved in flow-level network
Hindawi Publishing CorporationDiscrete Dynamics in Nature and SocietyVolume 2014 Article ID 323764 10 pageshttpdxdoiorg1011552014323764
2 Discrete Dynamics in Nature and Society
data [2 4 5] They reconstructed all origin-destination flowsvia compressive sensing methods by leveraging the lowintrinsic-dimensionality of OD flows and the sparse natureof anomalies Meanwhile due to the difficulties of collectingand processing the large-scale packet-level data to the best ofour knowledge few researchers pay attention to analyzing theincomplete packet-level data for managing and controllingthe whole network
Intrusion detection systems are security managementssystems developed to find inconsistency with expected pat-terns in network traffic data which is termed as well in litera-ture [3] as novelty detection anomaly mining and noisingmining They play an important role in detecting differenttypes of network attacks including Denial of Service (DOS)surveillance and other probing (Probe) unauthorized accessto local super user (root) privilege (U2R) and unauthorizedaccess from a remotemachine (R2L) attacks Intrusion detec-tion approaches can be categorized into two main categoriessignature-based and anomaly-based detection Signature-based or misuse-based detection systems detect on-goinganomalies by looking for a match with any predefined attacksignature [6] Anomaly-based detection on the other handmakes an assumption that intrudersrsquo behaviors are differentfrom that of normal network traffic Therefore any deviationfrom the normal flow can be considered as an attack [7]
To enhance the human perception and understandingof different types of network intrusions and attacks andinspired by the literature [5] approaches on network trafficdata analysis and network anomalies detection based oncompressed sensing in big data are put forth in this paperAs pointed out in literature [2 3] on one hand the numberof normal data instances is much more than the numberof anomaly data ones which exactly meets the sparsityrequirements of compressed sensing theory On the otherhand traffic matrices usually have low effective dimensionsbecause they can be well approximated by a few principalcomponents that correspond to the largest singular valuesof the matrices which are introduced by Lakhina et al [8]by using of Principal Component Analysis (PCA) method totraffic matrix analysis
Therefore at the first stage we propose a new decom-position model for packet-level traffic matrix Then wepresent the iterative algorithm based on accelerated proximalgradient method for network anomaly detection problemwhich is termed as NAD-APG Based on the approach wecarry out the intrusion detection for network traffic data nomatter whether it is polluted by noise or not Finally wedesign a prototype system for network anomalies detectionsuch as Probe and R2L attacks and so on The experimentshave shown that our approach is effective in revealing thepatterns of network traffic data and detecting attacks fromlarge-scale network traffic In addition the experiments havedemonstrated the robustness of the algorithm as well evenwhen the network traffic is polluted by the large volumeanomalies and noise
The rest of the paper is organized as follows Section 2gives an overview of existing methods on structural anal-ysis of network traffic via compressed sensing techniquesSection 3 presents our approach on anomaly detection in
network traffic based on accelerated proximal gradient lineresearchmethod (APGL)The experimental evaluation of ournew approaches is explored in Section 4 Finally conclusionsand future work are presented in Section 5
2 Related Work
It has become popular in recent studies that considering thetraffic matrix analysis as the main flow-level data becausethe traffic matrix can describe the network-level status andbehavior of communication networks from origin nodes todestination nodes (OD) effectively and it is a combination ofdifferent classes of network traffic to represent howmuchdatais transmitted during different time intervals [8]
As one of the most widely used methods to analyze trafficmatrix PCA was put forth in [9] by Lakhina et al Theycalculated the principal component that corresponds to thelargest singular value of the matrix and utilized these prin-cipal components to approximate the original traffic matrixMoreover they improved this method and proposed volumeanomaly detection approach based on PCA-subspace [8] Inthe following approaches researchers improved the classicalPCA method and proposed distributed PCA [10] networkanomography [11] and traffic matrix evaluation from adap-tivity and bias perspectives [12] However as mentioned bythe literatures [5 8 13] there are some limitations when weutilize the PCA method to deal with the traffic matrix inorder to analyze and manage the whole network such as thefluctuation of estimation error with the volume change ofanomalies the sensitivity to the choice of parameters andfailure on exploiting the sparsity of anomalies
Therefore due to the increasing complexity and amountsof internet applications the acquisition and storage of bigdata becomes more and more difficult Moreover to over-come the limitations of PCA researchers have obtained someapproaches for analyzing end-to-end network traffic in recentyears To solve the problem that PCA performs poorly inpolluted traffic matrix by large volume anomalies Lakhinaet al [8] proposed structural analysis by decomposing thenetwork traffic matrix into deterministic traffic anomalytraffic and the noise traffic matrix They analyzed that thedecomposition problem is equivalent to the relaxed principalcomponent pursuitmethodAdistributed estimationmethodto unveil the anomalies presented inODflows using proximalgradient method was proposed by Mardani et al [5] Acentralized solver and the in-network processing of link-loadmeasurements were analyzed in their work as well WhileNie et al found that the size of OD flows obeys the powerlaws [4] By using this characteristic and restricted isometricproperty in compressed sensing theory they reconstructedall OD flows with the help of partial observed samples frombackbone network traffic data
However all the current researches pay too much atten-tion on the network traffic in flow-level network Thereforewe propose a novel approach based on the latest methodfrom compressed sensing to reveal the abnormal patternsby dealing with the packet-level network data Firstly wepropose to apply the most popular accelerated proximal
Discrete Dynamics in Nature and Society 3
gradient line search method (APGL) [14] to recover the lowrank matrices with network traffic data Moreover to geta more accurate and robust approximation to reconstructtraffic matrix motivated partly by the literature [15] wepropose a traffic matrix decomposition method based on theAPGL algorithm Finally the simulation results and analysisdescribe the effectiveness and robustness of our approachesin network traffic data
3 Overall Approach
31 Principal Component Analysis Method Principal com-ponent analysis (PCA) as a widely used method in highdimensional data analysis can be viewed as a coordinatetransformation process which transforms the redundant datapoints to a low dimensional system As pointed out inliterature [2 9] each row vector 119909
119894of the traffic matrix
119883 isin R119898times119899 is considered as a data point PCA is performedby calculating the principal component vectors of 119883 whichare represented as V
119894 119894 = 1 2 119899 The first principal
component vector enjoys the property of the maximumvariance of the original matrix 119883 Similarly the tth principalcomponent vector V
119905 119905 = 2 3 119898 captures the maximum
variance of the residual traffic matrix as follows
V119905= arg maxV=1
1003817100381710038171003817100381710038171003817100381710038171003817
(119883 minus
119905minus1
sum
119894=1
119883V119894V119894
119879) V1003817100381710038171003817100381710038171003817100381710038171003817
(1)
Corresponding to V119894 we denote another unit vector 119906
119894as
119906119894=
119883V119894
1003817100381710038171003817119883V119894
1003817100381710038171003817
119894 = 1 2 3 119898 (2)
It is noted that vectors 119906119894and V
119894(119894 = 1 2 3 119898) form
the orthogonal basis ofR119899 respectively Therefore the trafficmatrix can be decomposed by the following formula
119883 =
119898
sum
119894=1
1003817100381710038171003817119883V119894
1003817100381710038171003817119906119894V119894
119879 (3)
If we denote 120590119894= 119883V
119894 the traditional PCA method can be
recited by the famous singular value decomposition (SVD)method in the research field ofmatrix computation as follows
119883 =
119898
sum
119894=1
120590119894119906119894V119894
119879 (4)
where V119894can be achieved by calculating the eigenvectors of
the matrix 119883119879119883 while 120590119894= radic120582
119894sdot 120582119894is the corresponding
eigenvalue of the matrix119883119879119883 That is to say
119883119879119883V119894= 120582119894V119894= 120590119894
2V119894 (5)
SVD plays an important role for its revealing interestingand attractive algebraic properties and conveys importantgeometrical and theoretical in-sights about transformationsThe entries of each matrix obtained by the SVD algorithmhave their special physical significances According to therationale of Eckart-Young theorem sum119903
119894=1120590119894119906119894V119894
119879(1 le 119903 le 119898)
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6times10
6
times104
Figure 1 Visualization for original normal traffic with 97278 dataitems
is considered to be the best rank-r approximation of119883 that issum119903
119894=1120590119894119906119894V119894
119879= arg minrank(119884)le119903119883 minus 119884119865 where sdot 119865 denotes
the Frobenius normTo the matrix expression for the PCA it seeks an optimal
estimate of 119860 via the following constrained optimization
min119860119864
119864119865
subject to rank (119860) le 119903
119883 = 119860 + 119864
(6)
where 119860 119864 isin R119898times119899 119903 ≪ min(119898 119899) In fact the optimalestimate of 119860 is the projection of the columns of 119883 onto thesubspace spanned by the 119903 principal left singular vectors of119883[16]
32 Network Anomaly Detection Algorithm Based on APGThough classical PCA method processes the data with thecorruption of small Gaussian noise effectively it alwaysbreaks down under large corruption [16] Therefore torecover a low-rank matrix 119860 from a corrupted data matrix119883 = 119860 + 119864 where some of the matrix 119864may be of arbitrarilylargemagnitudeWright et al [17] proposed amethod termedas Robust PCA (RPCA) which can exactly recover the low-rank matrix in the presence of gross errors Based on theiranalysis for the above optimization problem the Lagrangianreformulation of it is
min119860119864
rank (119860) + 1205821198640
subject to 119883 = 119860 + 119864
(7)
where 120582 is a positive parameter that balances the two termsUnfortunately the above optimization problem is NP-hardin general due to the nonconvexity and discontinuous natureof the rank function Moreover the nuclear norm sdot
lowast(the
sum of singular values of a matrix) is well known as aconvex surrogate of the nonconvex matrix rank functionTherefore in the literature [17] researchers proposed to solve
4 Discrete Dynamics in Nature and Society
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
times104
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
5
10
15
20
25
30
times104
minus5
minus10
(b)
Figure 2 (a) Principal components of original data in PCA (b) Residual matrix visualization in PCA
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
times104
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
1
times104
minus02
minus04
minus06
minus08
minus1
(b)
Figure 3 (a) Normal traffic in NAD-APG method (b) Visualization for abnormal traffic using NAD-APG
the following convex optimization problem by replacing the1198970-norm with 1198971-norm and rank(119860) with 119860
lowast
min119860119864
119860lowast+ 1205821198641
subject to 119883 = 119860 + 119864
(8)
To develop faster and more scalable algorithms associatedwith the robust PCA one popularmethod among state-of-artresearch approaches [16 18ndash21] dubbed accelerated proximalgradient algorithm (APG) is widely exploited to seek anoptimal solution of a soft constrained version of the convexproblem (8) In this paper we adopt the algorithm partially in
the literature [16]Themainmodel is the following unstrainedminimization optimization problem
min119860119864
120583119860lowast+ 1205821205831198641
+
1
2
119883 minus 119860 minus 1198642
119865 (9)
Moreover they summarized the convergence of the algorithmtheoretically as follows
Theorem 1 (see [16]) Suppose that 119865(119860 119864) = 120583119860lowast+
1205821205831198641+ (12)119883 minus 119860 minus 119864
2
119865 For all 119896 gt log(120583
0120583) log(1120578)
any solution 119883lowast of the problem (9) we have 119865(119883) minus 119865(119883lowast) le41198831198960minus 119883lowast2
119865(119896 minus 119896
0+ 1)2
The APG algorithm solves the optimization problem (9)by iteratively updating 119860 119864 and other parameters At last in
Discrete Dynamics in Nature and Society 5
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
times104
minus02
minus04
minus06
minus08
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
times104
minus1
(b)
Figure 4 (a) Gaussian white noise matrix (b) Anomaly-free traffic matrix with Gaussian white noise
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
1
times104
minus02
minus04
minus06
minus08
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
5
10
15
20
25
30
times104
minus5
minus10
(b)
Figure 5 (a) Abnormal traffic using NAD-APG (b) Residual matrix with Gaussian white noise in PCA
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6
7times10
8
times104
Figure 6 Original normal traffic mixed with 500 Probe attack data
the 119896th iteration we update 119860119896+1
and 119864119896+1
as the followingiterative scheme
119860119896+1
= S1205832(119884119860
119896+
119883 minus 119884119860
119896minus 119884119864
119896
2
)
119864119896+1
= S1205832(119884119864
119896+
119883 minus 119884119860
119896minus 119884119864
119896
2
)
where S1205832 (
119909) =
119909 minus
120583
2
if 119909 gt120583
2
119909 +
120583
2
if 119909 lt120583
2
0 otherwise
(10)
6 Discrete Dynamics in Nature and Society
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6
7
minus1
times108
times104
(a)
0 1 2 3 4 5 6 7 8 9 10
0
1000
2000
3000
4000
5000
6000
7000
8000
times104
minus1000
(b)
Figure 7 (a) Principal components of hybrid data in PCA (b) Residual matrix visualization in PCA
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
minus1
times104
(a)
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6
7times10
8
times104
(b)
Figure 8 (a) Normal traffic in NAD-APG method (b) Abnormal patterns shown in NAD-APG
119884119860
119896+1 119884119864119896+1
and 119905119896+1
are updated in the same way as [16] asfollows
119884119860
119896+1= 119860119896+1
+
119905119896minus 1
119905119896+1
(119860119896+1
minus 119860119896)
119884119864
119896+1= 119864119896+1
+
119905119896minus 1
119905119896+1
(119864119896+1
minus 119864119896)
119905119896+1
=
1 + radic1 + 41199052
119896
2
(11)
Here we summarize the main procedure for solving ournetwork anomaly detection problem by APG algorithm
which is called NAD-APG (see Algorithm 1) As pointed outin [19] the algorithm has a convergence rate of 119874(11198962)
4 Experiments and Results
In this section we conduct several experiments on differentattack types to show the effectiveness of our proposedapproach
41TheData Set Currently there are only fewpublic datasetsfor intrusion detection evaluation According to the literaturereview by Tsai et al [22] the majority of the IDS experiments
Discrete Dynamics in Nature and Society 7
0 100 200 300 400 500 6000
1
2
3
4
5
6times10
6
Figure 9 Visualization for 500 normal and 100 R2L network traffic
are performed on the KDD Cup 99 datasets It is the mostcomprehensive dataset that is still widely applied to compareand measure the performance of IDSs Therefore in orderto facilitate fair and rational comparisons with other state-of-the-art detection approaches we select the KDD Cup99 dataset to evaluate the performance of our approachfor detection This dataset was derived from the DARPA1998 datset It contains training data with approximately fivemillion connection records and test data with about twomillion connection records Each record in this dataset isuniquewith 41 features KDDCup 99 dataset includes normaltraffic and our different types of attacks namely ProbeDenial of Service (DOS) User o Root (U2R) and Remote toUser (R2U)More details about these attacks are given by [23]
During our experiments we use 10 KDD Cup 99 fortraining and testing Literature review shows that a significantnumber of state-of-the-art IDSs such as [23 24] wereevaluated using 10 KDD Cup 99 data Therefore trainingand testing our system on the 10KDDCup 99 data can helpto provide a fair comparison with those approaches The 10KDD Cup 99 consists of 494021 TCPIP connection recordssimulated in a military network environment US Air ForceLAN Each record is labeled as either normal or an attack andit has 41 different quantitative and qualitative features Thesefeatures are generally categorized into threemain groupsThefirst group is the basic features (ie attributes 1 to 9) that canbe extracted from a TCPIP connection The second grouprefers to features 10 to 22 that are named as content-basedfeatures presenting the information derived from networkpacket payloads The third group corresponds to the traffic-based features which are carried by the features 23 to 41 ofeach record A complete list of the set of features and thedetailed description is available in [25]
42 Experimental Results To demonstrate our method formanaging the internet network especially detecting theabnormal behaviors from the normal network traffic weconduct PCA and NAD-APG methods for normal trafficmixed with some attacks in our experiments
Firstly we randomly choose some normal traffic datawhich consists of 97278 data items (see Figure 1) In thispaper we consider these data as the normally-free traffic totest the performance of ourmethod After using PCA we can
find that the principal components almost enjoy the wholeproperty of the original normal traffic Here the sum of thevariances of the first ten principal components is near 100of the total variance of the original data Figure 2 shows us thedetails of two matrices after decomposing the original matrixusing PCA where Figure 2(a) shows the visualization formatrix which is composed of top ten principal componentsandFigure 2(b) shows the details of residualmatrixHoweverit is very difficult for us to find any pattern from themMoreover there are still some data characteristics left inresidual matrix after we apply PCA to the original normaldata which confuse the network analysts greatly If we use ourproposed method to the above normal traffic two matriceswith low-rank and sparse properties can be obtained toshow the normal and abnormal traffic respectively Figure 3visualizes the details of the two matrices where Figure 3(a)represents the low-rank matrix with main properties of theoriginal normal traffic In our paper we term this matrix asnormal traffic matrix While Figure 3(b) displays the matrixwith all zero elements which is termed as abnormal trafficmatrixTherefore if we decompose the unique normal trafficinto two matrices we can obtain normal matrix uniquelyTo sum up Figure 3 shows the correctness and effectivenessof our proposed NAD-APG Furthermore if the traffic waspolluted by noise (in this paper we refer the noise to beGaussianwhite noisewith 0mean and 1 variance) NAD-APGcan identify the anomaly-free traffic accurately
Figures 4 and 5 show the robust property of our proposedNAD-APGmethod where (a) is the visualization of Gaussianwhite noise added to the normal traffic and (b) is the recoveryof anomaly-free traffic In fact we obtained the all zeromatrixas well in this decomposition which means the traffic isanomaly-free Figure 5 compares the effectiveness of NAD-APG method with PCA In the visualization of residualmatrix of PCA it is obvious that we cannot find any patternof attacks
To evaluate the effectiveness of our method for detectingattacks in the whole internet we add 500 ldquoProberdquo data itemsto the normal traffic which means that the amount of thetotal data items is 97778 (see Figure 6) As we all know Probeattacks refer to attackers that typically probe the victimrsquosnetwork or host by searching through the network or hostfor open ports before they launch an attack on a given host[26] Therefore there may be a large volume of traffic in ashort time interval Figure 6 displays the details of hybridtraffic Firstly we try to use PCA to detect the Probe attackFigure 7(a) shows us the principal components of the hybridtraffic data which occupy the 99 contribution to the wholedata Though only 1 of energy of the whole data is leftin the residual matrix we find that there are still someintrinsic properties of the original data set which does notshow any valuable pattern for attacks However if we testthe hybrid data using NAD-APG method the sparse trafficmatrix obtained from the algorithm shows the attack patternapparently This enables the network manager to identify theanomalous packets from the normal traffic and can improvethe accuracy of attacks detection Figures 8(a) and 8(b) showthe patterns of normal and abnormal traffic decomposed bythe NAD-APG scheme
8 Discrete Dynamics in Nature and Society
InputNetwork traffic matrix119883 isin R119898times119899 120582 and tolerance 120576Initialize 119860
0larr 0 119864
0larr 0 119905
0larr 1
RepeatStep 1 Update 119860
119896+1 119864119896+1
as 119860119896+1
= S1205832(119884119860
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2)) and 119864
119896+1= S1205832(119884119864
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2))
Step 2 Let 119905119896+1
= (1 + radic1 + 41199052
119896)2
Step 3 Update 119884119860119896+1
and 119884119864119896+1
119884119860119896+1
= 119860119896+1+ ((119905119896minus 1)(119905
119896+1))(119860119896+1minus 119860119896) 119884119864119896+1
= 119864119896+1+ ((119905119896minus 1) (119905
119896+1))(119864119896+1minus 119864119896)
Until 119860119896+1minus 119860119896 le 120576 119864
119896+1minus 119864119896 le 120576 119860 larr 119860
119896+1 119864 larr 119864
119896+1
Analyze normal traffic pattern matrix 119860 abnormal traffic matrix 119864Output Is there any abnormal activity or not in the whole traffic
Algorithm 1 Anomaly detection using APG
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 600
0
100
200
300
400
500
600
700
minus100
(b)
Figure 10 (a) Principal components of NR data in PCA (b) Residual matrix of NR data in PCA
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 11 (a) Normal traffic of NR in NAD-APG method (b) Abnormal patterns of NR in NAD-APG
Discrete Dynamics in Nature and Society 9
0 100 200 300 400 500 600
0
1
2
3
4
5
6
minus1
times106
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 12 (a) Normal traffic of NRN in NAD-APG method (b) Abnormal patterns of NRN in NAD-APG
Table 1 Rank of low-rank matrix in the decomposition of NAD-APG method for attacks detection
Different sampling data Data items Rank (sampling data) Rank (low-rank matrix)Normal traffic 97378 38 10Normal traffic + Probe 97778 38 4500 Normal traffic + 100 R2L traffic 600 36 4Normal traffic + 100 R2L traffic 97478 38 4
To further demonstrate the advantages of our proposedscheme in small sampling data we randomly choose 500normal data items and 100 R2L attacks traffic as our testdata set (here we term this data set as NR) R2L attacksalways reveal the unauthorized local access from a remotemachine Moreover the data values in R2L attacks are alwaysmuch larger than the common data traffic Therefore wecan find that the fluctuation in the scale of the data valuesoccurs fromFigure 9 Figures 10 and 11 represent the details ofthe normal and abnormal traffic matrices obtained from thetwo different decomposition algorithms where the residualmatrix in PCA is still confusing Therefore it is very difficultfor network analysts to find the R2L attacks pattern fromit On the contrary the attack pattern can apparently befound from the sparse matrix as shown in Figure 11(b) Evensometimes the real network traffic data are polluted by thenoise (here we term this data set as NRN) especially theGaussian white noise the NAD-APG method can separatethe normal and R2L attack patterns apparently Figures 12(a)and 12(b) reveal the different patterns hidden in the networktraffic respectively
To sum up the experiments implemented above showthat the low-rank matrix represents the normal traffic andthe sparse matrix can always reveal the patterns of differentattacks when we use our proposed NAD-APG scheme todetect anomalies Table 1 describes the different ranks of thenormal traffic matrix in detecting different attacks There isno doubt that the low-rank matrices in processing different
sampling data have much lower ranks than the original onesHowever the rank of low-rank matrix is ten when we dealwith the pure normal network traffic which may be causedby the pure type of data
5 Conclusion
This paper introduced a new decomposition model forpacket-level network traffic data no matter whether it waspolluted by large-scale anomalies and noise or not We pre-sented the iterative algorithm based on accelerated proximalgradientmethod whichwas termed asNAD-APGMoreoverwe designed a prototype system for network anomaliesdetection such as Probe and R2L attacks and so on Theexperiments have shown that our approach is effective inrevealing the patterns of network traffic data and detectingattacks from a variety of networking patterns In additionthe experiments have demonstrated the robustness of thealgorithm as well when the network traffic is polluted by thelarge volume anomalies and noise
Though it is effective in detecting the attacks fromthe large-volume network traffic it is difficult to classifythe abnormal activities Therefore leveraging some featureselection and classification methods to our approaches toenhance the efficiency of intrusion detection is considered asour near future work On the other hand we will do moreresearches on APG algorithm itself and make our methodmore powerful and practical
10 Discrete Dynamics in Nature and Society
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National NaturalScience Foundation of China (no 11171252 and no 61202379)and theDoctoral Fund ofMinistry of Education of China (no20120032120041)
References
[1] C Fraleigh S Moon B Lyles et al ldquoPacket-level trafficmeasurements from the sprint IP backbonerdquo IEEENetwork vol17 no 6 pp 6ndash16 2003
[2] ZWang K Hu K Xu B Yin and X Dong ldquoStructural analysisof network traffic matrix via relaxed principal componentpursuitrdquoComputer Networks vol 56 no 7 pp 2049ndash2067 2012
[3] W Wang D Lu X Zhou B Zhang and J Mu ldquoStatisticalwavelet-based anomaly detection in big data with compressivesensingrdquo EURASIP Journal on Wireless Communications ampNetworking vol 2013 no 1 article 269 pp 1ndash6 2013
[4] L Nie D Jiang and L Guo ldquoA power laws-based reconstruc-tion approach to end-to-endnetwork trafficrdquo Journal of Networkand Computer Applications vol 36 no 2 pp 898ndash907 2012
[5] M Mardani G Mateos and G B Giannakis ldquoUnveilinganomalies in large-scale networks via sparsity and low rankrdquoin Proceedings of the Conference Record of the 45th AsilomarConference on Signals Systems and Computers (ASILOMAR rsquo11)pp 403ndash407 November 2011
[6] G Vigna and R A Kemmerer ldquoNetSTAT a network-basedintrusion detection approachrdquo in Proceedings of the 14th AnnualComputer Security Applications Conference pp 25ndash34 1998
[7] A Hassanzadeh and B Sadeghian ldquoIntrusion detection withdata correlation relation graphrdquo in Proceedings of the 3rdInternational Conference on Availability Security and Reliability(ARES rsquo08) pp 982ndash989 March 2008
[8] A Lakhina K Papagiannaki M Crovella C Diot E DKolaczyk and N Taft ldquoStructural analysis of network trafficflowsrdquoACMSIGMETRICS Performance Evaluation Review vol32 no 1 pp 61ndash72 2004
[9] A Lakhina M Crovella and C Diot ldquoDiagnosing network-wide traffic anomaliesrdquo ACM SIGCOMM Computer Communi-cation Review vol 34 no 4 pp 219ndash230 2004
[10] L Huang M I Jordan A Joseph M Garofalakis and NTaft ldquoIn-network PCA and anomaly detectionrdquo in Advances inNeural Information Processing Systems pp 617ndash624 2006
[11] Y Zhang Z Ge A Greenberg and M Roughan ldquoNetworkanomographyrdquo in Proceedings of the 5th ACM SIGCOMMConference on Internet Measurement (IMC rsquo05) p 30 2005
[12] A Soule A Lakhina N Taft et al ldquoTraffic matrices balancingmeasurements inference and modelingrdquo ACM SIGMETRICSPerformance Evaluation Review vol 33 no 1 pp 362ndash373 2005
[13] H Ringberg A Soule J Rexford and C Diot ldquoSensitivityof PCA for traffic anomaly detectionrdquo ACM SIGMETRICSPerformance Evaluation Review vol 35 no 1 pp 109ndash120 2007
[14] K-C Toh and S Yun ldquoAn accelerated proximal gradientalgorithm for nuclear norm regularized linear least squares
problemsrdquo Pacific Journal of Optimization vol 6 no 3 pp 615ndash640 2010
[15] H Yao D Zhang J Ye X Li and X He ldquoFast and accuratematrix completion via truncated nuclear norm regularizationrdquoIEEE Transactions on Pattern Analysis andMachine Intelligencevol 35 no 9 pp 2117ndash2130 2013
[16] A Ganesh Z Lin J Wright L Wu M Chen and Y MaldquoFast algorithms for recovering a corrupted low-rank matrixrdquoin Proceedings of the 2009 3rd IEEE International Workshop onComputational Advances in Multi-Sensor Adaptive Processing(CAMSAP rsquo09) pp 213ndash216 December 2009
[17] J Wright A Ganesh S Rao Y Peng and Y Ma ldquoRobustprincipal component analysis exact recovery of corrupted low-rank matrices by convex optimizationrdquo in Proceedings of theNeural Information Processing Systems 2009
[18] R He W S Zheng T Tan and Z Sun ldquoHalf-quadratic basediterative minimization for robust sparse representationrdquo IEEETransactions on Pattern Analysis and Machine Intelligence vol36 no 2 pp 261ndash275 2014
[19] A Beck and M Teboulle ldquoA fast iterative shrinkage-thresholding algorithm for linear inverse problemsrdquo SIAMJournal on Imaging Sciences vol 2 no 1 pp 183ndash202 2009
[20] Y-F Li Y-J Zhang and Z-H Huang ldquoA reweighted nuclearnorm minimization algorithm for low rank matrix recoveryrdquoJournal of Computational andAppliedMathematics vol 263 pp338ndash350 2014
[21] M Zhang Z-H Huang and Y Zhang ldquoRestricted 119901-isometryproperties of nonconvexmatrix recoveryrdquo IEEE Transactions onInformation Theory vol 59 no 7 pp 4316ndash4323 2013
[22] C-F Tsai Y-F Hsu C-Y Lin and W-Y Lin ldquoIntrusiondetection by machine learning a reviewrdquo Expert Systems withApplications vol 36 no 10 pp 11994ndash12000 2009
[23] S Mukkamala A H Sung and A Abraham ldquoIntrusiondetection using an ensemble of intelligent paradigmsrdquo Journalof Network and Computer Applications vol 28 no 2 pp 167ndash182 2005
[24] A Mitrokotsa M Tsagkaris and C Douligeris ldquoIntrusiondetection in mobile Ad Hoc Networks using classificationalgorithmsrdquo IFIP International Federation for Information Pro-cessing vol 265 pp 133ndash144 2008
[25] F Amiri M Rezaei Yousefi C Lucas A Shakery and NYazdani ldquoMutual information-based feature selection for intru-sion detection systemsrdquo Journal of Network and ComputerApplications vol 34 no 4 pp 1184ndash1199 2011
[26] K Labib andV RVemuri ldquoDetecting and visualizing denial-of-service and network probe attacks using principal componentanalysisrdquo in Proceedings of 3rd Conference on Security andNetwork Architectures (SAR rsquo04) La Londe France June 2004
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
2 Discrete Dynamics in Nature and Society
data [2 4 5] They reconstructed all origin-destination flowsvia compressive sensing methods by leveraging the lowintrinsic-dimensionality of OD flows and the sparse natureof anomalies Meanwhile due to the difficulties of collectingand processing the large-scale packet-level data to the best ofour knowledge few researchers pay attention to analyzing theincomplete packet-level data for managing and controllingthe whole network
Intrusion detection systems are security managementssystems developed to find inconsistency with expected pat-terns in network traffic data which is termed as well in litera-ture [3] as novelty detection anomaly mining and noisingmining They play an important role in detecting differenttypes of network attacks including Denial of Service (DOS)surveillance and other probing (Probe) unauthorized accessto local super user (root) privilege (U2R) and unauthorizedaccess from a remotemachine (R2L) attacks Intrusion detec-tion approaches can be categorized into two main categoriessignature-based and anomaly-based detection Signature-based or misuse-based detection systems detect on-goinganomalies by looking for a match with any predefined attacksignature [6] Anomaly-based detection on the other handmakes an assumption that intrudersrsquo behaviors are differentfrom that of normal network traffic Therefore any deviationfrom the normal flow can be considered as an attack [7]
To enhance the human perception and understandingof different types of network intrusions and attacks andinspired by the literature [5] approaches on network trafficdata analysis and network anomalies detection based oncompressed sensing in big data are put forth in this paperAs pointed out in literature [2 3] on one hand the numberof normal data instances is much more than the numberof anomaly data ones which exactly meets the sparsityrequirements of compressed sensing theory On the otherhand traffic matrices usually have low effective dimensionsbecause they can be well approximated by a few principalcomponents that correspond to the largest singular valuesof the matrices which are introduced by Lakhina et al [8]by using of Principal Component Analysis (PCA) method totraffic matrix analysis
Therefore at the first stage we propose a new decom-position model for packet-level traffic matrix Then wepresent the iterative algorithm based on accelerated proximalgradient method for network anomaly detection problemwhich is termed as NAD-APG Based on the approach wecarry out the intrusion detection for network traffic data nomatter whether it is polluted by noise or not Finally wedesign a prototype system for network anomalies detectionsuch as Probe and R2L attacks and so on The experimentshave shown that our approach is effective in revealing thepatterns of network traffic data and detecting attacks fromlarge-scale network traffic In addition the experiments havedemonstrated the robustness of the algorithm as well evenwhen the network traffic is polluted by the large volumeanomalies and noise
The rest of the paper is organized as follows Section 2gives an overview of existing methods on structural anal-ysis of network traffic via compressed sensing techniquesSection 3 presents our approach on anomaly detection in
network traffic based on accelerated proximal gradient lineresearchmethod (APGL)The experimental evaluation of ournew approaches is explored in Section 4 Finally conclusionsand future work are presented in Section 5
2 Related Work
It has become popular in recent studies that considering thetraffic matrix analysis as the main flow-level data becausethe traffic matrix can describe the network-level status andbehavior of communication networks from origin nodes todestination nodes (OD) effectively and it is a combination ofdifferent classes of network traffic to represent howmuchdatais transmitted during different time intervals [8]
As one of the most widely used methods to analyze trafficmatrix PCA was put forth in [9] by Lakhina et al Theycalculated the principal component that corresponds to thelargest singular value of the matrix and utilized these prin-cipal components to approximate the original traffic matrixMoreover they improved this method and proposed volumeanomaly detection approach based on PCA-subspace [8] Inthe following approaches researchers improved the classicalPCA method and proposed distributed PCA [10] networkanomography [11] and traffic matrix evaluation from adap-tivity and bias perspectives [12] However as mentioned bythe literatures [5 8 13] there are some limitations when weutilize the PCA method to deal with the traffic matrix inorder to analyze and manage the whole network such as thefluctuation of estimation error with the volume change ofanomalies the sensitivity to the choice of parameters andfailure on exploiting the sparsity of anomalies
Therefore due to the increasing complexity and amountsof internet applications the acquisition and storage of bigdata becomes more and more difficult Moreover to over-come the limitations of PCA researchers have obtained someapproaches for analyzing end-to-end network traffic in recentyears To solve the problem that PCA performs poorly inpolluted traffic matrix by large volume anomalies Lakhinaet al [8] proposed structural analysis by decomposing thenetwork traffic matrix into deterministic traffic anomalytraffic and the noise traffic matrix They analyzed that thedecomposition problem is equivalent to the relaxed principalcomponent pursuitmethodAdistributed estimationmethodto unveil the anomalies presented inODflows using proximalgradient method was proposed by Mardani et al [5] Acentralized solver and the in-network processing of link-loadmeasurements were analyzed in their work as well WhileNie et al found that the size of OD flows obeys the powerlaws [4] By using this characteristic and restricted isometricproperty in compressed sensing theory they reconstructedall OD flows with the help of partial observed samples frombackbone network traffic data
However all the current researches pay too much atten-tion on the network traffic in flow-level network Thereforewe propose a novel approach based on the latest methodfrom compressed sensing to reveal the abnormal patternsby dealing with the packet-level network data Firstly wepropose to apply the most popular accelerated proximal
Discrete Dynamics in Nature and Society 3
gradient line search method (APGL) [14] to recover the lowrank matrices with network traffic data Moreover to geta more accurate and robust approximation to reconstructtraffic matrix motivated partly by the literature [15] wepropose a traffic matrix decomposition method based on theAPGL algorithm Finally the simulation results and analysisdescribe the effectiveness and robustness of our approachesin network traffic data
3 Overall Approach
31 Principal Component Analysis Method Principal com-ponent analysis (PCA) as a widely used method in highdimensional data analysis can be viewed as a coordinatetransformation process which transforms the redundant datapoints to a low dimensional system As pointed out inliterature [2 9] each row vector 119909
119894of the traffic matrix
119883 isin R119898times119899 is considered as a data point PCA is performedby calculating the principal component vectors of 119883 whichare represented as V
119894 119894 = 1 2 119899 The first principal
component vector enjoys the property of the maximumvariance of the original matrix 119883 Similarly the tth principalcomponent vector V
119905 119905 = 2 3 119898 captures the maximum
variance of the residual traffic matrix as follows
V119905= arg maxV=1
1003817100381710038171003817100381710038171003817100381710038171003817
(119883 minus
119905minus1
sum
119894=1
119883V119894V119894
119879) V1003817100381710038171003817100381710038171003817100381710038171003817
(1)
Corresponding to V119894 we denote another unit vector 119906
119894as
119906119894=
119883V119894
1003817100381710038171003817119883V119894
1003817100381710038171003817
119894 = 1 2 3 119898 (2)
It is noted that vectors 119906119894and V
119894(119894 = 1 2 3 119898) form
the orthogonal basis ofR119899 respectively Therefore the trafficmatrix can be decomposed by the following formula
119883 =
119898
sum
119894=1
1003817100381710038171003817119883V119894
1003817100381710038171003817119906119894V119894
119879 (3)
If we denote 120590119894= 119883V
119894 the traditional PCA method can be
recited by the famous singular value decomposition (SVD)method in the research field ofmatrix computation as follows
119883 =
119898
sum
119894=1
120590119894119906119894V119894
119879 (4)
where V119894can be achieved by calculating the eigenvectors of
the matrix 119883119879119883 while 120590119894= radic120582
119894sdot 120582119894is the corresponding
eigenvalue of the matrix119883119879119883 That is to say
119883119879119883V119894= 120582119894V119894= 120590119894
2V119894 (5)
SVD plays an important role for its revealing interestingand attractive algebraic properties and conveys importantgeometrical and theoretical in-sights about transformationsThe entries of each matrix obtained by the SVD algorithmhave their special physical significances According to therationale of Eckart-Young theorem sum119903
119894=1120590119894119906119894V119894
119879(1 le 119903 le 119898)
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6times10
6
times104
Figure 1 Visualization for original normal traffic with 97278 dataitems
is considered to be the best rank-r approximation of119883 that issum119903
119894=1120590119894119906119894V119894
119879= arg minrank(119884)le119903119883 minus 119884119865 where sdot 119865 denotes
the Frobenius normTo the matrix expression for the PCA it seeks an optimal
estimate of 119860 via the following constrained optimization
min119860119864
119864119865
subject to rank (119860) le 119903
119883 = 119860 + 119864
(6)
where 119860 119864 isin R119898times119899 119903 ≪ min(119898 119899) In fact the optimalestimate of 119860 is the projection of the columns of 119883 onto thesubspace spanned by the 119903 principal left singular vectors of119883[16]
32 Network Anomaly Detection Algorithm Based on APGThough classical PCA method processes the data with thecorruption of small Gaussian noise effectively it alwaysbreaks down under large corruption [16] Therefore torecover a low-rank matrix 119860 from a corrupted data matrix119883 = 119860 + 119864 where some of the matrix 119864may be of arbitrarilylargemagnitudeWright et al [17] proposed amethod termedas Robust PCA (RPCA) which can exactly recover the low-rank matrix in the presence of gross errors Based on theiranalysis for the above optimization problem the Lagrangianreformulation of it is
min119860119864
rank (119860) + 1205821198640
subject to 119883 = 119860 + 119864
(7)
where 120582 is a positive parameter that balances the two termsUnfortunately the above optimization problem is NP-hardin general due to the nonconvexity and discontinuous natureof the rank function Moreover the nuclear norm sdot
lowast(the
sum of singular values of a matrix) is well known as aconvex surrogate of the nonconvex matrix rank functionTherefore in the literature [17] researchers proposed to solve
4 Discrete Dynamics in Nature and Society
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
times104
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
5
10
15
20
25
30
times104
minus5
minus10
(b)
Figure 2 (a) Principal components of original data in PCA (b) Residual matrix visualization in PCA
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
times104
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
1
times104
minus02
minus04
minus06
minus08
minus1
(b)
Figure 3 (a) Normal traffic in NAD-APG method (b) Visualization for abnormal traffic using NAD-APG
the following convex optimization problem by replacing the1198970-norm with 1198971-norm and rank(119860) with 119860
lowast
min119860119864
119860lowast+ 1205821198641
subject to 119883 = 119860 + 119864
(8)
To develop faster and more scalable algorithms associatedwith the robust PCA one popularmethod among state-of-artresearch approaches [16 18ndash21] dubbed accelerated proximalgradient algorithm (APG) is widely exploited to seek anoptimal solution of a soft constrained version of the convexproblem (8) In this paper we adopt the algorithm partially in
the literature [16]Themainmodel is the following unstrainedminimization optimization problem
min119860119864
120583119860lowast+ 1205821205831198641
+
1
2
119883 minus 119860 minus 1198642
119865 (9)
Moreover they summarized the convergence of the algorithmtheoretically as follows
Theorem 1 (see [16]) Suppose that 119865(119860 119864) = 120583119860lowast+
1205821205831198641+ (12)119883 minus 119860 minus 119864
2
119865 For all 119896 gt log(120583
0120583) log(1120578)
any solution 119883lowast of the problem (9) we have 119865(119883) minus 119865(119883lowast) le41198831198960minus 119883lowast2
119865(119896 minus 119896
0+ 1)2
The APG algorithm solves the optimization problem (9)by iteratively updating 119860 119864 and other parameters At last in
Discrete Dynamics in Nature and Society 5
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
times104
minus02
minus04
minus06
minus08
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
times104
minus1
(b)
Figure 4 (a) Gaussian white noise matrix (b) Anomaly-free traffic matrix with Gaussian white noise
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
1
times104
minus02
minus04
minus06
minus08
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
5
10
15
20
25
30
times104
minus5
minus10
(b)
Figure 5 (a) Abnormal traffic using NAD-APG (b) Residual matrix with Gaussian white noise in PCA
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6
7times10
8
times104
Figure 6 Original normal traffic mixed with 500 Probe attack data
the 119896th iteration we update 119860119896+1
and 119864119896+1
as the followingiterative scheme
119860119896+1
= S1205832(119884119860
119896+
119883 minus 119884119860
119896minus 119884119864
119896
2
)
119864119896+1
= S1205832(119884119864
119896+
119883 minus 119884119860
119896minus 119884119864
119896
2
)
where S1205832 (
119909) =
119909 minus
120583
2
if 119909 gt120583
2
119909 +
120583
2
if 119909 lt120583
2
0 otherwise
(10)
6 Discrete Dynamics in Nature and Society
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6
7
minus1
times108
times104
(a)
0 1 2 3 4 5 6 7 8 9 10
0
1000
2000
3000
4000
5000
6000
7000
8000
times104
minus1000
(b)
Figure 7 (a) Principal components of hybrid data in PCA (b) Residual matrix visualization in PCA
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
minus1
times104
(a)
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6
7times10
8
times104
(b)
Figure 8 (a) Normal traffic in NAD-APG method (b) Abnormal patterns shown in NAD-APG
119884119860
119896+1 119884119864119896+1
and 119905119896+1
are updated in the same way as [16] asfollows
119884119860
119896+1= 119860119896+1
+
119905119896minus 1
119905119896+1
(119860119896+1
minus 119860119896)
119884119864
119896+1= 119864119896+1
+
119905119896minus 1
119905119896+1
(119864119896+1
minus 119864119896)
119905119896+1
=
1 + radic1 + 41199052
119896
2
(11)
Here we summarize the main procedure for solving ournetwork anomaly detection problem by APG algorithm
which is called NAD-APG (see Algorithm 1) As pointed outin [19] the algorithm has a convergence rate of 119874(11198962)
4 Experiments and Results
In this section we conduct several experiments on differentattack types to show the effectiveness of our proposedapproach
41TheData Set Currently there are only fewpublic datasetsfor intrusion detection evaluation According to the literaturereview by Tsai et al [22] the majority of the IDS experiments
Discrete Dynamics in Nature and Society 7
0 100 200 300 400 500 6000
1
2
3
4
5
6times10
6
Figure 9 Visualization for 500 normal and 100 R2L network traffic
are performed on the KDD Cup 99 datasets It is the mostcomprehensive dataset that is still widely applied to compareand measure the performance of IDSs Therefore in orderto facilitate fair and rational comparisons with other state-of-the-art detection approaches we select the KDD Cup99 dataset to evaluate the performance of our approachfor detection This dataset was derived from the DARPA1998 datset It contains training data with approximately fivemillion connection records and test data with about twomillion connection records Each record in this dataset isuniquewith 41 features KDDCup 99 dataset includes normaltraffic and our different types of attacks namely ProbeDenial of Service (DOS) User o Root (U2R) and Remote toUser (R2U)More details about these attacks are given by [23]
During our experiments we use 10 KDD Cup 99 fortraining and testing Literature review shows that a significantnumber of state-of-the-art IDSs such as [23 24] wereevaluated using 10 KDD Cup 99 data Therefore trainingand testing our system on the 10KDDCup 99 data can helpto provide a fair comparison with those approaches The 10KDD Cup 99 consists of 494021 TCPIP connection recordssimulated in a military network environment US Air ForceLAN Each record is labeled as either normal or an attack andit has 41 different quantitative and qualitative features Thesefeatures are generally categorized into threemain groupsThefirst group is the basic features (ie attributes 1 to 9) that canbe extracted from a TCPIP connection The second grouprefers to features 10 to 22 that are named as content-basedfeatures presenting the information derived from networkpacket payloads The third group corresponds to the traffic-based features which are carried by the features 23 to 41 ofeach record A complete list of the set of features and thedetailed description is available in [25]
42 Experimental Results To demonstrate our method formanaging the internet network especially detecting theabnormal behaviors from the normal network traffic weconduct PCA and NAD-APG methods for normal trafficmixed with some attacks in our experiments
Firstly we randomly choose some normal traffic datawhich consists of 97278 data items (see Figure 1) In thispaper we consider these data as the normally-free traffic totest the performance of ourmethod After using PCA we can
find that the principal components almost enjoy the wholeproperty of the original normal traffic Here the sum of thevariances of the first ten principal components is near 100of the total variance of the original data Figure 2 shows us thedetails of two matrices after decomposing the original matrixusing PCA where Figure 2(a) shows the visualization formatrix which is composed of top ten principal componentsandFigure 2(b) shows the details of residualmatrixHoweverit is very difficult for us to find any pattern from themMoreover there are still some data characteristics left inresidual matrix after we apply PCA to the original normaldata which confuse the network analysts greatly If we use ourproposed method to the above normal traffic two matriceswith low-rank and sparse properties can be obtained toshow the normal and abnormal traffic respectively Figure 3visualizes the details of the two matrices where Figure 3(a)represents the low-rank matrix with main properties of theoriginal normal traffic In our paper we term this matrix asnormal traffic matrix While Figure 3(b) displays the matrixwith all zero elements which is termed as abnormal trafficmatrixTherefore if we decompose the unique normal trafficinto two matrices we can obtain normal matrix uniquelyTo sum up Figure 3 shows the correctness and effectivenessof our proposed NAD-APG Furthermore if the traffic waspolluted by noise (in this paper we refer the noise to beGaussianwhite noisewith 0mean and 1 variance) NAD-APGcan identify the anomaly-free traffic accurately
Figures 4 and 5 show the robust property of our proposedNAD-APGmethod where (a) is the visualization of Gaussianwhite noise added to the normal traffic and (b) is the recoveryof anomaly-free traffic In fact we obtained the all zeromatrixas well in this decomposition which means the traffic isanomaly-free Figure 5 compares the effectiveness of NAD-APG method with PCA In the visualization of residualmatrix of PCA it is obvious that we cannot find any patternof attacks
To evaluate the effectiveness of our method for detectingattacks in the whole internet we add 500 ldquoProberdquo data itemsto the normal traffic which means that the amount of thetotal data items is 97778 (see Figure 6) As we all know Probeattacks refer to attackers that typically probe the victimrsquosnetwork or host by searching through the network or hostfor open ports before they launch an attack on a given host[26] Therefore there may be a large volume of traffic in ashort time interval Figure 6 displays the details of hybridtraffic Firstly we try to use PCA to detect the Probe attackFigure 7(a) shows us the principal components of the hybridtraffic data which occupy the 99 contribution to the wholedata Though only 1 of energy of the whole data is leftin the residual matrix we find that there are still someintrinsic properties of the original data set which does notshow any valuable pattern for attacks However if we testthe hybrid data using NAD-APG method the sparse trafficmatrix obtained from the algorithm shows the attack patternapparently This enables the network manager to identify theanomalous packets from the normal traffic and can improvethe accuracy of attacks detection Figures 8(a) and 8(b) showthe patterns of normal and abnormal traffic decomposed bythe NAD-APG scheme
8 Discrete Dynamics in Nature and Society
InputNetwork traffic matrix119883 isin R119898times119899 120582 and tolerance 120576Initialize 119860
0larr 0 119864
0larr 0 119905
0larr 1
RepeatStep 1 Update 119860
119896+1 119864119896+1
as 119860119896+1
= S1205832(119884119860
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2)) and 119864
119896+1= S1205832(119884119864
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2))
Step 2 Let 119905119896+1
= (1 + radic1 + 41199052
119896)2
Step 3 Update 119884119860119896+1
and 119884119864119896+1
119884119860119896+1
= 119860119896+1+ ((119905119896minus 1)(119905
119896+1))(119860119896+1minus 119860119896) 119884119864119896+1
= 119864119896+1+ ((119905119896minus 1) (119905
119896+1))(119864119896+1minus 119864119896)
Until 119860119896+1minus 119860119896 le 120576 119864
119896+1minus 119864119896 le 120576 119860 larr 119860
119896+1 119864 larr 119864
119896+1
Analyze normal traffic pattern matrix 119860 abnormal traffic matrix 119864Output Is there any abnormal activity or not in the whole traffic
Algorithm 1 Anomaly detection using APG
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 600
0
100
200
300
400
500
600
700
minus100
(b)
Figure 10 (a) Principal components of NR data in PCA (b) Residual matrix of NR data in PCA
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 11 (a) Normal traffic of NR in NAD-APG method (b) Abnormal patterns of NR in NAD-APG
Discrete Dynamics in Nature and Society 9
0 100 200 300 400 500 600
0
1
2
3
4
5
6
minus1
times106
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 12 (a) Normal traffic of NRN in NAD-APG method (b) Abnormal patterns of NRN in NAD-APG
Table 1 Rank of low-rank matrix in the decomposition of NAD-APG method for attacks detection
Different sampling data Data items Rank (sampling data) Rank (low-rank matrix)Normal traffic 97378 38 10Normal traffic + Probe 97778 38 4500 Normal traffic + 100 R2L traffic 600 36 4Normal traffic + 100 R2L traffic 97478 38 4
To further demonstrate the advantages of our proposedscheme in small sampling data we randomly choose 500normal data items and 100 R2L attacks traffic as our testdata set (here we term this data set as NR) R2L attacksalways reveal the unauthorized local access from a remotemachine Moreover the data values in R2L attacks are alwaysmuch larger than the common data traffic Therefore wecan find that the fluctuation in the scale of the data valuesoccurs fromFigure 9 Figures 10 and 11 represent the details ofthe normal and abnormal traffic matrices obtained from thetwo different decomposition algorithms where the residualmatrix in PCA is still confusing Therefore it is very difficultfor network analysts to find the R2L attacks pattern fromit On the contrary the attack pattern can apparently befound from the sparse matrix as shown in Figure 11(b) Evensometimes the real network traffic data are polluted by thenoise (here we term this data set as NRN) especially theGaussian white noise the NAD-APG method can separatethe normal and R2L attack patterns apparently Figures 12(a)and 12(b) reveal the different patterns hidden in the networktraffic respectively
To sum up the experiments implemented above showthat the low-rank matrix represents the normal traffic andthe sparse matrix can always reveal the patterns of differentattacks when we use our proposed NAD-APG scheme todetect anomalies Table 1 describes the different ranks of thenormal traffic matrix in detecting different attacks There isno doubt that the low-rank matrices in processing different
sampling data have much lower ranks than the original onesHowever the rank of low-rank matrix is ten when we dealwith the pure normal network traffic which may be causedby the pure type of data
5 Conclusion
This paper introduced a new decomposition model forpacket-level network traffic data no matter whether it waspolluted by large-scale anomalies and noise or not We pre-sented the iterative algorithm based on accelerated proximalgradientmethod whichwas termed asNAD-APGMoreoverwe designed a prototype system for network anomaliesdetection such as Probe and R2L attacks and so on Theexperiments have shown that our approach is effective inrevealing the patterns of network traffic data and detectingattacks from a variety of networking patterns In additionthe experiments have demonstrated the robustness of thealgorithm as well when the network traffic is polluted by thelarge volume anomalies and noise
Though it is effective in detecting the attacks fromthe large-volume network traffic it is difficult to classifythe abnormal activities Therefore leveraging some featureselection and classification methods to our approaches toenhance the efficiency of intrusion detection is considered asour near future work On the other hand we will do moreresearches on APG algorithm itself and make our methodmore powerful and practical
10 Discrete Dynamics in Nature and Society
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National NaturalScience Foundation of China (no 11171252 and no 61202379)and theDoctoral Fund ofMinistry of Education of China (no20120032120041)
References
[1] C Fraleigh S Moon B Lyles et al ldquoPacket-level trafficmeasurements from the sprint IP backbonerdquo IEEENetwork vol17 no 6 pp 6ndash16 2003
[2] ZWang K Hu K Xu B Yin and X Dong ldquoStructural analysisof network traffic matrix via relaxed principal componentpursuitrdquoComputer Networks vol 56 no 7 pp 2049ndash2067 2012
[3] W Wang D Lu X Zhou B Zhang and J Mu ldquoStatisticalwavelet-based anomaly detection in big data with compressivesensingrdquo EURASIP Journal on Wireless Communications ampNetworking vol 2013 no 1 article 269 pp 1ndash6 2013
[4] L Nie D Jiang and L Guo ldquoA power laws-based reconstruc-tion approach to end-to-endnetwork trafficrdquo Journal of Networkand Computer Applications vol 36 no 2 pp 898ndash907 2012
[5] M Mardani G Mateos and G B Giannakis ldquoUnveilinganomalies in large-scale networks via sparsity and low rankrdquoin Proceedings of the Conference Record of the 45th AsilomarConference on Signals Systems and Computers (ASILOMAR rsquo11)pp 403ndash407 November 2011
[6] G Vigna and R A Kemmerer ldquoNetSTAT a network-basedintrusion detection approachrdquo in Proceedings of the 14th AnnualComputer Security Applications Conference pp 25ndash34 1998
[7] A Hassanzadeh and B Sadeghian ldquoIntrusion detection withdata correlation relation graphrdquo in Proceedings of the 3rdInternational Conference on Availability Security and Reliability(ARES rsquo08) pp 982ndash989 March 2008
[8] A Lakhina K Papagiannaki M Crovella C Diot E DKolaczyk and N Taft ldquoStructural analysis of network trafficflowsrdquoACMSIGMETRICS Performance Evaluation Review vol32 no 1 pp 61ndash72 2004
[9] A Lakhina M Crovella and C Diot ldquoDiagnosing network-wide traffic anomaliesrdquo ACM SIGCOMM Computer Communi-cation Review vol 34 no 4 pp 219ndash230 2004
[10] L Huang M I Jordan A Joseph M Garofalakis and NTaft ldquoIn-network PCA and anomaly detectionrdquo in Advances inNeural Information Processing Systems pp 617ndash624 2006
[11] Y Zhang Z Ge A Greenberg and M Roughan ldquoNetworkanomographyrdquo in Proceedings of the 5th ACM SIGCOMMConference on Internet Measurement (IMC rsquo05) p 30 2005
[12] A Soule A Lakhina N Taft et al ldquoTraffic matrices balancingmeasurements inference and modelingrdquo ACM SIGMETRICSPerformance Evaluation Review vol 33 no 1 pp 362ndash373 2005
[13] H Ringberg A Soule J Rexford and C Diot ldquoSensitivityof PCA for traffic anomaly detectionrdquo ACM SIGMETRICSPerformance Evaluation Review vol 35 no 1 pp 109ndash120 2007
[14] K-C Toh and S Yun ldquoAn accelerated proximal gradientalgorithm for nuclear norm regularized linear least squares
problemsrdquo Pacific Journal of Optimization vol 6 no 3 pp 615ndash640 2010
[15] H Yao D Zhang J Ye X Li and X He ldquoFast and accuratematrix completion via truncated nuclear norm regularizationrdquoIEEE Transactions on Pattern Analysis andMachine Intelligencevol 35 no 9 pp 2117ndash2130 2013
[16] A Ganesh Z Lin J Wright L Wu M Chen and Y MaldquoFast algorithms for recovering a corrupted low-rank matrixrdquoin Proceedings of the 2009 3rd IEEE International Workshop onComputational Advances in Multi-Sensor Adaptive Processing(CAMSAP rsquo09) pp 213ndash216 December 2009
[17] J Wright A Ganesh S Rao Y Peng and Y Ma ldquoRobustprincipal component analysis exact recovery of corrupted low-rank matrices by convex optimizationrdquo in Proceedings of theNeural Information Processing Systems 2009
[18] R He W S Zheng T Tan and Z Sun ldquoHalf-quadratic basediterative minimization for robust sparse representationrdquo IEEETransactions on Pattern Analysis and Machine Intelligence vol36 no 2 pp 261ndash275 2014
[19] A Beck and M Teboulle ldquoA fast iterative shrinkage-thresholding algorithm for linear inverse problemsrdquo SIAMJournal on Imaging Sciences vol 2 no 1 pp 183ndash202 2009
[20] Y-F Li Y-J Zhang and Z-H Huang ldquoA reweighted nuclearnorm minimization algorithm for low rank matrix recoveryrdquoJournal of Computational andAppliedMathematics vol 263 pp338ndash350 2014
[21] M Zhang Z-H Huang and Y Zhang ldquoRestricted 119901-isometryproperties of nonconvexmatrix recoveryrdquo IEEE Transactions onInformation Theory vol 59 no 7 pp 4316ndash4323 2013
[22] C-F Tsai Y-F Hsu C-Y Lin and W-Y Lin ldquoIntrusiondetection by machine learning a reviewrdquo Expert Systems withApplications vol 36 no 10 pp 11994ndash12000 2009
[23] S Mukkamala A H Sung and A Abraham ldquoIntrusiondetection using an ensemble of intelligent paradigmsrdquo Journalof Network and Computer Applications vol 28 no 2 pp 167ndash182 2005
[24] A Mitrokotsa M Tsagkaris and C Douligeris ldquoIntrusiondetection in mobile Ad Hoc Networks using classificationalgorithmsrdquo IFIP International Federation for Information Pro-cessing vol 265 pp 133ndash144 2008
[25] F Amiri M Rezaei Yousefi C Lucas A Shakery and NYazdani ldquoMutual information-based feature selection for intru-sion detection systemsrdquo Journal of Network and ComputerApplications vol 34 no 4 pp 1184ndash1199 2011
[26] K Labib andV RVemuri ldquoDetecting and visualizing denial-of-service and network probe attacks using principal componentanalysisrdquo in Proceedings of 3rd Conference on Security andNetwork Architectures (SAR rsquo04) La Londe France June 2004
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Discrete Dynamics in Nature and Society 3
gradient line search method (APGL) [14] to recover the lowrank matrices with network traffic data Moreover to geta more accurate and robust approximation to reconstructtraffic matrix motivated partly by the literature [15] wepropose a traffic matrix decomposition method based on theAPGL algorithm Finally the simulation results and analysisdescribe the effectiveness and robustness of our approachesin network traffic data
3 Overall Approach
31 Principal Component Analysis Method Principal com-ponent analysis (PCA) as a widely used method in highdimensional data analysis can be viewed as a coordinatetransformation process which transforms the redundant datapoints to a low dimensional system As pointed out inliterature [2 9] each row vector 119909
119894of the traffic matrix
119883 isin R119898times119899 is considered as a data point PCA is performedby calculating the principal component vectors of 119883 whichare represented as V
119894 119894 = 1 2 119899 The first principal
component vector enjoys the property of the maximumvariance of the original matrix 119883 Similarly the tth principalcomponent vector V
119905 119905 = 2 3 119898 captures the maximum
variance of the residual traffic matrix as follows
V119905= arg maxV=1
1003817100381710038171003817100381710038171003817100381710038171003817
(119883 minus
119905minus1
sum
119894=1
119883V119894V119894
119879) V1003817100381710038171003817100381710038171003817100381710038171003817
(1)
Corresponding to V119894 we denote another unit vector 119906
119894as
119906119894=
119883V119894
1003817100381710038171003817119883V119894
1003817100381710038171003817
119894 = 1 2 3 119898 (2)
It is noted that vectors 119906119894and V
119894(119894 = 1 2 3 119898) form
the orthogonal basis ofR119899 respectively Therefore the trafficmatrix can be decomposed by the following formula
119883 =
119898
sum
119894=1
1003817100381710038171003817119883V119894
1003817100381710038171003817119906119894V119894
119879 (3)
If we denote 120590119894= 119883V
119894 the traditional PCA method can be
recited by the famous singular value decomposition (SVD)method in the research field ofmatrix computation as follows
119883 =
119898
sum
119894=1
120590119894119906119894V119894
119879 (4)
where V119894can be achieved by calculating the eigenvectors of
the matrix 119883119879119883 while 120590119894= radic120582
119894sdot 120582119894is the corresponding
eigenvalue of the matrix119883119879119883 That is to say
119883119879119883V119894= 120582119894V119894= 120590119894
2V119894 (5)
SVD plays an important role for its revealing interestingand attractive algebraic properties and conveys importantgeometrical and theoretical in-sights about transformationsThe entries of each matrix obtained by the SVD algorithmhave their special physical significances According to therationale of Eckart-Young theorem sum119903
119894=1120590119894119906119894V119894
119879(1 le 119903 le 119898)
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6times10
6
times104
Figure 1 Visualization for original normal traffic with 97278 dataitems
is considered to be the best rank-r approximation of119883 that issum119903
119894=1120590119894119906119894V119894
119879= arg minrank(119884)le119903119883 minus 119884119865 where sdot 119865 denotes
the Frobenius normTo the matrix expression for the PCA it seeks an optimal
estimate of 119860 via the following constrained optimization
min119860119864
119864119865
subject to rank (119860) le 119903
119883 = 119860 + 119864
(6)
where 119860 119864 isin R119898times119899 119903 ≪ min(119898 119899) In fact the optimalestimate of 119860 is the projection of the columns of 119883 onto thesubspace spanned by the 119903 principal left singular vectors of119883[16]
32 Network Anomaly Detection Algorithm Based on APGThough classical PCA method processes the data with thecorruption of small Gaussian noise effectively it alwaysbreaks down under large corruption [16] Therefore torecover a low-rank matrix 119860 from a corrupted data matrix119883 = 119860 + 119864 where some of the matrix 119864may be of arbitrarilylargemagnitudeWright et al [17] proposed amethod termedas Robust PCA (RPCA) which can exactly recover the low-rank matrix in the presence of gross errors Based on theiranalysis for the above optimization problem the Lagrangianreformulation of it is
min119860119864
rank (119860) + 1205821198640
subject to 119883 = 119860 + 119864
(7)
where 120582 is a positive parameter that balances the two termsUnfortunately the above optimization problem is NP-hardin general due to the nonconvexity and discontinuous natureof the rank function Moreover the nuclear norm sdot
lowast(the
sum of singular values of a matrix) is well known as aconvex surrogate of the nonconvex matrix rank functionTherefore in the literature [17] researchers proposed to solve
4 Discrete Dynamics in Nature and Society
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
times104
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
5
10
15
20
25
30
times104
minus5
minus10
(b)
Figure 2 (a) Principal components of original data in PCA (b) Residual matrix visualization in PCA
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
times104
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
1
times104
minus02
minus04
minus06
minus08
minus1
(b)
Figure 3 (a) Normal traffic in NAD-APG method (b) Visualization for abnormal traffic using NAD-APG
the following convex optimization problem by replacing the1198970-norm with 1198971-norm and rank(119860) with 119860
lowast
min119860119864
119860lowast+ 1205821198641
subject to 119883 = 119860 + 119864
(8)
To develop faster and more scalable algorithms associatedwith the robust PCA one popularmethod among state-of-artresearch approaches [16 18ndash21] dubbed accelerated proximalgradient algorithm (APG) is widely exploited to seek anoptimal solution of a soft constrained version of the convexproblem (8) In this paper we adopt the algorithm partially in
the literature [16]Themainmodel is the following unstrainedminimization optimization problem
min119860119864
120583119860lowast+ 1205821205831198641
+
1
2
119883 minus 119860 minus 1198642
119865 (9)
Moreover they summarized the convergence of the algorithmtheoretically as follows
Theorem 1 (see [16]) Suppose that 119865(119860 119864) = 120583119860lowast+
1205821205831198641+ (12)119883 minus 119860 minus 119864
2
119865 For all 119896 gt log(120583
0120583) log(1120578)
any solution 119883lowast of the problem (9) we have 119865(119883) minus 119865(119883lowast) le41198831198960minus 119883lowast2
119865(119896 minus 119896
0+ 1)2
The APG algorithm solves the optimization problem (9)by iteratively updating 119860 119864 and other parameters At last in
Discrete Dynamics in Nature and Society 5
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
times104
minus02
minus04
minus06
minus08
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
times104
minus1
(b)
Figure 4 (a) Gaussian white noise matrix (b) Anomaly-free traffic matrix with Gaussian white noise
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
1
times104
minus02
minus04
minus06
minus08
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
5
10
15
20
25
30
times104
minus5
minus10
(b)
Figure 5 (a) Abnormal traffic using NAD-APG (b) Residual matrix with Gaussian white noise in PCA
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6
7times10
8
times104
Figure 6 Original normal traffic mixed with 500 Probe attack data
the 119896th iteration we update 119860119896+1
and 119864119896+1
as the followingiterative scheme
119860119896+1
= S1205832(119884119860
119896+
119883 minus 119884119860
119896minus 119884119864
119896
2
)
119864119896+1
= S1205832(119884119864
119896+
119883 minus 119884119860
119896minus 119884119864
119896
2
)
where S1205832 (
119909) =
119909 minus
120583
2
if 119909 gt120583
2
119909 +
120583
2
if 119909 lt120583
2
0 otherwise
(10)
6 Discrete Dynamics in Nature and Society
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6
7
minus1
times108
times104
(a)
0 1 2 3 4 5 6 7 8 9 10
0
1000
2000
3000
4000
5000
6000
7000
8000
times104
minus1000
(b)
Figure 7 (a) Principal components of hybrid data in PCA (b) Residual matrix visualization in PCA
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
minus1
times104
(a)
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6
7times10
8
times104
(b)
Figure 8 (a) Normal traffic in NAD-APG method (b) Abnormal patterns shown in NAD-APG
119884119860
119896+1 119884119864119896+1
and 119905119896+1
are updated in the same way as [16] asfollows
119884119860
119896+1= 119860119896+1
+
119905119896minus 1
119905119896+1
(119860119896+1
minus 119860119896)
119884119864
119896+1= 119864119896+1
+
119905119896minus 1
119905119896+1
(119864119896+1
minus 119864119896)
119905119896+1
=
1 + radic1 + 41199052
119896
2
(11)
Here we summarize the main procedure for solving ournetwork anomaly detection problem by APG algorithm
which is called NAD-APG (see Algorithm 1) As pointed outin [19] the algorithm has a convergence rate of 119874(11198962)
4 Experiments and Results
In this section we conduct several experiments on differentattack types to show the effectiveness of our proposedapproach
41TheData Set Currently there are only fewpublic datasetsfor intrusion detection evaluation According to the literaturereview by Tsai et al [22] the majority of the IDS experiments
Discrete Dynamics in Nature and Society 7
0 100 200 300 400 500 6000
1
2
3
4
5
6times10
6
Figure 9 Visualization for 500 normal and 100 R2L network traffic
are performed on the KDD Cup 99 datasets It is the mostcomprehensive dataset that is still widely applied to compareand measure the performance of IDSs Therefore in orderto facilitate fair and rational comparisons with other state-of-the-art detection approaches we select the KDD Cup99 dataset to evaluate the performance of our approachfor detection This dataset was derived from the DARPA1998 datset It contains training data with approximately fivemillion connection records and test data with about twomillion connection records Each record in this dataset isuniquewith 41 features KDDCup 99 dataset includes normaltraffic and our different types of attacks namely ProbeDenial of Service (DOS) User o Root (U2R) and Remote toUser (R2U)More details about these attacks are given by [23]
During our experiments we use 10 KDD Cup 99 fortraining and testing Literature review shows that a significantnumber of state-of-the-art IDSs such as [23 24] wereevaluated using 10 KDD Cup 99 data Therefore trainingand testing our system on the 10KDDCup 99 data can helpto provide a fair comparison with those approaches The 10KDD Cup 99 consists of 494021 TCPIP connection recordssimulated in a military network environment US Air ForceLAN Each record is labeled as either normal or an attack andit has 41 different quantitative and qualitative features Thesefeatures are generally categorized into threemain groupsThefirst group is the basic features (ie attributes 1 to 9) that canbe extracted from a TCPIP connection The second grouprefers to features 10 to 22 that are named as content-basedfeatures presenting the information derived from networkpacket payloads The third group corresponds to the traffic-based features which are carried by the features 23 to 41 ofeach record A complete list of the set of features and thedetailed description is available in [25]
42 Experimental Results To demonstrate our method formanaging the internet network especially detecting theabnormal behaviors from the normal network traffic weconduct PCA and NAD-APG methods for normal trafficmixed with some attacks in our experiments
Firstly we randomly choose some normal traffic datawhich consists of 97278 data items (see Figure 1) In thispaper we consider these data as the normally-free traffic totest the performance of ourmethod After using PCA we can
find that the principal components almost enjoy the wholeproperty of the original normal traffic Here the sum of thevariances of the first ten principal components is near 100of the total variance of the original data Figure 2 shows us thedetails of two matrices after decomposing the original matrixusing PCA where Figure 2(a) shows the visualization formatrix which is composed of top ten principal componentsandFigure 2(b) shows the details of residualmatrixHoweverit is very difficult for us to find any pattern from themMoreover there are still some data characteristics left inresidual matrix after we apply PCA to the original normaldata which confuse the network analysts greatly If we use ourproposed method to the above normal traffic two matriceswith low-rank and sparse properties can be obtained toshow the normal and abnormal traffic respectively Figure 3visualizes the details of the two matrices where Figure 3(a)represents the low-rank matrix with main properties of theoriginal normal traffic In our paper we term this matrix asnormal traffic matrix While Figure 3(b) displays the matrixwith all zero elements which is termed as abnormal trafficmatrixTherefore if we decompose the unique normal trafficinto two matrices we can obtain normal matrix uniquelyTo sum up Figure 3 shows the correctness and effectivenessof our proposed NAD-APG Furthermore if the traffic waspolluted by noise (in this paper we refer the noise to beGaussianwhite noisewith 0mean and 1 variance) NAD-APGcan identify the anomaly-free traffic accurately
Figures 4 and 5 show the robust property of our proposedNAD-APGmethod where (a) is the visualization of Gaussianwhite noise added to the normal traffic and (b) is the recoveryof anomaly-free traffic In fact we obtained the all zeromatrixas well in this decomposition which means the traffic isanomaly-free Figure 5 compares the effectiveness of NAD-APG method with PCA In the visualization of residualmatrix of PCA it is obvious that we cannot find any patternof attacks
To evaluate the effectiveness of our method for detectingattacks in the whole internet we add 500 ldquoProberdquo data itemsto the normal traffic which means that the amount of thetotal data items is 97778 (see Figure 6) As we all know Probeattacks refer to attackers that typically probe the victimrsquosnetwork or host by searching through the network or hostfor open ports before they launch an attack on a given host[26] Therefore there may be a large volume of traffic in ashort time interval Figure 6 displays the details of hybridtraffic Firstly we try to use PCA to detect the Probe attackFigure 7(a) shows us the principal components of the hybridtraffic data which occupy the 99 contribution to the wholedata Though only 1 of energy of the whole data is leftin the residual matrix we find that there are still someintrinsic properties of the original data set which does notshow any valuable pattern for attacks However if we testthe hybrid data using NAD-APG method the sparse trafficmatrix obtained from the algorithm shows the attack patternapparently This enables the network manager to identify theanomalous packets from the normal traffic and can improvethe accuracy of attacks detection Figures 8(a) and 8(b) showthe patterns of normal and abnormal traffic decomposed bythe NAD-APG scheme
8 Discrete Dynamics in Nature and Society
InputNetwork traffic matrix119883 isin R119898times119899 120582 and tolerance 120576Initialize 119860
0larr 0 119864
0larr 0 119905
0larr 1
RepeatStep 1 Update 119860
119896+1 119864119896+1
as 119860119896+1
= S1205832(119884119860
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2)) and 119864
119896+1= S1205832(119884119864
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2))
Step 2 Let 119905119896+1
= (1 + radic1 + 41199052
119896)2
Step 3 Update 119884119860119896+1
and 119884119864119896+1
119884119860119896+1
= 119860119896+1+ ((119905119896minus 1)(119905
119896+1))(119860119896+1minus 119860119896) 119884119864119896+1
= 119864119896+1+ ((119905119896minus 1) (119905
119896+1))(119864119896+1minus 119864119896)
Until 119860119896+1minus 119860119896 le 120576 119864
119896+1minus 119864119896 le 120576 119860 larr 119860
119896+1 119864 larr 119864
119896+1
Analyze normal traffic pattern matrix 119860 abnormal traffic matrix 119864Output Is there any abnormal activity or not in the whole traffic
Algorithm 1 Anomaly detection using APG
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 600
0
100
200
300
400
500
600
700
minus100
(b)
Figure 10 (a) Principal components of NR data in PCA (b) Residual matrix of NR data in PCA
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 11 (a) Normal traffic of NR in NAD-APG method (b) Abnormal patterns of NR in NAD-APG
Discrete Dynamics in Nature and Society 9
0 100 200 300 400 500 600
0
1
2
3
4
5
6
minus1
times106
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 12 (a) Normal traffic of NRN in NAD-APG method (b) Abnormal patterns of NRN in NAD-APG
Table 1 Rank of low-rank matrix in the decomposition of NAD-APG method for attacks detection
Different sampling data Data items Rank (sampling data) Rank (low-rank matrix)Normal traffic 97378 38 10Normal traffic + Probe 97778 38 4500 Normal traffic + 100 R2L traffic 600 36 4Normal traffic + 100 R2L traffic 97478 38 4
To further demonstrate the advantages of our proposedscheme in small sampling data we randomly choose 500normal data items and 100 R2L attacks traffic as our testdata set (here we term this data set as NR) R2L attacksalways reveal the unauthorized local access from a remotemachine Moreover the data values in R2L attacks are alwaysmuch larger than the common data traffic Therefore wecan find that the fluctuation in the scale of the data valuesoccurs fromFigure 9 Figures 10 and 11 represent the details ofthe normal and abnormal traffic matrices obtained from thetwo different decomposition algorithms where the residualmatrix in PCA is still confusing Therefore it is very difficultfor network analysts to find the R2L attacks pattern fromit On the contrary the attack pattern can apparently befound from the sparse matrix as shown in Figure 11(b) Evensometimes the real network traffic data are polluted by thenoise (here we term this data set as NRN) especially theGaussian white noise the NAD-APG method can separatethe normal and R2L attack patterns apparently Figures 12(a)and 12(b) reveal the different patterns hidden in the networktraffic respectively
To sum up the experiments implemented above showthat the low-rank matrix represents the normal traffic andthe sparse matrix can always reveal the patterns of differentattacks when we use our proposed NAD-APG scheme todetect anomalies Table 1 describes the different ranks of thenormal traffic matrix in detecting different attacks There isno doubt that the low-rank matrices in processing different
sampling data have much lower ranks than the original onesHowever the rank of low-rank matrix is ten when we dealwith the pure normal network traffic which may be causedby the pure type of data
5 Conclusion
This paper introduced a new decomposition model forpacket-level network traffic data no matter whether it waspolluted by large-scale anomalies and noise or not We pre-sented the iterative algorithm based on accelerated proximalgradientmethod whichwas termed asNAD-APGMoreoverwe designed a prototype system for network anomaliesdetection such as Probe and R2L attacks and so on Theexperiments have shown that our approach is effective inrevealing the patterns of network traffic data and detectingattacks from a variety of networking patterns In additionthe experiments have demonstrated the robustness of thealgorithm as well when the network traffic is polluted by thelarge volume anomalies and noise
Though it is effective in detecting the attacks fromthe large-volume network traffic it is difficult to classifythe abnormal activities Therefore leveraging some featureselection and classification methods to our approaches toenhance the efficiency of intrusion detection is considered asour near future work On the other hand we will do moreresearches on APG algorithm itself and make our methodmore powerful and practical
10 Discrete Dynamics in Nature and Society
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National NaturalScience Foundation of China (no 11171252 and no 61202379)and theDoctoral Fund ofMinistry of Education of China (no20120032120041)
References
[1] C Fraleigh S Moon B Lyles et al ldquoPacket-level trafficmeasurements from the sprint IP backbonerdquo IEEENetwork vol17 no 6 pp 6ndash16 2003
[2] ZWang K Hu K Xu B Yin and X Dong ldquoStructural analysisof network traffic matrix via relaxed principal componentpursuitrdquoComputer Networks vol 56 no 7 pp 2049ndash2067 2012
[3] W Wang D Lu X Zhou B Zhang and J Mu ldquoStatisticalwavelet-based anomaly detection in big data with compressivesensingrdquo EURASIP Journal on Wireless Communications ampNetworking vol 2013 no 1 article 269 pp 1ndash6 2013
[4] L Nie D Jiang and L Guo ldquoA power laws-based reconstruc-tion approach to end-to-endnetwork trafficrdquo Journal of Networkand Computer Applications vol 36 no 2 pp 898ndash907 2012
[5] M Mardani G Mateos and G B Giannakis ldquoUnveilinganomalies in large-scale networks via sparsity and low rankrdquoin Proceedings of the Conference Record of the 45th AsilomarConference on Signals Systems and Computers (ASILOMAR rsquo11)pp 403ndash407 November 2011
[6] G Vigna and R A Kemmerer ldquoNetSTAT a network-basedintrusion detection approachrdquo in Proceedings of the 14th AnnualComputer Security Applications Conference pp 25ndash34 1998
[7] A Hassanzadeh and B Sadeghian ldquoIntrusion detection withdata correlation relation graphrdquo in Proceedings of the 3rdInternational Conference on Availability Security and Reliability(ARES rsquo08) pp 982ndash989 March 2008
[8] A Lakhina K Papagiannaki M Crovella C Diot E DKolaczyk and N Taft ldquoStructural analysis of network trafficflowsrdquoACMSIGMETRICS Performance Evaluation Review vol32 no 1 pp 61ndash72 2004
[9] A Lakhina M Crovella and C Diot ldquoDiagnosing network-wide traffic anomaliesrdquo ACM SIGCOMM Computer Communi-cation Review vol 34 no 4 pp 219ndash230 2004
[10] L Huang M I Jordan A Joseph M Garofalakis and NTaft ldquoIn-network PCA and anomaly detectionrdquo in Advances inNeural Information Processing Systems pp 617ndash624 2006
[11] Y Zhang Z Ge A Greenberg and M Roughan ldquoNetworkanomographyrdquo in Proceedings of the 5th ACM SIGCOMMConference on Internet Measurement (IMC rsquo05) p 30 2005
[12] A Soule A Lakhina N Taft et al ldquoTraffic matrices balancingmeasurements inference and modelingrdquo ACM SIGMETRICSPerformance Evaluation Review vol 33 no 1 pp 362ndash373 2005
[13] H Ringberg A Soule J Rexford and C Diot ldquoSensitivityof PCA for traffic anomaly detectionrdquo ACM SIGMETRICSPerformance Evaluation Review vol 35 no 1 pp 109ndash120 2007
[14] K-C Toh and S Yun ldquoAn accelerated proximal gradientalgorithm for nuclear norm regularized linear least squares
problemsrdquo Pacific Journal of Optimization vol 6 no 3 pp 615ndash640 2010
[15] H Yao D Zhang J Ye X Li and X He ldquoFast and accuratematrix completion via truncated nuclear norm regularizationrdquoIEEE Transactions on Pattern Analysis andMachine Intelligencevol 35 no 9 pp 2117ndash2130 2013
[16] A Ganesh Z Lin J Wright L Wu M Chen and Y MaldquoFast algorithms for recovering a corrupted low-rank matrixrdquoin Proceedings of the 2009 3rd IEEE International Workshop onComputational Advances in Multi-Sensor Adaptive Processing(CAMSAP rsquo09) pp 213ndash216 December 2009
[17] J Wright A Ganesh S Rao Y Peng and Y Ma ldquoRobustprincipal component analysis exact recovery of corrupted low-rank matrices by convex optimizationrdquo in Proceedings of theNeural Information Processing Systems 2009
[18] R He W S Zheng T Tan and Z Sun ldquoHalf-quadratic basediterative minimization for robust sparse representationrdquo IEEETransactions on Pattern Analysis and Machine Intelligence vol36 no 2 pp 261ndash275 2014
[19] A Beck and M Teboulle ldquoA fast iterative shrinkage-thresholding algorithm for linear inverse problemsrdquo SIAMJournal on Imaging Sciences vol 2 no 1 pp 183ndash202 2009
[20] Y-F Li Y-J Zhang and Z-H Huang ldquoA reweighted nuclearnorm minimization algorithm for low rank matrix recoveryrdquoJournal of Computational andAppliedMathematics vol 263 pp338ndash350 2014
[21] M Zhang Z-H Huang and Y Zhang ldquoRestricted 119901-isometryproperties of nonconvexmatrix recoveryrdquo IEEE Transactions onInformation Theory vol 59 no 7 pp 4316ndash4323 2013
[22] C-F Tsai Y-F Hsu C-Y Lin and W-Y Lin ldquoIntrusiondetection by machine learning a reviewrdquo Expert Systems withApplications vol 36 no 10 pp 11994ndash12000 2009
[23] S Mukkamala A H Sung and A Abraham ldquoIntrusiondetection using an ensemble of intelligent paradigmsrdquo Journalof Network and Computer Applications vol 28 no 2 pp 167ndash182 2005
[24] A Mitrokotsa M Tsagkaris and C Douligeris ldquoIntrusiondetection in mobile Ad Hoc Networks using classificationalgorithmsrdquo IFIP International Federation for Information Pro-cessing vol 265 pp 133ndash144 2008
[25] F Amiri M Rezaei Yousefi C Lucas A Shakery and NYazdani ldquoMutual information-based feature selection for intru-sion detection systemsrdquo Journal of Network and ComputerApplications vol 34 no 4 pp 1184ndash1199 2011
[26] K Labib andV RVemuri ldquoDetecting and visualizing denial-of-service and network probe attacks using principal componentanalysisrdquo in Proceedings of 3rd Conference on Security andNetwork Architectures (SAR rsquo04) La Londe France June 2004
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
4 Discrete Dynamics in Nature and Society
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
times104
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
5
10
15
20
25
30
times104
minus5
minus10
(b)
Figure 2 (a) Principal components of original data in PCA (b) Residual matrix visualization in PCA
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
times104
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
1
times104
minus02
minus04
minus06
minus08
minus1
(b)
Figure 3 (a) Normal traffic in NAD-APG method (b) Visualization for abnormal traffic using NAD-APG
the following convex optimization problem by replacing the1198970-norm with 1198971-norm and rank(119860) with 119860
lowast
min119860119864
119860lowast+ 1205821198641
subject to 119883 = 119860 + 119864
(8)
To develop faster and more scalable algorithms associatedwith the robust PCA one popularmethod among state-of-artresearch approaches [16 18ndash21] dubbed accelerated proximalgradient algorithm (APG) is widely exploited to seek anoptimal solution of a soft constrained version of the convexproblem (8) In this paper we adopt the algorithm partially in
the literature [16]Themainmodel is the following unstrainedminimization optimization problem
min119860119864
120583119860lowast+ 1205821205831198641
+
1
2
119883 minus 119860 minus 1198642
119865 (9)
Moreover they summarized the convergence of the algorithmtheoretically as follows
Theorem 1 (see [16]) Suppose that 119865(119860 119864) = 120583119860lowast+
1205821205831198641+ (12)119883 minus 119860 minus 119864
2
119865 For all 119896 gt log(120583
0120583) log(1120578)
any solution 119883lowast of the problem (9) we have 119865(119883) minus 119865(119883lowast) le41198831198960minus 119883lowast2
119865(119896 minus 119896
0+ 1)2
The APG algorithm solves the optimization problem (9)by iteratively updating 119860 119864 and other parameters At last in
Discrete Dynamics in Nature and Society 5
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
times104
minus02
minus04
minus06
minus08
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
times104
minus1
(b)
Figure 4 (a) Gaussian white noise matrix (b) Anomaly-free traffic matrix with Gaussian white noise
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
1
times104
minus02
minus04
minus06
minus08
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
5
10
15
20
25
30
times104
minus5
minus10
(b)
Figure 5 (a) Abnormal traffic using NAD-APG (b) Residual matrix with Gaussian white noise in PCA
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6
7times10
8
times104
Figure 6 Original normal traffic mixed with 500 Probe attack data
the 119896th iteration we update 119860119896+1
and 119864119896+1
as the followingiterative scheme
119860119896+1
= S1205832(119884119860
119896+
119883 minus 119884119860
119896minus 119884119864
119896
2
)
119864119896+1
= S1205832(119884119864
119896+
119883 minus 119884119860
119896minus 119884119864
119896
2
)
where S1205832 (
119909) =
119909 minus
120583
2
if 119909 gt120583
2
119909 +
120583
2
if 119909 lt120583
2
0 otherwise
(10)
6 Discrete Dynamics in Nature and Society
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6
7
minus1
times108
times104
(a)
0 1 2 3 4 5 6 7 8 9 10
0
1000
2000
3000
4000
5000
6000
7000
8000
times104
minus1000
(b)
Figure 7 (a) Principal components of hybrid data in PCA (b) Residual matrix visualization in PCA
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
minus1
times104
(a)
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6
7times10
8
times104
(b)
Figure 8 (a) Normal traffic in NAD-APG method (b) Abnormal patterns shown in NAD-APG
119884119860
119896+1 119884119864119896+1
and 119905119896+1
are updated in the same way as [16] asfollows
119884119860
119896+1= 119860119896+1
+
119905119896minus 1
119905119896+1
(119860119896+1
minus 119860119896)
119884119864
119896+1= 119864119896+1
+
119905119896minus 1
119905119896+1
(119864119896+1
minus 119864119896)
119905119896+1
=
1 + radic1 + 41199052
119896
2
(11)
Here we summarize the main procedure for solving ournetwork anomaly detection problem by APG algorithm
which is called NAD-APG (see Algorithm 1) As pointed outin [19] the algorithm has a convergence rate of 119874(11198962)
4 Experiments and Results
In this section we conduct several experiments on differentattack types to show the effectiveness of our proposedapproach
41TheData Set Currently there are only fewpublic datasetsfor intrusion detection evaluation According to the literaturereview by Tsai et al [22] the majority of the IDS experiments
Discrete Dynamics in Nature and Society 7
0 100 200 300 400 500 6000
1
2
3
4
5
6times10
6
Figure 9 Visualization for 500 normal and 100 R2L network traffic
are performed on the KDD Cup 99 datasets It is the mostcomprehensive dataset that is still widely applied to compareand measure the performance of IDSs Therefore in orderto facilitate fair and rational comparisons with other state-of-the-art detection approaches we select the KDD Cup99 dataset to evaluate the performance of our approachfor detection This dataset was derived from the DARPA1998 datset It contains training data with approximately fivemillion connection records and test data with about twomillion connection records Each record in this dataset isuniquewith 41 features KDDCup 99 dataset includes normaltraffic and our different types of attacks namely ProbeDenial of Service (DOS) User o Root (U2R) and Remote toUser (R2U)More details about these attacks are given by [23]
During our experiments we use 10 KDD Cup 99 fortraining and testing Literature review shows that a significantnumber of state-of-the-art IDSs such as [23 24] wereevaluated using 10 KDD Cup 99 data Therefore trainingand testing our system on the 10KDDCup 99 data can helpto provide a fair comparison with those approaches The 10KDD Cup 99 consists of 494021 TCPIP connection recordssimulated in a military network environment US Air ForceLAN Each record is labeled as either normal or an attack andit has 41 different quantitative and qualitative features Thesefeatures are generally categorized into threemain groupsThefirst group is the basic features (ie attributes 1 to 9) that canbe extracted from a TCPIP connection The second grouprefers to features 10 to 22 that are named as content-basedfeatures presenting the information derived from networkpacket payloads The third group corresponds to the traffic-based features which are carried by the features 23 to 41 ofeach record A complete list of the set of features and thedetailed description is available in [25]
42 Experimental Results To demonstrate our method formanaging the internet network especially detecting theabnormal behaviors from the normal network traffic weconduct PCA and NAD-APG methods for normal trafficmixed with some attacks in our experiments
Firstly we randomly choose some normal traffic datawhich consists of 97278 data items (see Figure 1) In thispaper we consider these data as the normally-free traffic totest the performance of ourmethod After using PCA we can
find that the principal components almost enjoy the wholeproperty of the original normal traffic Here the sum of thevariances of the first ten principal components is near 100of the total variance of the original data Figure 2 shows us thedetails of two matrices after decomposing the original matrixusing PCA where Figure 2(a) shows the visualization formatrix which is composed of top ten principal componentsandFigure 2(b) shows the details of residualmatrixHoweverit is very difficult for us to find any pattern from themMoreover there are still some data characteristics left inresidual matrix after we apply PCA to the original normaldata which confuse the network analysts greatly If we use ourproposed method to the above normal traffic two matriceswith low-rank and sparse properties can be obtained toshow the normal and abnormal traffic respectively Figure 3visualizes the details of the two matrices where Figure 3(a)represents the low-rank matrix with main properties of theoriginal normal traffic In our paper we term this matrix asnormal traffic matrix While Figure 3(b) displays the matrixwith all zero elements which is termed as abnormal trafficmatrixTherefore if we decompose the unique normal trafficinto two matrices we can obtain normal matrix uniquelyTo sum up Figure 3 shows the correctness and effectivenessof our proposed NAD-APG Furthermore if the traffic waspolluted by noise (in this paper we refer the noise to beGaussianwhite noisewith 0mean and 1 variance) NAD-APGcan identify the anomaly-free traffic accurately
Figures 4 and 5 show the robust property of our proposedNAD-APGmethod where (a) is the visualization of Gaussianwhite noise added to the normal traffic and (b) is the recoveryof anomaly-free traffic In fact we obtained the all zeromatrixas well in this decomposition which means the traffic isanomaly-free Figure 5 compares the effectiveness of NAD-APG method with PCA In the visualization of residualmatrix of PCA it is obvious that we cannot find any patternof attacks
To evaluate the effectiveness of our method for detectingattacks in the whole internet we add 500 ldquoProberdquo data itemsto the normal traffic which means that the amount of thetotal data items is 97778 (see Figure 6) As we all know Probeattacks refer to attackers that typically probe the victimrsquosnetwork or host by searching through the network or hostfor open ports before they launch an attack on a given host[26] Therefore there may be a large volume of traffic in ashort time interval Figure 6 displays the details of hybridtraffic Firstly we try to use PCA to detect the Probe attackFigure 7(a) shows us the principal components of the hybridtraffic data which occupy the 99 contribution to the wholedata Though only 1 of energy of the whole data is leftin the residual matrix we find that there are still someintrinsic properties of the original data set which does notshow any valuable pattern for attacks However if we testthe hybrid data using NAD-APG method the sparse trafficmatrix obtained from the algorithm shows the attack patternapparently This enables the network manager to identify theanomalous packets from the normal traffic and can improvethe accuracy of attacks detection Figures 8(a) and 8(b) showthe patterns of normal and abnormal traffic decomposed bythe NAD-APG scheme
8 Discrete Dynamics in Nature and Society
InputNetwork traffic matrix119883 isin R119898times119899 120582 and tolerance 120576Initialize 119860
0larr 0 119864
0larr 0 119905
0larr 1
RepeatStep 1 Update 119860
119896+1 119864119896+1
as 119860119896+1
= S1205832(119884119860
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2)) and 119864
119896+1= S1205832(119884119864
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2))
Step 2 Let 119905119896+1
= (1 + radic1 + 41199052
119896)2
Step 3 Update 119884119860119896+1
and 119884119864119896+1
119884119860119896+1
= 119860119896+1+ ((119905119896minus 1)(119905
119896+1))(119860119896+1minus 119860119896) 119884119864119896+1
= 119864119896+1+ ((119905119896minus 1) (119905
119896+1))(119864119896+1minus 119864119896)
Until 119860119896+1minus 119860119896 le 120576 119864
119896+1minus 119864119896 le 120576 119860 larr 119860
119896+1 119864 larr 119864
119896+1
Analyze normal traffic pattern matrix 119860 abnormal traffic matrix 119864Output Is there any abnormal activity or not in the whole traffic
Algorithm 1 Anomaly detection using APG
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 600
0
100
200
300
400
500
600
700
minus100
(b)
Figure 10 (a) Principal components of NR data in PCA (b) Residual matrix of NR data in PCA
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 11 (a) Normal traffic of NR in NAD-APG method (b) Abnormal patterns of NR in NAD-APG
Discrete Dynamics in Nature and Society 9
0 100 200 300 400 500 600
0
1
2
3
4
5
6
minus1
times106
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 12 (a) Normal traffic of NRN in NAD-APG method (b) Abnormal patterns of NRN in NAD-APG
Table 1 Rank of low-rank matrix in the decomposition of NAD-APG method for attacks detection
Different sampling data Data items Rank (sampling data) Rank (low-rank matrix)Normal traffic 97378 38 10Normal traffic + Probe 97778 38 4500 Normal traffic + 100 R2L traffic 600 36 4Normal traffic + 100 R2L traffic 97478 38 4
To further demonstrate the advantages of our proposedscheme in small sampling data we randomly choose 500normal data items and 100 R2L attacks traffic as our testdata set (here we term this data set as NR) R2L attacksalways reveal the unauthorized local access from a remotemachine Moreover the data values in R2L attacks are alwaysmuch larger than the common data traffic Therefore wecan find that the fluctuation in the scale of the data valuesoccurs fromFigure 9 Figures 10 and 11 represent the details ofthe normal and abnormal traffic matrices obtained from thetwo different decomposition algorithms where the residualmatrix in PCA is still confusing Therefore it is very difficultfor network analysts to find the R2L attacks pattern fromit On the contrary the attack pattern can apparently befound from the sparse matrix as shown in Figure 11(b) Evensometimes the real network traffic data are polluted by thenoise (here we term this data set as NRN) especially theGaussian white noise the NAD-APG method can separatethe normal and R2L attack patterns apparently Figures 12(a)and 12(b) reveal the different patterns hidden in the networktraffic respectively
To sum up the experiments implemented above showthat the low-rank matrix represents the normal traffic andthe sparse matrix can always reveal the patterns of differentattacks when we use our proposed NAD-APG scheme todetect anomalies Table 1 describes the different ranks of thenormal traffic matrix in detecting different attacks There isno doubt that the low-rank matrices in processing different
sampling data have much lower ranks than the original onesHowever the rank of low-rank matrix is ten when we dealwith the pure normal network traffic which may be causedby the pure type of data
5 Conclusion
This paper introduced a new decomposition model forpacket-level network traffic data no matter whether it waspolluted by large-scale anomalies and noise or not We pre-sented the iterative algorithm based on accelerated proximalgradientmethod whichwas termed asNAD-APGMoreoverwe designed a prototype system for network anomaliesdetection such as Probe and R2L attacks and so on Theexperiments have shown that our approach is effective inrevealing the patterns of network traffic data and detectingattacks from a variety of networking patterns In additionthe experiments have demonstrated the robustness of thealgorithm as well when the network traffic is polluted by thelarge volume anomalies and noise
Though it is effective in detecting the attacks fromthe large-volume network traffic it is difficult to classifythe abnormal activities Therefore leveraging some featureselection and classification methods to our approaches toenhance the efficiency of intrusion detection is considered asour near future work On the other hand we will do moreresearches on APG algorithm itself and make our methodmore powerful and practical
10 Discrete Dynamics in Nature and Society
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National NaturalScience Foundation of China (no 11171252 and no 61202379)and theDoctoral Fund ofMinistry of Education of China (no20120032120041)
References
[1] C Fraleigh S Moon B Lyles et al ldquoPacket-level trafficmeasurements from the sprint IP backbonerdquo IEEENetwork vol17 no 6 pp 6ndash16 2003
[2] ZWang K Hu K Xu B Yin and X Dong ldquoStructural analysisof network traffic matrix via relaxed principal componentpursuitrdquoComputer Networks vol 56 no 7 pp 2049ndash2067 2012
[3] W Wang D Lu X Zhou B Zhang and J Mu ldquoStatisticalwavelet-based anomaly detection in big data with compressivesensingrdquo EURASIP Journal on Wireless Communications ampNetworking vol 2013 no 1 article 269 pp 1ndash6 2013
[4] L Nie D Jiang and L Guo ldquoA power laws-based reconstruc-tion approach to end-to-endnetwork trafficrdquo Journal of Networkand Computer Applications vol 36 no 2 pp 898ndash907 2012
[5] M Mardani G Mateos and G B Giannakis ldquoUnveilinganomalies in large-scale networks via sparsity and low rankrdquoin Proceedings of the Conference Record of the 45th AsilomarConference on Signals Systems and Computers (ASILOMAR rsquo11)pp 403ndash407 November 2011
[6] G Vigna and R A Kemmerer ldquoNetSTAT a network-basedintrusion detection approachrdquo in Proceedings of the 14th AnnualComputer Security Applications Conference pp 25ndash34 1998
[7] A Hassanzadeh and B Sadeghian ldquoIntrusion detection withdata correlation relation graphrdquo in Proceedings of the 3rdInternational Conference on Availability Security and Reliability(ARES rsquo08) pp 982ndash989 March 2008
[8] A Lakhina K Papagiannaki M Crovella C Diot E DKolaczyk and N Taft ldquoStructural analysis of network trafficflowsrdquoACMSIGMETRICS Performance Evaluation Review vol32 no 1 pp 61ndash72 2004
[9] A Lakhina M Crovella and C Diot ldquoDiagnosing network-wide traffic anomaliesrdquo ACM SIGCOMM Computer Communi-cation Review vol 34 no 4 pp 219ndash230 2004
[10] L Huang M I Jordan A Joseph M Garofalakis and NTaft ldquoIn-network PCA and anomaly detectionrdquo in Advances inNeural Information Processing Systems pp 617ndash624 2006
[11] Y Zhang Z Ge A Greenberg and M Roughan ldquoNetworkanomographyrdquo in Proceedings of the 5th ACM SIGCOMMConference on Internet Measurement (IMC rsquo05) p 30 2005
[12] A Soule A Lakhina N Taft et al ldquoTraffic matrices balancingmeasurements inference and modelingrdquo ACM SIGMETRICSPerformance Evaluation Review vol 33 no 1 pp 362ndash373 2005
[13] H Ringberg A Soule J Rexford and C Diot ldquoSensitivityof PCA for traffic anomaly detectionrdquo ACM SIGMETRICSPerformance Evaluation Review vol 35 no 1 pp 109ndash120 2007
[14] K-C Toh and S Yun ldquoAn accelerated proximal gradientalgorithm for nuclear norm regularized linear least squares
problemsrdquo Pacific Journal of Optimization vol 6 no 3 pp 615ndash640 2010
[15] H Yao D Zhang J Ye X Li and X He ldquoFast and accuratematrix completion via truncated nuclear norm regularizationrdquoIEEE Transactions on Pattern Analysis andMachine Intelligencevol 35 no 9 pp 2117ndash2130 2013
[16] A Ganesh Z Lin J Wright L Wu M Chen and Y MaldquoFast algorithms for recovering a corrupted low-rank matrixrdquoin Proceedings of the 2009 3rd IEEE International Workshop onComputational Advances in Multi-Sensor Adaptive Processing(CAMSAP rsquo09) pp 213ndash216 December 2009
[17] J Wright A Ganesh S Rao Y Peng and Y Ma ldquoRobustprincipal component analysis exact recovery of corrupted low-rank matrices by convex optimizationrdquo in Proceedings of theNeural Information Processing Systems 2009
[18] R He W S Zheng T Tan and Z Sun ldquoHalf-quadratic basediterative minimization for robust sparse representationrdquo IEEETransactions on Pattern Analysis and Machine Intelligence vol36 no 2 pp 261ndash275 2014
[19] A Beck and M Teboulle ldquoA fast iterative shrinkage-thresholding algorithm for linear inverse problemsrdquo SIAMJournal on Imaging Sciences vol 2 no 1 pp 183ndash202 2009
[20] Y-F Li Y-J Zhang and Z-H Huang ldquoA reweighted nuclearnorm minimization algorithm for low rank matrix recoveryrdquoJournal of Computational andAppliedMathematics vol 263 pp338ndash350 2014
[21] M Zhang Z-H Huang and Y Zhang ldquoRestricted 119901-isometryproperties of nonconvexmatrix recoveryrdquo IEEE Transactions onInformation Theory vol 59 no 7 pp 4316ndash4323 2013
[22] C-F Tsai Y-F Hsu C-Y Lin and W-Y Lin ldquoIntrusiondetection by machine learning a reviewrdquo Expert Systems withApplications vol 36 no 10 pp 11994ndash12000 2009
[23] S Mukkamala A H Sung and A Abraham ldquoIntrusiondetection using an ensemble of intelligent paradigmsrdquo Journalof Network and Computer Applications vol 28 no 2 pp 167ndash182 2005
[24] A Mitrokotsa M Tsagkaris and C Douligeris ldquoIntrusiondetection in mobile Ad Hoc Networks using classificationalgorithmsrdquo IFIP International Federation for Information Pro-cessing vol 265 pp 133ndash144 2008
[25] F Amiri M Rezaei Yousefi C Lucas A Shakery and NYazdani ldquoMutual information-based feature selection for intru-sion detection systemsrdquo Journal of Network and ComputerApplications vol 34 no 4 pp 1184ndash1199 2011
[26] K Labib andV RVemuri ldquoDetecting and visualizing denial-of-service and network probe attacks using principal componentanalysisrdquo in Proceedings of 3rd Conference on Security andNetwork Architectures (SAR rsquo04) La Londe France June 2004
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Discrete Dynamics in Nature and Society 5
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
times104
minus02
minus04
minus06
minus08
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
times104
minus1
(b)
Figure 4 (a) Gaussian white noise matrix (b) Anomaly-free traffic matrix with Gaussian white noise
0 1 2 3 4 5 6 7 8 9 10
0
02
04
06
08
1
times104
minus02
minus04
minus06
minus08
minus1
(a)
0 1 2 3 4 5 6 7 8 9 10
0
5
10
15
20
25
30
times104
minus5
minus10
(b)
Figure 5 (a) Abnormal traffic using NAD-APG (b) Residual matrix with Gaussian white noise in PCA
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6
7times10
8
times104
Figure 6 Original normal traffic mixed with 500 Probe attack data
the 119896th iteration we update 119860119896+1
and 119864119896+1
as the followingiterative scheme
119860119896+1
= S1205832(119884119860
119896+
119883 minus 119884119860
119896minus 119884119864
119896
2
)
119864119896+1
= S1205832(119884119864
119896+
119883 minus 119884119860
119896minus 119884119864
119896
2
)
where S1205832 (
119909) =
119909 minus
120583
2
if 119909 gt120583
2
119909 +
120583
2
if 119909 lt120583
2
0 otherwise
(10)
6 Discrete Dynamics in Nature and Society
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6
7
minus1
times108
times104
(a)
0 1 2 3 4 5 6 7 8 9 10
0
1000
2000
3000
4000
5000
6000
7000
8000
times104
minus1000
(b)
Figure 7 (a) Principal components of hybrid data in PCA (b) Residual matrix visualization in PCA
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
minus1
times104
(a)
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6
7times10
8
times104
(b)
Figure 8 (a) Normal traffic in NAD-APG method (b) Abnormal patterns shown in NAD-APG
119884119860
119896+1 119884119864119896+1
and 119905119896+1
are updated in the same way as [16] asfollows
119884119860
119896+1= 119860119896+1
+
119905119896minus 1
119905119896+1
(119860119896+1
minus 119860119896)
119884119864
119896+1= 119864119896+1
+
119905119896minus 1
119905119896+1
(119864119896+1
minus 119864119896)
119905119896+1
=
1 + radic1 + 41199052
119896
2
(11)
Here we summarize the main procedure for solving ournetwork anomaly detection problem by APG algorithm
which is called NAD-APG (see Algorithm 1) As pointed outin [19] the algorithm has a convergence rate of 119874(11198962)
4 Experiments and Results
In this section we conduct several experiments on differentattack types to show the effectiveness of our proposedapproach
41TheData Set Currently there are only fewpublic datasetsfor intrusion detection evaluation According to the literaturereview by Tsai et al [22] the majority of the IDS experiments
Discrete Dynamics in Nature and Society 7
0 100 200 300 400 500 6000
1
2
3
4
5
6times10
6
Figure 9 Visualization for 500 normal and 100 R2L network traffic
are performed on the KDD Cup 99 datasets It is the mostcomprehensive dataset that is still widely applied to compareand measure the performance of IDSs Therefore in orderto facilitate fair and rational comparisons with other state-of-the-art detection approaches we select the KDD Cup99 dataset to evaluate the performance of our approachfor detection This dataset was derived from the DARPA1998 datset It contains training data with approximately fivemillion connection records and test data with about twomillion connection records Each record in this dataset isuniquewith 41 features KDDCup 99 dataset includes normaltraffic and our different types of attacks namely ProbeDenial of Service (DOS) User o Root (U2R) and Remote toUser (R2U)More details about these attacks are given by [23]
During our experiments we use 10 KDD Cup 99 fortraining and testing Literature review shows that a significantnumber of state-of-the-art IDSs such as [23 24] wereevaluated using 10 KDD Cup 99 data Therefore trainingand testing our system on the 10KDDCup 99 data can helpto provide a fair comparison with those approaches The 10KDD Cup 99 consists of 494021 TCPIP connection recordssimulated in a military network environment US Air ForceLAN Each record is labeled as either normal or an attack andit has 41 different quantitative and qualitative features Thesefeatures are generally categorized into threemain groupsThefirst group is the basic features (ie attributes 1 to 9) that canbe extracted from a TCPIP connection The second grouprefers to features 10 to 22 that are named as content-basedfeatures presenting the information derived from networkpacket payloads The third group corresponds to the traffic-based features which are carried by the features 23 to 41 ofeach record A complete list of the set of features and thedetailed description is available in [25]
42 Experimental Results To demonstrate our method formanaging the internet network especially detecting theabnormal behaviors from the normal network traffic weconduct PCA and NAD-APG methods for normal trafficmixed with some attacks in our experiments
Firstly we randomly choose some normal traffic datawhich consists of 97278 data items (see Figure 1) In thispaper we consider these data as the normally-free traffic totest the performance of ourmethod After using PCA we can
find that the principal components almost enjoy the wholeproperty of the original normal traffic Here the sum of thevariances of the first ten principal components is near 100of the total variance of the original data Figure 2 shows us thedetails of two matrices after decomposing the original matrixusing PCA where Figure 2(a) shows the visualization formatrix which is composed of top ten principal componentsandFigure 2(b) shows the details of residualmatrixHoweverit is very difficult for us to find any pattern from themMoreover there are still some data characteristics left inresidual matrix after we apply PCA to the original normaldata which confuse the network analysts greatly If we use ourproposed method to the above normal traffic two matriceswith low-rank and sparse properties can be obtained toshow the normal and abnormal traffic respectively Figure 3visualizes the details of the two matrices where Figure 3(a)represents the low-rank matrix with main properties of theoriginal normal traffic In our paper we term this matrix asnormal traffic matrix While Figure 3(b) displays the matrixwith all zero elements which is termed as abnormal trafficmatrixTherefore if we decompose the unique normal trafficinto two matrices we can obtain normal matrix uniquelyTo sum up Figure 3 shows the correctness and effectivenessof our proposed NAD-APG Furthermore if the traffic waspolluted by noise (in this paper we refer the noise to beGaussianwhite noisewith 0mean and 1 variance) NAD-APGcan identify the anomaly-free traffic accurately
Figures 4 and 5 show the robust property of our proposedNAD-APGmethod where (a) is the visualization of Gaussianwhite noise added to the normal traffic and (b) is the recoveryof anomaly-free traffic In fact we obtained the all zeromatrixas well in this decomposition which means the traffic isanomaly-free Figure 5 compares the effectiveness of NAD-APG method with PCA In the visualization of residualmatrix of PCA it is obvious that we cannot find any patternof attacks
To evaluate the effectiveness of our method for detectingattacks in the whole internet we add 500 ldquoProberdquo data itemsto the normal traffic which means that the amount of thetotal data items is 97778 (see Figure 6) As we all know Probeattacks refer to attackers that typically probe the victimrsquosnetwork or host by searching through the network or hostfor open ports before they launch an attack on a given host[26] Therefore there may be a large volume of traffic in ashort time interval Figure 6 displays the details of hybridtraffic Firstly we try to use PCA to detect the Probe attackFigure 7(a) shows us the principal components of the hybridtraffic data which occupy the 99 contribution to the wholedata Though only 1 of energy of the whole data is leftin the residual matrix we find that there are still someintrinsic properties of the original data set which does notshow any valuable pattern for attacks However if we testthe hybrid data using NAD-APG method the sparse trafficmatrix obtained from the algorithm shows the attack patternapparently This enables the network manager to identify theanomalous packets from the normal traffic and can improvethe accuracy of attacks detection Figures 8(a) and 8(b) showthe patterns of normal and abnormal traffic decomposed bythe NAD-APG scheme
8 Discrete Dynamics in Nature and Society
InputNetwork traffic matrix119883 isin R119898times119899 120582 and tolerance 120576Initialize 119860
0larr 0 119864
0larr 0 119905
0larr 1
RepeatStep 1 Update 119860
119896+1 119864119896+1
as 119860119896+1
= S1205832(119884119860
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2)) and 119864
119896+1= S1205832(119884119864
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2))
Step 2 Let 119905119896+1
= (1 + radic1 + 41199052
119896)2
Step 3 Update 119884119860119896+1
and 119884119864119896+1
119884119860119896+1
= 119860119896+1+ ((119905119896minus 1)(119905
119896+1))(119860119896+1minus 119860119896) 119884119864119896+1
= 119864119896+1+ ((119905119896minus 1) (119905
119896+1))(119864119896+1minus 119864119896)
Until 119860119896+1minus 119860119896 le 120576 119864
119896+1minus 119864119896 le 120576 119860 larr 119860
119896+1 119864 larr 119864
119896+1
Analyze normal traffic pattern matrix 119860 abnormal traffic matrix 119864Output Is there any abnormal activity or not in the whole traffic
Algorithm 1 Anomaly detection using APG
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 600
0
100
200
300
400
500
600
700
minus100
(b)
Figure 10 (a) Principal components of NR data in PCA (b) Residual matrix of NR data in PCA
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 11 (a) Normal traffic of NR in NAD-APG method (b) Abnormal patterns of NR in NAD-APG
Discrete Dynamics in Nature and Society 9
0 100 200 300 400 500 600
0
1
2
3
4
5
6
minus1
times106
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 12 (a) Normal traffic of NRN in NAD-APG method (b) Abnormal patterns of NRN in NAD-APG
Table 1 Rank of low-rank matrix in the decomposition of NAD-APG method for attacks detection
Different sampling data Data items Rank (sampling data) Rank (low-rank matrix)Normal traffic 97378 38 10Normal traffic + Probe 97778 38 4500 Normal traffic + 100 R2L traffic 600 36 4Normal traffic + 100 R2L traffic 97478 38 4
To further demonstrate the advantages of our proposedscheme in small sampling data we randomly choose 500normal data items and 100 R2L attacks traffic as our testdata set (here we term this data set as NR) R2L attacksalways reveal the unauthorized local access from a remotemachine Moreover the data values in R2L attacks are alwaysmuch larger than the common data traffic Therefore wecan find that the fluctuation in the scale of the data valuesoccurs fromFigure 9 Figures 10 and 11 represent the details ofthe normal and abnormal traffic matrices obtained from thetwo different decomposition algorithms where the residualmatrix in PCA is still confusing Therefore it is very difficultfor network analysts to find the R2L attacks pattern fromit On the contrary the attack pattern can apparently befound from the sparse matrix as shown in Figure 11(b) Evensometimes the real network traffic data are polluted by thenoise (here we term this data set as NRN) especially theGaussian white noise the NAD-APG method can separatethe normal and R2L attack patterns apparently Figures 12(a)and 12(b) reveal the different patterns hidden in the networktraffic respectively
To sum up the experiments implemented above showthat the low-rank matrix represents the normal traffic andthe sparse matrix can always reveal the patterns of differentattacks when we use our proposed NAD-APG scheme todetect anomalies Table 1 describes the different ranks of thenormal traffic matrix in detecting different attacks There isno doubt that the low-rank matrices in processing different
sampling data have much lower ranks than the original onesHowever the rank of low-rank matrix is ten when we dealwith the pure normal network traffic which may be causedby the pure type of data
5 Conclusion
This paper introduced a new decomposition model forpacket-level network traffic data no matter whether it waspolluted by large-scale anomalies and noise or not We pre-sented the iterative algorithm based on accelerated proximalgradientmethod whichwas termed asNAD-APGMoreoverwe designed a prototype system for network anomaliesdetection such as Probe and R2L attacks and so on Theexperiments have shown that our approach is effective inrevealing the patterns of network traffic data and detectingattacks from a variety of networking patterns In additionthe experiments have demonstrated the robustness of thealgorithm as well when the network traffic is polluted by thelarge volume anomalies and noise
Though it is effective in detecting the attacks fromthe large-volume network traffic it is difficult to classifythe abnormal activities Therefore leveraging some featureselection and classification methods to our approaches toenhance the efficiency of intrusion detection is considered asour near future work On the other hand we will do moreresearches on APG algorithm itself and make our methodmore powerful and practical
10 Discrete Dynamics in Nature and Society
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National NaturalScience Foundation of China (no 11171252 and no 61202379)and theDoctoral Fund ofMinistry of Education of China (no20120032120041)
References
[1] C Fraleigh S Moon B Lyles et al ldquoPacket-level trafficmeasurements from the sprint IP backbonerdquo IEEENetwork vol17 no 6 pp 6ndash16 2003
[2] ZWang K Hu K Xu B Yin and X Dong ldquoStructural analysisof network traffic matrix via relaxed principal componentpursuitrdquoComputer Networks vol 56 no 7 pp 2049ndash2067 2012
[3] W Wang D Lu X Zhou B Zhang and J Mu ldquoStatisticalwavelet-based anomaly detection in big data with compressivesensingrdquo EURASIP Journal on Wireless Communications ampNetworking vol 2013 no 1 article 269 pp 1ndash6 2013
[4] L Nie D Jiang and L Guo ldquoA power laws-based reconstruc-tion approach to end-to-endnetwork trafficrdquo Journal of Networkand Computer Applications vol 36 no 2 pp 898ndash907 2012
[5] M Mardani G Mateos and G B Giannakis ldquoUnveilinganomalies in large-scale networks via sparsity and low rankrdquoin Proceedings of the Conference Record of the 45th AsilomarConference on Signals Systems and Computers (ASILOMAR rsquo11)pp 403ndash407 November 2011
[6] G Vigna and R A Kemmerer ldquoNetSTAT a network-basedintrusion detection approachrdquo in Proceedings of the 14th AnnualComputer Security Applications Conference pp 25ndash34 1998
[7] A Hassanzadeh and B Sadeghian ldquoIntrusion detection withdata correlation relation graphrdquo in Proceedings of the 3rdInternational Conference on Availability Security and Reliability(ARES rsquo08) pp 982ndash989 March 2008
[8] A Lakhina K Papagiannaki M Crovella C Diot E DKolaczyk and N Taft ldquoStructural analysis of network trafficflowsrdquoACMSIGMETRICS Performance Evaluation Review vol32 no 1 pp 61ndash72 2004
[9] A Lakhina M Crovella and C Diot ldquoDiagnosing network-wide traffic anomaliesrdquo ACM SIGCOMM Computer Communi-cation Review vol 34 no 4 pp 219ndash230 2004
[10] L Huang M I Jordan A Joseph M Garofalakis and NTaft ldquoIn-network PCA and anomaly detectionrdquo in Advances inNeural Information Processing Systems pp 617ndash624 2006
[11] Y Zhang Z Ge A Greenberg and M Roughan ldquoNetworkanomographyrdquo in Proceedings of the 5th ACM SIGCOMMConference on Internet Measurement (IMC rsquo05) p 30 2005
[12] A Soule A Lakhina N Taft et al ldquoTraffic matrices balancingmeasurements inference and modelingrdquo ACM SIGMETRICSPerformance Evaluation Review vol 33 no 1 pp 362ndash373 2005
[13] H Ringberg A Soule J Rexford and C Diot ldquoSensitivityof PCA for traffic anomaly detectionrdquo ACM SIGMETRICSPerformance Evaluation Review vol 35 no 1 pp 109ndash120 2007
[14] K-C Toh and S Yun ldquoAn accelerated proximal gradientalgorithm for nuclear norm regularized linear least squares
problemsrdquo Pacific Journal of Optimization vol 6 no 3 pp 615ndash640 2010
[15] H Yao D Zhang J Ye X Li and X He ldquoFast and accuratematrix completion via truncated nuclear norm regularizationrdquoIEEE Transactions on Pattern Analysis andMachine Intelligencevol 35 no 9 pp 2117ndash2130 2013
[16] A Ganesh Z Lin J Wright L Wu M Chen and Y MaldquoFast algorithms for recovering a corrupted low-rank matrixrdquoin Proceedings of the 2009 3rd IEEE International Workshop onComputational Advances in Multi-Sensor Adaptive Processing(CAMSAP rsquo09) pp 213ndash216 December 2009
[17] J Wright A Ganesh S Rao Y Peng and Y Ma ldquoRobustprincipal component analysis exact recovery of corrupted low-rank matrices by convex optimizationrdquo in Proceedings of theNeural Information Processing Systems 2009
[18] R He W S Zheng T Tan and Z Sun ldquoHalf-quadratic basediterative minimization for robust sparse representationrdquo IEEETransactions on Pattern Analysis and Machine Intelligence vol36 no 2 pp 261ndash275 2014
[19] A Beck and M Teboulle ldquoA fast iterative shrinkage-thresholding algorithm for linear inverse problemsrdquo SIAMJournal on Imaging Sciences vol 2 no 1 pp 183ndash202 2009
[20] Y-F Li Y-J Zhang and Z-H Huang ldquoA reweighted nuclearnorm minimization algorithm for low rank matrix recoveryrdquoJournal of Computational andAppliedMathematics vol 263 pp338ndash350 2014
[21] M Zhang Z-H Huang and Y Zhang ldquoRestricted 119901-isometryproperties of nonconvexmatrix recoveryrdquo IEEE Transactions onInformation Theory vol 59 no 7 pp 4316ndash4323 2013
[22] C-F Tsai Y-F Hsu C-Y Lin and W-Y Lin ldquoIntrusiondetection by machine learning a reviewrdquo Expert Systems withApplications vol 36 no 10 pp 11994ndash12000 2009
[23] S Mukkamala A H Sung and A Abraham ldquoIntrusiondetection using an ensemble of intelligent paradigmsrdquo Journalof Network and Computer Applications vol 28 no 2 pp 167ndash182 2005
[24] A Mitrokotsa M Tsagkaris and C Douligeris ldquoIntrusiondetection in mobile Ad Hoc Networks using classificationalgorithmsrdquo IFIP International Federation for Information Pro-cessing vol 265 pp 133ndash144 2008
[25] F Amiri M Rezaei Yousefi C Lucas A Shakery and NYazdani ldquoMutual information-based feature selection for intru-sion detection systemsrdquo Journal of Network and ComputerApplications vol 34 no 4 pp 1184ndash1199 2011
[26] K Labib andV RVemuri ldquoDetecting and visualizing denial-of-service and network probe attacks using principal componentanalysisrdquo in Proceedings of 3rd Conference on Security andNetwork Architectures (SAR rsquo04) La Londe France June 2004
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
6 Discrete Dynamics in Nature and Society
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6
7
minus1
times108
times104
(a)
0 1 2 3 4 5 6 7 8 9 10
0
1000
2000
3000
4000
5000
6000
7000
8000
times104
minus1000
(b)
Figure 7 (a) Principal components of hybrid data in PCA (b) Residual matrix visualization in PCA
0 1 2 3 4 5 6 7 8 9 10
0
1
2
3
4
5
6times10
6
minus1
times104
(a)
0 1 2 3 4 5 6 7 8 9 100
1
2
3
4
5
6
7times10
8
times104
(b)
Figure 8 (a) Normal traffic in NAD-APG method (b) Abnormal patterns shown in NAD-APG
119884119860
119896+1 119884119864119896+1
and 119905119896+1
are updated in the same way as [16] asfollows
119884119860
119896+1= 119860119896+1
+
119905119896minus 1
119905119896+1
(119860119896+1
minus 119860119896)
119884119864
119896+1= 119864119896+1
+
119905119896minus 1
119905119896+1
(119864119896+1
minus 119864119896)
119905119896+1
=
1 + radic1 + 41199052
119896
2
(11)
Here we summarize the main procedure for solving ournetwork anomaly detection problem by APG algorithm
which is called NAD-APG (see Algorithm 1) As pointed outin [19] the algorithm has a convergence rate of 119874(11198962)
4 Experiments and Results
In this section we conduct several experiments on differentattack types to show the effectiveness of our proposedapproach
41TheData Set Currently there are only fewpublic datasetsfor intrusion detection evaluation According to the literaturereview by Tsai et al [22] the majority of the IDS experiments
Discrete Dynamics in Nature and Society 7
0 100 200 300 400 500 6000
1
2
3
4
5
6times10
6
Figure 9 Visualization for 500 normal and 100 R2L network traffic
are performed on the KDD Cup 99 datasets It is the mostcomprehensive dataset that is still widely applied to compareand measure the performance of IDSs Therefore in orderto facilitate fair and rational comparisons with other state-of-the-art detection approaches we select the KDD Cup99 dataset to evaluate the performance of our approachfor detection This dataset was derived from the DARPA1998 datset It contains training data with approximately fivemillion connection records and test data with about twomillion connection records Each record in this dataset isuniquewith 41 features KDDCup 99 dataset includes normaltraffic and our different types of attacks namely ProbeDenial of Service (DOS) User o Root (U2R) and Remote toUser (R2U)More details about these attacks are given by [23]
During our experiments we use 10 KDD Cup 99 fortraining and testing Literature review shows that a significantnumber of state-of-the-art IDSs such as [23 24] wereevaluated using 10 KDD Cup 99 data Therefore trainingand testing our system on the 10KDDCup 99 data can helpto provide a fair comparison with those approaches The 10KDD Cup 99 consists of 494021 TCPIP connection recordssimulated in a military network environment US Air ForceLAN Each record is labeled as either normal or an attack andit has 41 different quantitative and qualitative features Thesefeatures are generally categorized into threemain groupsThefirst group is the basic features (ie attributes 1 to 9) that canbe extracted from a TCPIP connection The second grouprefers to features 10 to 22 that are named as content-basedfeatures presenting the information derived from networkpacket payloads The third group corresponds to the traffic-based features which are carried by the features 23 to 41 ofeach record A complete list of the set of features and thedetailed description is available in [25]
42 Experimental Results To demonstrate our method formanaging the internet network especially detecting theabnormal behaviors from the normal network traffic weconduct PCA and NAD-APG methods for normal trafficmixed with some attacks in our experiments
Firstly we randomly choose some normal traffic datawhich consists of 97278 data items (see Figure 1) In thispaper we consider these data as the normally-free traffic totest the performance of ourmethod After using PCA we can
find that the principal components almost enjoy the wholeproperty of the original normal traffic Here the sum of thevariances of the first ten principal components is near 100of the total variance of the original data Figure 2 shows us thedetails of two matrices after decomposing the original matrixusing PCA where Figure 2(a) shows the visualization formatrix which is composed of top ten principal componentsandFigure 2(b) shows the details of residualmatrixHoweverit is very difficult for us to find any pattern from themMoreover there are still some data characteristics left inresidual matrix after we apply PCA to the original normaldata which confuse the network analysts greatly If we use ourproposed method to the above normal traffic two matriceswith low-rank and sparse properties can be obtained toshow the normal and abnormal traffic respectively Figure 3visualizes the details of the two matrices where Figure 3(a)represents the low-rank matrix with main properties of theoriginal normal traffic In our paper we term this matrix asnormal traffic matrix While Figure 3(b) displays the matrixwith all zero elements which is termed as abnormal trafficmatrixTherefore if we decompose the unique normal trafficinto two matrices we can obtain normal matrix uniquelyTo sum up Figure 3 shows the correctness and effectivenessof our proposed NAD-APG Furthermore if the traffic waspolluted by noise (in this paper we refer the noise to beGaussianwhite noisewith 0mean and 1 variance) NAD-APGcan identify the anomaly-free traffic accurately
Figures 4 and 5 show the robust property of our proposedNAD-APGmethod where (a) is the visualization of Gaussianwhite noise added to the normal traffic and (b) is the recoveryof anomaly-free traffic In fact we obtained the all zeromatrixas well in this decomposition which means the traffic isanomaly-free Figure 5 compares the effectiveness of NAD-APG method with PCA In the visualization of residualmatrix of PCA it is obvious that we cannot find any patternof attacks
To evaluate the effectiveness of our method for detectingattacks in the whole internet we add 500 ldquoProberdquo data itemsto the normal traffic which means that the amount of thetotal data items is 97778 (see Figure 6) As we all know Probeattacks refer to attackers that typically probe the victimrsquosnetwork or host by searching through the network or hostfor open ports before they launch an attack on a given host[26] Therefore there may be a large volume of traffic in ashort time interval Figure 6 displays the details of hybridtraffic Firstly we try to use PCA to detect the Probe attackFigure 7(a) shows us the principal components of the hybridtraffic data which occupy the 99 contribution to the wholedata Though only 1 of energy of the whole data is leftin the residual matrix we find that there are still someintrinsic properties of the original data set which does notshow any valuable pattern for attacks However if we testthe hybrid data using NAD-APG method the sparse trafficmatrix obtained from the algorithm shows the attack patternapparently This enables the network manager to identify theanomalous packets from the normal traffic and can improvethe accuracy of attacks detection Figures 8(a) and 8(b) showthe patterns of normal and abnormal traffic decomposed bythe NAD-APG scheme
8 Discrete Dynamics in Nature and Society
InputNetwork traffic matrix119883 isin R119898times119899 120582 and tolerance 120576Initialize 119860
0larr 0 119864
0larr 0 119905
0larr 1
RepeatStep 1 Update 119860
119896+1 119864119896+1
as 119860119896+1
= S1205832(119884119860
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2)) and 119864
119896+1= S1205832(119884119864
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2))
Step 2 Let 119905119896+1
= (1 + radic1 + 41199052
119896)2
Step 3 Update 119884119860119896+1
and 119884119864119896+1
119884119860119896+1
= 119860119896+1+ ((119905119896minus 1)(119905
119896+1))(119860119896+1minus 119860119896) 119884119864119896+1
= 119864119896+1+ ((119905119896minus 1) (119905
119896+1))(119864119896+1minus 119864119896)
Until 119860119896+1minus 119860119896 le 120576 119864
119896+1minus 119864119896 le 120576 119860 larr 119860
119896+1 119864 larr 119864
119896+1
Analyze normal traffic pattern matrix 119860 abnormal traffic matrix 119864Output Is there any abnormal activity or not in the whole traffic
Algorithm 1 Anomaly detection using APG
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 600
0
100
200
300
400
500
600
700
minus100
(b)
Figure 10 (a) Principal components of NR data in PCA (b) Residual matrix of NR data in PCA
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 11 (a) Normal traffic of NR in NAD-APG method (b) Abnormal patterns of NR in NAD-APG
Discrete Dynamics in Nature and Society 9
0 100 200 300 400 500 600
0
1
2
3
4
5
6
minus1
times106
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 12 (a) Normal traffic of NRN in NAD-APG method (b) Abnormal patterns of NRN in NAD-APG
Table 1 Rank of low-rank matrix in the decomposition of NAD-APG method for attacks detection
Different sampling data Data items Rank (sampling data) Rank (low-rank matrix)Normal traffic 97378 38 10Normal traffic + Probe 97778 38 4500 Normal traffic + 100 R2L traffic 600 36 4Normal traffic + 100 R2L traffic 97478 38 4
To further demonstrate the advantages of our proposedscheme in small sampling data we randomly choose 500normal data items and 100 R2L attacks traffic as our testdata set (here we term this data set as NR) R2L attacksalways reveal the unauthorized local access from a remotemachine Moreover the data values in R2L attacks are alwaysmuch larger than the common data traffic Therefore wecan find that the fluctuation in the scale of the data valuesoccurs fromFigure 9 Figures 10 and 11 represent the details ofthe normal and abnormal traffic matrices obtained from thetwo different decomposition algorithms where the residualmatrix in PCA is still confusing Therefore it is very difficultfor network analysts to find the R2L attacks pattern fromit On the contrary the attack pattern can apparently befound from the sparse matrix as shown in Figure 11(b) Evensometimes the real network traffic data are polluted by thenoise (here we term this data set as NRN) especially theGaussian white noise the NAD-APG method can separatethe normal and R2L attack patterns apparently Figures 12(a)and 12(b) reveal the different patterns hidden in the networktraffic respectively
To sum up the experiments implemented above showthat the low-rank matrix represents the normal traffic andthe sparse matrix can always reveal the patterns of differentattacks when we use our proposed NAD-APG scheme todetect anomalies Table 1 describes the different ranks of thenormal traffic matrix in detecting different attacks There isno doubt that the low-rank matrices in processing different
sampling data have much lower ranks than the original onesHowever the rank of low-rank matrix is ten when we dealwith the pure normal network traffic which may be causedby the pure type of data
5 Conclusion
This paper introduced a new decomposition model forpacket-level network traffic data no matter whether it waspolluted by large-scale anomalies and noise or not We pre-sented the iterative algorithm based on accelerated proximalgradientmethod whichwas termed asNAD-APGMoreoverwe designed a prototype system for network anomaliesdetection such as Probe and R2L attacks and so on Theexperiments have shown that our approach is effective inrevealing the patterns of network traffic data and detectingattacks from a variety of networking patterns In additionthe experiments have demonstrated the robustness of thealgorithm as well when the network traffic is polluted by thelarge volume anomalies and noise
Though it is effective in detecting the attacks fromthe large-volume network traffic it is difficult to classifythe abnormal activities Therefore leveraging some featureselection and classification methods to our approaches toenhance the efficiency of intrusion detection is considered asour near future work On the other hand we will do moreresearches on APG algorithm itself and make our methodmore powerful and practical
10 Discrete Dynamics in Nature and Society
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National NaturalScience Foundation of China (no 11171252 and no 61202379)and theDoctoral Fund ofMinistry of Education of China (no20120032120041)
References
[1] C Fraleigh S Moon B Lyles et al ldquoPacket-level trafficmeasurements from the sprint IP backbonerdquo IEEENetwork vol17 no 6 pp 6ndash16 2003
[2] ZWang K Hu K Xu B Yin and X Dong ldquoStructural analysisof network traffic matrix via relaxed principal componentpursuitrdquoComputer Networks vol 56 no 7 pp 2049ndash2067 2012
[3] W Wang D Lu X Zhou B Zhang and J Mu ldquoStatisticalwavelet-based anomaly detection in big data with compressivesensingrdquo EURASIP Journal on Wireless Communications ampNetworking vol 2013 no 1 article 269 pp 1ndash6 2013
[4] L Nie D Jiang and L Guo ldquoA power laws-based reconstruc-tion approach to end-to-endnetwork trafficrdquo Journal of Networkand Computer Applications vol 36 no 2 pp 898ndash907 2012
[5] M Mardani G Mateos and G B Giannakis ldquoUnveilinganomalies in large-scale networks via sparsity and low rankrdquoin Proceedings of the Conference Record of the 45th AsilomarConference on Signals Systems and Computers (ASILOMAR rsquo11)pp 403ndash407 November 2011
[6] G Vigna and R A Kemmerer ldquoNetSTAT a network-basedintrusion detection approachrdquo in Proceedings of the 14th AnnualComputer Security Applications Conference pp 25ndash34 1998
[7] A Hassanzadeh and B Sadeghian ldquoIntrusion detection withdata correlation relation graphrdquo in Proceedings of the 3rdInternational Conference on Availability Security and Reliability(ARES rsquo08) pp 982ndash989 March 2008
[8] A Lakhina K Papagiannaki M Crovella C Diot E DKolaczyk and N Taft ldquoStructural analysis of network trafficflowsrdquoACMSIGMETRICS Performance Evaluation Review vol32 no 1 pp 61ndash72 2004
[9] A Lakhina M Crovella and C Diot ldquoDiagnosing network-wide traffic anomaliesrdquo ACM SIGCOMM Computer Communi-cation Review vol 34 no 4 pp 219ndash230 2004
[10] L Huang M I Jordan A Joseph M Garofalakis and NTaft ldquoIn-network PCA and anomaly detectionrdquo in Advances inNeural Information Processing Systems pp 617ndash624 2006
[11] Y Zhang Z Ge A Greenberg and M Roughan ldquoNetworkanomographyrdquo in Proceedings of the 5th ACM SIGCOMMConference on Internet Measurement (IMC rsquo05) p 30 2005
[12] A Soule A Lakhina N Taft et al ldquoTraffic matrices balancingmeasurements inference and modelingrdquo ACM SIGMETRICSPerformance Evaluation Review vol 33 no 1 pp 362ndash373 2005
[13] H Ringberg A Soule J Rexford and C Diot ldquoSensitivityof PCA for traffic anomaly detectionrdquo ACM SIGMETRICSPerformance Evaluation Review vol 35 no 1 pp 109ndash120 2007
[14] K-C Toh and S Yun ldquoAn accelerated proximal gradientalgorithm for nuclear norm regularized linear least squares
problemsrdquo Pacific Journal of Optimization vol 6 no 3 pp 615ndash640 2010
[15] H Yao D Zhang J Ye X Li and X He ldquoFast and accuratematrix completion via truncated nuclear norm regularizationrdquoIEEE Transactions on Pattern Analysis andMachine Intelligencevol 35 no 9 pp 2117ndash2130 2013
[16] A Ganesh Z Lin J Wright L Wu M Chen and Y MaldquoFast algorithms for recovering a corrupted low-rank matrixrdquoin Proceedings of the 2009 3rd IEEE International Workshop onComputational Advances in Multi-Sensor Adaptive Processing(CAMSAP rsquo09) pp 213ndash216 December 2009
[17] J Wright A Ganesh S Rao Y Peng and Y Ma ldquoRobustprincipal component analysis exact recovery of corrupted low-rank matrices by convex optimizationrdquo in Proceedings of theNeural Information Processing Systems 2009
[18] R He W S Zheng T Tan and Z Sun ldquoHalf-quadratic basediterative minimization for robust sparse representationrdquo IEEETransactions on Pattern Analysis and Machine Intelligence vol36 no 2 pp 261ndash275 2014
[19] A Beck and M Teboulle ldquoA fast iterative shrinkage-thresholding algorithm for linear inverse problemsrdquo SIAMJournal on Imaging Sciences vol 2 no 1 pp 183ndash202 2009
[20] Y-F Li Y-J Zhang and Z-H Huang ldquoA reweighted nuclearnorm minimization algorithm for low rank matrix recoveryrdquoJournal of Computational andAppliedMathematics vol 263 pp338ndash350 2014
[21] M Zhang Z-H Huang and Y Zhang ldquoRestricted 119901-isometryproperties of nonconvexmatrix recoveryrdquo IEEE Transactions onInformation Theory vol 59 no 7 pp 4316ndash4323 2013
[22] C-F Tsai Y-F Hsu C-Y Lin and W-Y Lin ldquoIntrusiondetection by machine learning a reviewrdquo Expert Systems withApplications vol 36 no 10 pp 11994ndash12000 2009
[23] S Mukkamala A H Sung and A Abraham ldquoIntrusiondetection using an ensemble of intelligent paradigmsrdquo Journalof Network and Computer Applications vol 28 no 2 pp 167ndash182 2005
[24] A Mitrokotsa M Tsagkaris and C Douligeris ldquoIntrusiondetection in mobile Ad Hoc Networks using classificationalgorithmsrdquo IFIP International Federation for Information Pro-cessing vol 265 pp 133ndash144 2008
[25] F Amiri M Rezaei Yousefi C Lucas A Shakery and NYazdani ldquoMutual information-based feature selection for intru-sion detection systemsrdquo Journal of Network and ComputerApplications vol 34 no 4 pp 1184ndash1199 2011
[26] K Labib andV RVemuri ldquoDetecting and visualizing denial-of-service and network probe attacks using principal componentanalysisrdquo in Proceedings of 3rd Conference on Security andNetwork Architectures (SAR rsquo04) La Londe France June 2004
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Discrete Dynamics in Nature and Society 7
0 100 200 300 400 500 6000
1
2
3
4
5
6times10
6
Figure 9 Visualization for 500 normal and 100 R2L network traffic
are performed on the KDD Cup 99 datasets It is the mostcomprehensive dataset that is still widely applied to compareand measure the performance of IDSs Therefore in orderto facilitate fair and rational comparisons with other state-of-the-art detection approaches we select the KDD Cup99 dataset to evaluate the performance of our approachfor detection This dataset was derived from the DARPA1998 datset It contains training data with approximately fivemillion connection records and test data with about twomillion connection records Each record in this dataset isuniquewith 41 features KDDCup 99 dataset includes normaltraffic and our different types of attacks namely ProbeDenial of Service (DOS) User o Root (U2R) and Remote toUser (R2U)More details about these attacks are given by [23]
During our experiments we use 10 KDD Cup 99 fortraining and testing Literature review shows that a significantnumber of state-of-the-art IDSs such as [23 24] wereevaluated using 10 KDD Cup 99 data Therefore trainingand testing our system on the 10KDDCup 99 data can helpto provide a fair comparison with those approaches The 10KDD Cup 99 consists of 494021 TCPIP connection recordssimulated in a military network environment US Air ForceLAN Each record is labeled as either normal or an attack andit has 41 different quantitative and qualitative features Thesefeatures are generally categorized into threemain groupsThefirst group is the basic features (ie attributes 1 to 9) that canbe extracted from a TCPIP connection The second grouprefers to features 10 to 22 that are named as content-basedfeatures presenting the information derived from networkpacket payloads The third group corresponds to the traffic-based features which are carried by the features 23 to 41 ofeach record A complete list of the set of features and thedetailed description is available in [25]
42 Experimental Results To demonstrate our method formanaging the internet network especially detecting theabnormal behaviors from the normal network traffic weconduct PCA and NAD-APG methods for normal trafficmixed with some attacks in our experiments
Firstly we randomly choose some normal traffic datawhich consists of 97278 data items (see Figure 1) In thispaper we consider these data as the normally-free traffic totest the performance of ourmethod After using PCA we can
find that the principal components almost enjoy the wholeproperty of the original normal traffic Here the sum of thevariances of the first ten principal components is near 100of the total variance of the original data Figure 2 shows us thedetails of two matrices after decomposing the original matrixusing PCA where Figure 2(a) shows the visualization formatrix which is composed of top ten principal componentsandFigure 2(b) shows the details of residualmatrixHoweverit is very difficult for us to find any pattern from themMoreover there are still some data characteristics left inresidual matrix after we apply PCA to the original normaldata which confuse the network analysts greatly If we use ourproposed method to the above normal traffic two matriceswith low-rank and sparse properties can be obtained toshow the normal and abnormal traffic respectively Figure 3visualizes the details of the two matrices where Figure 3(a)represents the low-rank matrix with main properties of theoriginal normal traffic In our paper we term this matrix asnormal traffic matrix While Figure 3(b) displays the matrixwith all zero elements which is termed as abnormal trafficmatrixTherefore if we decompose the unique normal trafficinto two matrices we can obtain normal matrix uniquelyTo sum up Figure 3 shows the correctness and effectivenessof our proposed NAD-APG Furthermore if the traffic waspolluted by noise (in this paper we refer the noise to beGaussianwhite noisewith 0mean and 1 variance) NAD-APGcan identify the anomaly-free traffic accurately
Figures 4 and 5 show the robust property of our proposedNAD-APGmethod where (a) is the visualization of Gaussianwhite noise added to the normal traffic and (b) is the recoveryof anomaly-free traffic In fact we obtained the all zeromatrixas well in this decomposition which means the traffic isanomaly-free Figure 5 compares the effectiveness of NAD-APG method with PCA In the visualization of residualmatrix of PCA it is obvious that we cannot find any patternof attacks
To evaluate the effectiveness of our method for detectingattacks in the whole internet we add 500 ldquoProberdquo data itemsto the normal traffic which means that the amount of thetotal data items is 97778 (see Figure 6) As we all know Probeattacks refer to attackers that typically probe the victimrsquosnetwork or host by searching through the network or hostfor open ports before they launch an attack on a given host[26] Therefore there may be a large volume of traffic in ashort time interval Figure 6 displays the details of hybridtraffic Firstly we try to use PCA to detect the Probe attackFigure 7(a) shows us the principal components of the hybridtraffic data which occupy the 99 contribution to the wholedata Though only 1 of energy of the whole data is leftin the residual matrix we find that there are still someintrinsic properties of the original data set which does notshow any valuable pattern for attacks However if we testthe hybrid data using NAD-APG method the sparse trafficmatrix obtained from the algorithm shows the attack patternapparently This enables the network manager to identify theanomalous packets from the normal traffic and can improvethe accuracy of attacks detection Figures 8(a) and 8(b) showthe patterns of normal and abnormal traffic decomposed bythe NAD-APG scheme
8 Discrete Dynamics in Nature and Society
InputNetwork traffic matrix119883 isin R119898times119899 120582 and tolerance 120576Initialize 119860
0larr 0 119864
0larr 0 119905
0larr 1
RepeatStep 1 Update 119860
119896+1 119864119896+1
as 119860119896+1
= S1205832(119884119860
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2)) and 119864
119896+1= S1205832(119884119864
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2))
Step 2 Let 119905119896+1
= (1 + radic1 + 41199052
119896)2
Step 3 Update 119884119860119896+1
and 119884119864119896+1
119884119860119896+1
= 119860119896+1+ ((119905119896minus 1)(119905
119896+1))(119860119896+1minus 119860119896) 119884119864119896+1
= 119864119896+1+ ((119905119896minus 1) (119905
119896+1))(119864119896+1minus 119864119896)
Until 119860119896+1minus 119860119896 le 120576 119864
119896+1minus 119864119896 le 120576 119860 larr 119860
119896+1 119864 larr 119864
119896+1
Analyze normal traffic pattern matrix 119860 abnormal traffic matrix 119864Output Is there any abnormal activity or not in the whole traffic
Algorithm 1 Anomaly detection using APG
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 600
0
100
200
300
400
500
600
700
minus100
(b)
Figure 10 (a) Principal components of NR data in PCA (b) Residual matrix of NR data in PCA
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 11 (a) Normal traffic of NR in NAD-APG method (b) Abnormal patterns of NR in NAD-APG
Discrete Dynamics in Nature and Society 9
0 100 200 300 400 500 600
0
1
2
3
4
5
6
minus1
times106
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 12 (a) Normal traffic of NRN in NAD-APG method (b) Abnormal patterns of NRN in NAD-APG
Table 1 Rank of low-rank matrix in the decomposition of NAD-APG method for attacks detection
Different sampling data Data items Rank (sampling data) Rank (low-rank matrix)Normal traffic 97378 38 10Normal traffic + Probe 97778 38 4500 Normal traffic + 100 R2L traffic 600 36 4Normal traffic + 100 R2L traffic 97478 38 4
To further demonstrate the advantages of our proposedscheme in small sampling data we randomly choose 500normal data items and 100 R2L attacks traffic as our testdata set (here we term this data set as NR) R2L attacksalways reveal the unauthorized local access from a remotemachine Moreover the data values in R2L attacks are alwaysmuch larger than the common data traffic Therefore wecan find that the fluctuation in the scale of the data valuesoccurs fromFigure 9 Figures 10 and 11 represent the details ofthe normal and abnormal traffic matrices obtained from thetwo different decomposition algorithms where the residualmatrix in PCA is still confusing Therefore it is very difficultfor network analysts to find the R2L attacks pattern fromit On the contrary the attack pattern can apparently befound from the sparse matrix as shown in Figure 11(b) Evensometimes the real network traffic data are polluted by thenoise (here we term this data set as NRN) especially theGaussian white noise the NAD-APG method can separatethe normal and R2L attack patterns apparently Figures 12(a)and 12(b) reveal the different patterns hidden in the networktraffic respectively
To sum up the experiments implemented above showthat the low-rank matrix represents the normal traffic andthe sparse matrix can always reveal the patterns of differentattacks when we use our proposed NAD-APG scheme todetect anomalies Table 1 describes the different ranks of thenormal traffic matrix in detecting different attacks There isno doubt that the low-rank matrices in processing different
sampling data have much lower ranks than the original onesHowever the rank of low-rank matrix is ten when we dealwith the pure normal network traffic which may be causedby the pure type of data
5 Conclusion
This paper introduced a new decomposition model forpacket-level network traffic data no matter whether it waspolluted by large-scale anomalies and noise or not We pre-sented the iterative algorithm based on accelerated proximalgradientmethod whichwas termed asNAD-APGMoreoverwe designed a prototype system for network anomaliesdetection such as Probe and R2L attacks and so on Theexperiments have shown that our approach is effective inrevealing the patterns of network traffic data and detectingattacks from a variety of networking patterns In additionthe experiments have demonstrated the robustness of thealgorithm as well when the network traffic is polluted by thelarge volume anomalies and noise
Though it is effective in detecting the attacks fromthe large-volume network traffic it is difficult to classifythe abnormal activities Therefore leveraging some featureselection and classification methods to our approaches toenhance the efficiency of intrusion detection is considered asour near future work On the other hand we will do moreresearches on APG algorithm itself and make our methodmore powerful and practical
10 Discrete Dynamics in Nature and Society
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National NaturalScience Foundation of China (no 11171252 and no 61202379)and theDoctoral Fund ofMinistry of Education of China (no20120032120041)
References
[1] C Fraleigh S Moon B Lyles et al ldquoPacket-level trafficmeasurements from the sprint IP backbonerdquo IEEENetwork vol17 no 6 pp 6ndash16 2003
[2] ZWang K Hu K Xu B Yin and X Dong ldquoStructural analysisof network traffic matrix via relaxed principal componentpursuitrdquoComputer Networks vol 56 no 7 pp 2049ndash2067 2012
[3] W Wang D Lu X Zhou B Zhang and J Mu ldquoStatisticalwavelet-based anomaly detection in big data with compressivesensingrdquo EURASIP Journal on Wireless Communications ampNetworking vol 2013 no 1 article 269 pp 1ndash6 2013
[4] L Nie D Jiang and L Guo ldquoA power laws-based reconstruc-tion approach to end-to-endnetwork trafficrdquo Journal of Networkand Computer Applications vol 36 no 2 pp 898ndash907 2012
[5] M Mardani G Mateos and G B Giannakis ldquoUnveilinganomalies in large-scale networks via sparsity and low rankrdquoin Proceedings of the Conference Record of the 45th AsilomarConference on Signals Systems and Computers (ASILOMAR rsquo11)pp 403ndash407 November 2011
[6] G Vigna and R A Kemmerer ldquoNetSTAT a network-basedintrusion detection approachrdquo in Proceedings of the 14th AnnualComputer Security Applications Conference pp 25ndash34 1998
[7] A Hassanzadeh and B Sadeghian ldquoIntrusion detection withdata correlation relation graphrdquo in Proceedings of the 3rdInternational Conference on Availability Security and Reliability(ARES rsquo08) pp 982ndash989 March 2008
[8] A Lakhina K Papagiannaki M Crovella C Diot E DKolaczyk and N Taft ldquoStructural analysis of network trafficflowsrdquoACMSIGMETRICS Performance Evaluation Review vol32 no 1 pp 61ndash72 2004
[9] A Lakhina M Crovella and C Diot ldquoDiagnosing network-wide traffic anomaliesrdquo ACM SIGCOMM Computer Communi-cation Review vol 34 no 4 pp 219ndash230 2004
[10] L Huang M I Jordan A Joseph M Garofalakis and NTaft ldquoIn-network PCA and anomaly detectionrdquo in Advances inNeural Information Processing Systems pp 617ndash624 2006
[11] Y Zhang Z Ge A Greenberg and M Roughan ldquoNetworkanomographyrdquo in Proceedings of the 5th ACM SIGCOMMConference on Internet Measurement (IMC rsquo05) p 30 2005
[12] A Soule A Lakhina N Taft et al ldquoTraffic matrices balancingmeasurements inference and modelingrdquo ACM SIGMETRICSPerformance Evaluation Review vol 33 no 1 pp 362ndash373 2005
[13] H Ringberg A Soule J Rexford and C Diot ldquoSensitivityof PCA for traffic anomaly detectionrdquo ACM SIGMETRICSPerformance Evaluation Review vol 35 no 1 pp 109ndash120 2007
[14] K-C Toh and S Yun ldquoAn accelerated proximal gradientalgorithm for nuclear norm regularized linear least squares
problemsrdquo Pacific Journal of Optimization vol 6 no 3 pp 615ndash640 2010
[15] H Yao D Zhang J Ye X Li and X He ldquoFast and accuratematrix completion via truncated nuclear norm regularizationrdquoIEEE Transactions on Pattern Analysis andMachine Intelligencevol 35 no 9 pp 2117ndash2130 2013
[16] A Ganesh Z Lin J Wright L Wu M Chen and Y MaldquoFast algorithms for recovering a corrupted low-rank matrixrdquoin Proceedings of the 2009 3rd IEEE International Workshop onComputational Advances in Multi-Sensor Adaptive Processing(CAMSAP rsquo09) pp 213ndash216 December 2009
[17] J Wright A Ganesh S Rao Y Peng and Y Ma ldquoRobustprincipal component analysis exact recovery of corrupted low-rank matrices by convex optimizationrdquo in Proceedings of theNeural Information Processing Systems 2009
[18] R He W S Zheng T Tan and Z Sun ldquoHalf-quadratic basediterative minimization for robust sparse representationrdquo IEEETransactions on Pattern Analysis and Machine Intelligence vol36 no 2 pp 261ndash275 2014
[19] A Beck and M Teboulle ldquoA fast iterative shrinkage-thresholding algorithm for linear inverse problemsrdquo SIAMJournal on Imaging Sciences vol 2 no 1 pp 183ndash202 2009
[20] Y-F Li Y-J Zhang and Z-H Huang ldquoA reweighted nuclearnorm minimization algorithm for low rank matrix recoveryrdquoJournal of Computational andAppliedMathematics vol 263 pp338ndash350 2014
[21] M Zhang Z-H Huang and Y Zhang ldquoRestricted 119901-isometryproperties of nonconvexmatrix recoveryrdquo IEEE Transactions onInformation Theory vol 59 no 7 pp 4316ndash4323 2013
[22] C-F Tsai Y-F Hsu C-Y Lin and W-Y Lin ldquoIntrusiondetection by machine learning a reviewrdquo Expert Systems withApplications vol 36 no 10 pp 11994ndash12000 2009
[23] S Mukkamala A H Sung and A Abraham ldquoIntrusiondetection using an ensemble of intelligent paradigmsrdquo Journalof Network and Computer Applications vol 28 no 2 pp 167ndash182 2005
[24] A Mitrokotsa M Tsagkaris and C Douligeris ldquoIntrusiondetection in mobile Ad Hoc Networks using classificationalgorithmsrdquo IFIP International Federation for Information Pro-cessing vol 265 pp 133ndash144 2008
[25] F Amiri M Rezaei Yousefi C Lucas A Shakery and NYazdani ldquoMutual information-based feature selection for intru-sion detection systemsrdquo Journal of Network and ComputerApplications vol 34 no 4 pp 1184ndash1199 2011
[26] K Labib andV RVemuri ldquoDetecting and visualizing denial-of-service and network probe attacks using principal componentanalysisrdquo in Proceedings of 3rd Conference on Security andNetwork Architectures (SAR rsquo04) La Londe France June 2004
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
8 Discrete Dynamics in Nature and Society
InputNetwork traffic matrix119883 isin R119898times119899 120582 and tolerance 120576Initialize 119860
0larr 0 119864
0larr 0 119905
0larr 1
RepeatStep 1 Update 119860
119896+1 119864119896+1
as 119860119896+1
= S1205832(119884119860
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2)) and 119864
119896+1= S1205832(119884119864
119896+ ((119883 minus 119884
119860
119896minus 119884119864
119896)2))
Step 2 Let 119905119896+1
= (1 + radic1 + 41199052
119896)2
Step 3 Update 119884119860119896+1
and 119884119864119896+1
119884119860119896+1
= 119860119896+1+ ((119905119896minus 1)(119905
119896+1))(119860119896+1minus 119860119896) 119884119864119896+1
= 119864119896+1+ ((119905119896minus 1) (119905
119896+1))(119864119896+1minus 119864119896)
Until 119860119896+1minus 119860119896 le 120576 119864
119896+1minus 119864119896 le 120576 119860 larr 119860
119896+1 119864 larr 119864
119896+1
Analyze normal traffic pattern matrix 119860 abnormal traffic matrix 119864Output Is there any abnormal activity or not in the whole traffic
Algorithm 1 Anomaly detection using APG
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 600
0
100
200
300
400
500
600
700
minus100
(b)
Figure 10 (a) Principal components of NR data in PCA (b) Residual matrix of NR data in PCA
0 100 200 300 400 500 600
0
1
2
3
4
5
6times10
6
minus1
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 11 (a) Normal traffic of NR in NAD-APG method (b) Abnormal patterns of NR in NAD-APG
Discrete Dynamics in Nature and Society 9
0 100 200 300 400 500 600
0
1
2
3
4
5
6
minus1
times106
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 12 (a) Normal traffic of NRN in NAD-APG method (b) Abnormal patterns of NRN in NAD-APG
Table 1 Rank of low-rank matrix in the decomposition of NAD-APG method for attacks detection
Different sampling data Data items Rank (sampling data) Rank (low-rank matrix)Normal traffic 97378 38 10Normal traffic + Probe 97778 38 4500 Normal traffic + 100 R2L traffic 600 36 4Normal traffic + 100 R2L traffic 97478 38 4
To further demonstrate the advantages of our proposedscheme in small sampling data we randomly choose 500normal data items and 100 R2L attacks traffic as our testdata set (here we term this data set as NR) R2L attacksalways reveal the unauthorized local access from a remotemachine Moreover the data values in R2L attacks are alwaysmuch larger than the common data traffic Therefore wecan find that the fluctuation in the scale of the data valuesoccurs fromFigure 9 Figures 10 and 11 represent the details ofthe normal and abnormal traffic matrices obtained from thetwo different decomposition algorithms where the residualmatrix in PCA is still confusing Therefore it is very difficultfor network analysts to find the R2L attacks pattern fromit On the contrary the attack pattern can apparently befound from the sparse matrix as shown in Figure 11(b) Evensometimes the real network traffic data are polluted by thenoise (here we term this data set as NRN) especially theGaussian white noise the NAD-APG method can separatethe normal and R2L attack patterns apparently Figures 12(a)and 12(b) reveal the different patterns hidden in the networktraffic respectively
To sum up the experiments implemented above showthat the low-rank matrix represents the normal traffic andthe sparse matrix can always reveal the patterns of differentattacks when we use our proposed NAD-APG scheme todetect anomalies Table 1 describes the different ranks of thenormal traffic matrix in detecting different attacks There isno doubt that the low-rank matrices in processing different
sampling data have much lower ranks than the original onesHowever the rank of low-rank matrix is ten when we dealwith the pure normal network traffic which may be causedby the pure type of data
5 Conclusion
This paper introduced a new decomposition model forpacket-level network traffic data no matter whether it waspolluted by large-scale anomalies and noise or not We pre-sented the iterative algorithm based on accelerated proximalgradientmethod whichwas termed asNAD-APGMoreoverwe designed a prototype system for network anomaliesdetection such as Probe and R2L attacks and so on Theexperiments have shown that our approach is effective inrevealing the patterns of network traffic data and detectingattacks from a variety of networking patterns In additionthe experiments have demonstrated the robustness of thealgorithm as well when the network traffic is polluted by thelarge volume anomalies and noise
Though it is effective in detecting the attacks fromthe large-volume network traffic it is difficult to classifythe abnormal activities Therefore leveraging some featureselection and classification methods to our approaches toenhance the efficiency of intrusion detection is considered asour near future work On the other hand we will do moreresearches on APG algorithm itself and make our methodmore powerful and practical
10 Discrete Dynamics in Nature and Society
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National NaturalScience Foundation of China (no 11171252 and no 61202379)and theDoctoral Fund ofMinistry of Education of China (no20120032120041)
References
[1] C Fraleigh S Moon B Lyles et al ldquoPacket-level trafficmeasurements from the sprint IP backbonerdquo IEEENetwork vol17 no 6 pp 6ndash16 2003
[2] ZWang K Hu K Xu B Yin and X Dong ldquoStructural analysisof network traffic matrix via relaxed principal componentpursuitrdquoComputer Networks vol 56 no 7 pp 2049ndash2067 2012
[3] W Wang D Lu X Zhou B Zhang and J Mu ldquoStatisticalwavelet-based anomaly detection in big data with compressivesensingrdquo EURASIP Journal on Wireless Communications ampNetworking vol 2013 no 1 article 269 pp 1ndash6 2013
[4] L Nie D Jiang and L Guo ldquoA power laws-based reconstruc-tion approach to end-to-endnetwork trafficrdquo Journal of Networkand Computer Applications vol 36 no 2 pp 898ndash907 2012
[5] M Mardani G Mateos and G B Giannakis ldquoUnveilinganomalies in large-scale networks via sparsity and low rankrdquoin Proceedings of the Conference Record of the 45th AsilomarConference on Signals Systems and Computers (ASILOMAR rsquo11)pp 403ndash407 November 2011
[6] G Vigna and R A Kemmerer ldquoNetSTAT a network-basedintrusion detection approachrdquo in Proceedings of the 14th AnnualComputer Security Applications Conference pp 25ndash34 1998
[7] A Hassanzadeh and B Sadeghian ldquoIntrusion detection withdata correlation relation graphrdquo in Proceedings of the 3rdInternational Conference on Availability Security and Reliability(ARES rsquo08) pp 982ndash989 March 2008
[8] A Lakhina K Papagiannaki M Crovella C Diot E DKolaczyk and N Taft ldquoStructural analysis of network trafficflowsrdquoACMSIGMETRICS Performance Evaluation Review vol32 no 1 pp 61ndash72 2004
[9] A Lakhina M Crovella and C Diot ldquoDiagnosing network-wide traffic anomaliesrdquo ACM SIGCOMM Computer Communi-cation Review vol 34 no 4 pp 219ndash230 2004
[10] L Huang M I Jordan A Joseph M Garofalakis and NTaft ldquoIn-network PCA and anomaly detectionrdquo in Advances inNeural Information Processing Systems pp 617ndash624 2006
[11] Y Zhang Z Ge A Greenberg and M Roughan ldquoNetworkanomographyrdquo in Proceedings of the 5th ACM SIGCOMMConference on Internet Measurement (IMC rsquo05) p 30 2005
[12] A Soule A Lakhina N Taft et al ldquoTraffic matrices balancingmeasurements inference and modelingrdquo ACM SIGMETRICSPerformance Evaluation Review vol 33 no 1 pp 362ndash373 2005
[13] H Ringberg A Soule J Rexford and C Diot ldquoSensitivityof PCA for traffic anomaly detectionrdquo ACM SIGMETRICSPerformance Evaluation Review vol 35 no 1 pp 109ndash120 2007
[14] K-C Toh and S Yun ldquoAn accelerated proximal gradientalgorithm for nuclear norm regularized linear least squares
problemsrdquo Pacific Journal of Optimization vol 6 no 3 pp 615ndash640 2010
[15] H Yao D Zhang J Ye X Li and X He ldquoFast and accuratematrix completion via truncated nuclear norm regularizationrdquoIEEE Transactions on Pattern Analysis andMachine Intelligencevol 35 no 9 pp 2117ndash2130 2013
[16] A Ganesh Z Lin J Wright L Wu M Chen and Y MaldquoFast algorithms for recovering a corrupted low-rank matrixrdquoin Proceedings of the 2009 3rd IEEE International Workshop onComputational Advances in Multi-Sensor Adaptive Processing(CAMSAP rsquo09) pp 213ndash216 December 2009
[17] J Wright A Ganesh S Rao Y Peng and Y Ma ldquoRobustprincipal component analysis exact recovery of corrupted low-rank matrices by convex optimizationrdquo in Proceedings of theNeural Information Processing Systems 2009
[18] R He W S Zheng T Tan and Z Sun ldquoHalf-quadratic basediterative minimization for robust sparse representationrdquo IEEETransactions on Pattern Analysis and Machine Intelligence vol36 no 2 pp 261ndash275 2014
[19] A Beck and M Teboulle ldquoA fast iterative shrinkage-thresholding algorithm for linear inverse problemsrdquo SIAMJournal on Imaging Sciences vol 2 no 1 pp 183ndash202 2009
[20] Y-F Li Y-J Zhang and Z-H Huang ldquoA reweighted nuclearnorm minimization algorithm for low rank matrix recoveryrdquoJournal of Computational andAppliedMathematics vol 263 pp338ndash350 2014
[21] M Zhang Z-H Huang and Y Zhang ldquoRestricted 119901-isometryproperties of nonconvexmatrix recoveryrdquo IEEE Transactions onInformation Theory vol 59 no 7 pp 4316ndash4323 2013
[22] C-F Tsai Y-F Hsu C-Y Lin and W-Y Lin ldquoIntrusiondetection by machine learning a reviewrdquo Expert Systems withApplications vol 36 no 10 pp 11994ndash12000 2009
[23] S Mukkamala A H Sung and A Abraham ldquoIntrusiondetection using an ensemble of intelligent paradigmsrdquo Journalof Network and Computer Applications vol 28 no 2 pp 167ndash182 2005
[24] A Mitrokotsa M Tsagkaris and C Douligeris ldquoIntrusiondetection in mobile Ad Hoc Networks using classificationalgorithmsrdquo IFIP International Federation for Information Pro-cessing vol 265 pp 133ndash144 2008
[25] F Amiri M Rezaei Yousefi C Lucas A Shakery and NYazdani ldquoMutual information-based feature selection for intru-sion detection systemsrdquo Journal of Network and ComputerApplications vol 34 no 4 pp 1184ndash1199 2011
[26] K Labib andV RVemuri ldquoDetecting and visualizing denial-of-service and network probe attacks using principal componentanalysisrdquo in Proceedings of 3rd Conference on Security andNetwork Architectures (SAR rsquo04) La Londe France June 2004
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Discrete Dynamics in Nature and Society 9
0 100 200 300 400 500 600
0
1
2
3
4
5
6
minus1
times106
(a)
0 100 200 300 400 500 6000
05
1
15
2
25
3
35
4
(b)
Figure 12 (a) Normal traffic of NRN in NAD-APG method (b) Abnormal patterns of NRN in NAD-APG
Table 1 Rank of low-rank matrix in the decomposition of NAD-APG method for attacks detection
Different sampling data Data items Rank (sampling data) Rank (low-rank matrix)Normal traffic 97378 38 10Normal traffic + Probe 97778 38 4500 Normal traffic + 100 R2L traffic 600 36 4Normal traffic + 100 R2L traffic 97478 38 4
To further demonstrate the advantages of our proposedscheme in small sampling data we randomly choose 500normal data items and 100 R2L attacks traffic as our testdata set (here we term this data set as NR) R2L attacksalways reveal the unauthorized local access from a remotemachine Moreover the data values in R2L attacks are alwaysmuch larger than the common data traffic Therefore wecan find that the fluctuation in the scale of the data valuesoccurs fromFigure 9 Figures 10 and 11 represent the details ofthe normal and abnormal traffic matrices obtained from thetwo different decomposition algorithms where the residualmatrix in PCA is still confusing Therefore it is very difficultfor network analysts to find the R2L attacks pattern fromit On the contrary the attack pattern can apparently befound from the sparse matrix as shown in Figure 11(b) Evensometimes the real network traffic data are polluted by thenoise (here we term this data set as NRN) especially theGaussian white noise the NAD-APG method can separatethe normal and R2L attack patterns apparently Figures 12(a)and 12(b) reveal the different patterns hidden in the networktraffic respectively
To sum up the experiments implemented above showthat the low-rank matrix represents the normal traffic andthe sparse matrix can always reveal the patterns of differentattacks when we use our proposed NAD-APG scheme todetect anomalies Table 1 describes the different ranks of thenormal traffic matrix in detecting different attacks There isno doubt that the low-rank matrices in processing different
sampling data have much lower ranks than the original onesHowever the rank of low-rank matrix is ten when we dealwith the pure normal network traffic which may be causedby the pure type of data
5 Conclusion
This paper introduced a new decomposition model forpacket-level network traffic data no matter whether it waspolluted by large-scale anomalies and noise or not We pre-sented the iterative algorithm based on accelerated proximalgradientmethod whichwas termed asNAD-APGMoreoverwe designed a prototype system for network anomaliesdetection such as Probe and R2L attacks and so on Theexperiments have shown that our approach is effective inrevealing the patterns of network traffic data and detectingattacks from a variety of networking patterns In additionthe experiments have demonstrated the robustness of thealgorithm as well when the network traffic is polluted by thelarge volume anomalies and noise
Though it is effective in detecting the attacks fromthe large-volume network traffic it is difficult to classifythe abnormal activities Therefore leveraging some featureselection and classification methods to our approaches toenhance the efficiency of intrusion detection is considered asour near future work On the other hand we will do moreresearches on APG algorithm itself and make our methodmore powerful and practical
10 Discrete Dynamics in Nature and Society
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National NaturalScience Foundation of China (no 11171252 and no 61202379)and theDoctoral Fund ofMinistry of Education of China (no20120032120041)
References
[1] C Fraleigh S Moon B Lyles et al ldquoPacket-level trafficmeasurements from the sprint IP backbonerdquo IEEENetwork vol17 no 6 pp 6ndash16 2003
[2] ZWang K Hu K Xu B Yin and X Dong ldquoStructural analysisof network traffic matrix via relaxed principal componentpursuitrdquoComputer Networks vol 56 no 7 pp 2049ndash2067 2012
[3] W Wang D Lu X Zhou B Zhang and J Mu ldquoStatisticalwavelet-based anomaly detection in big data with compressivesensingrdquo EURASIP Journal on Wireless Communications ampNetworking vol 2013 no 1 article 269 pp 1ndash6 2013
[4] L Nie D Jiang and L Guo ldquoA power laws-based reconstruc-tion approach to end-to-endnetwork trafficrdquo Journal of Networkand Computer Applications vol 36 no 2 pp 898ndash907 2012
[5] M Mardani G Mateos and G B Giannakis ldquoUnveilinganomalies in large-scale networks via sparsity and low rankrdquoin Proceedings of the Conference Record of the 45th AsilomarConference on Signals Systems and Computers (ASILOMAR rsquo11)pp 403ndash407 November 2011
[6] G Vigna and R A Kemmerer ldquoNetSTAT a network-basedintrusion detection approachrdquo in Proceedings of the 14th AnnualComputer Security Applications Conference pp 25ndash34 1998
[7] A Hassanzadeh and B Sadeghian ldquoIntrusion detection withdata correlation relation graphrdquo in Proceedings of the 3rdInternational Conference on Availability Security and Reliability(ARES rsquo08) pp 982ndash989 March 2008
[8] A Lakhina K Papagiannaki M Crovella C Diot E DKolaczyk and N Taft ldquoStructural analysis of network trafficflowsrdquoACMSIGMETRICS Performance Evaluation Review vol32 no 1 pp 61ndash72 2004
[9] A Lakhina M Crovella and C Diot ldquoDiagnosing network-wide traffic anomaliesrdquo ACM SIGCOMM Computer Communi-cation Review vol 34 no 4 pp 219ndash230 2004
[10] L Huang M I Jordan A Joseph M Garofalakis and NTaft ldquoIn-network PCA and anomaly detectionrdquo in Advances inNeural Information Processing Systems pp 617ndash624 2006
[11] Y Zhang Z Ge A Greenberg and M Roughan ldquoNetworkanomographyrdquo in Proceedings of the 5th ACM SIGCOMMConference on Internet Measurement (IMC rsquo05) p 30 2005
[12] A Soule A Lakhina N Taft et al ldquoTraffic matrices balancingmeasurements inference and modelingrdquo ACM SIGMETRICSPerformance Evaluation Review vol 33 no 1 pp 362ndash373 2005
[13] H Ringberg A Soule J Rexford and C Diot ldquoSensitivityof PCA for traffic anomaly detectionrdquo ACM SIGMETRICSPerformance Evaluation Review vol 35 no 1 pp 109ndash120 2007
[14] K-C Toh and S Yun ldquoAn accelerated proximal gradientalgorithm for nuclear norm regularized linear least squares
problemsrdquo Pacific Journal of Optimization vol 6 no 3 pp 615ndash640 2010
[15] H Yao D Zhang J Ye X Li and X He ldquoFast and accuratematrix completion via truncated nuclear norm regularizationrdquoIEEE Transactions on Pattern Analysis andMachine Intelligencevol 35 no 9 pp 2117ndash2130 2013
[16] A Ganesh Z Lin J Wright L Wu M Chen and Y MaldquoFast algorithms for recovering a corrupted low-rank matrixrdquoin Proceedings of the 2009 3rd IEEE International Workshop onComputational Advances in Multi-Sensor Adaptive Processing(CAMSAP rsquo09) pp 213ndash216 December 2009
[17] J Wright A Ganesh S Rao Y Peng and Y Ma ldquoRobustprincipal component analysis exact recovery of corrupted low-rank matrices by convex optimizationrdquo in Proceedings of theNeural Information Processing Systems 2009
[18] R He W S Zheng T Tan and Z Sun ldquoHalf-quadratic basediterative minimization for robust sparse representationrdquo IEEETransactions on Pattern Analysis and Machine Intelligence vol36 no 2 pp 261ndash275 2014
[19] A Beck and M Teboulle ldquoA fast iterative shrinkage-thresholding algorithm for linear inverse problemsrdquo SIAMJournal on Imaging Sciences vol 2 no 1 pp 183ndash202 2009
[20] Y-F Li Y-J Zhang and Z-H Huang ldquoA reweighted nuclearnorm minimization algorithm for low rank matrix recoveryrdquoJournal of Computational andAppliedMathematics vol 263 pp338ndash350 2014
[21] M Zhang Z-H Huang and Y Zhang ldquoRestricted 119901-isometryproperties of nonconvexmatrix recoveryrdquo IEEE Transactions onInformation Theory vol 59 no 7 pp 4316ndash4323 2013
[22] C-F Tsai Y-F Hsu C-Y Lin and W-Y Lin ldquoIntrusiondetection by machine learning a reviewrdquo Expert Systems withApplications vol 36 no 10 pp 11994ndash12000 2009
[23] S Mukkamala A H Sung and A Abraham ldquoIntrusiondetection using an ensemble of intelligent paradigmsrdquo Journalof Network and Computer Applications vol 28 no 2 pp 167ndash182 2005
[24] A Mitrokotsa M Tsagkaris and C Douligeris ldquoIntrusiondetection in mobile Ad Hoc Networks using classificationalgorithmsrdquo IFIP International Federation for Information Pro-cessing vol 265 pp 133ndash144 2008
[25] F Amiri M Rezaei Yousefi C Lucas A Shakery and NYazdani ldquoMutual information-based feature selection for intru-sion detection systemsrdquo Journal of Network and ComputerApplications vol 34 no 4 pp 1184ndash1199 2011
[26] K Labib andV RVemuri ldquoDetecting and visualizing denial-of-service and network probe attacks using principal componentanalysisrdquo in Proceedings of 3rd Conference on Security andNetwork Architectures (SAR rsquo04) La Londe France June 2004
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
10 Discrete Dynamics in Nature and Society
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National NaturalScience Foundation of China (no 11171252 and no 61202379)and theDoctoral Fund ofMinistry of Education of China (no20120032120041)
References
[1] C Fraleigh S Moon B Lyles et al ldquoPacket-level trafficmeasurements from the sprint IP backbonerdquo IEEENetwork vol17 no 6 pp 6ndash16 2003
[2] ZWang K Hu K Xu B Yin and X Dong ldquoStructural analysisof network traffic matrix via relaxed principal componentpursuitrdquoComputer Networks vol 56 no 7 pp 2049ndash2067 2012
[3] W Wang D Lu X Zhou B Zhang and J Mu ldquoStatisticalwavelet-based anomaly detection in big data with compressivesensingrdquo EURASIP Journal on Wireless Communications ampNetworking vol 2013 no 1 article 269 pp 1ndash6 2013
[4] L Nie D Jiang and L Guo ldquoA power laws-based reconstruc-tion approach to end-to-endnetwork trafficrdquo Journal of Networkand Computer Applications vol 36 no 2 pp 898ndash907 2012
[5] M Mardani G Mateos and G B Giannakis ldquoUnveilinganomalies in large-scale networks via sparsity and low rankrdquoin Proceedings of the Conference Record of the 45th AsilomarConference on Signals Systems and Computers (ASILOMAR rsquo11)pp 403ndash407 November 2011
[6] G Vigna and R A Kemmerer ldquoNetSTAT a network-basedintrusion detection approachrdquo in Proceedings of the 14th AnnualComputer Security Applications Conference pp 25ndash34 1998
[7] A Hassanzadeh and B Sadeghian ldquoIntrusion detection withdata correlation relation graphrdquo in Proceedings of the 3rdInternational Conference on Availability Security and Reliability(ARES rsquo08) pp 982ndash989 March 2008
[8] A Lakhina K Papagiannaki M Crovella C Diot E DKolaczyk and N Taft ldquoStructural analysis of network trafficflowsrdquoACMSIGMETRICS Performance Evaluation Review vol32 no 1 pp 61ndash72 2004
[9] A Lakhina M Crovella and C Diot ldquoDiagnosing network-wide traffic anomaliesrdquo ACM SIGCOMM Computer Communi-cation Review vol 34 no 4 pp 219ndash230 2004
[10] L Huang M I Jordan A Joseph M Garofalakis and NTaft ldquoIn-network PCA and anomaly detectionrdquo in Advances inNeural Information Processing Systems pp 617ndash624 2006
[11] Y Zhang Z Ge A Greenberg and M Roughan ldquoNetworkanomographyrdquo in Proceedings of the 5th ACM SIGCOMMConference on Internet Measurement (IMC rsquo05) p 30 2005
[12] A Soule A Lakhina N Taft et al ldquoTraffic matrices balancingmeasurements inference and modelingrdquo ACM SIGMETRICSPerformance Evaluation Review vol 33 no 1 pp 362ndash373 2005
[13] H Ringberg A Soule J Rexford and C Diot ldquoSensitivityof PCA for traffic anomaly detectionrdquo ACM SIGMETRICSPerformance Evaluation Review vol 35 no 1 pp 109ndash120 2007
[14] K-C Toh and S Yun ldquoAn accelerated proximal gradientalgorithm for nuclear norm regularized linear least squares
problemsrdquo Pacific Journal of Optimization vol 6 no 3 pp 615ndash640 2010
[15] H Yao D Zhang J Ye X Li and X He ldquoFast and accuratematrix completion via truncated nuclear norm regularizationrdquoIEEE Transactions on Pattern Analysis andMachine Intelligencevol 35 no 9 pp 2117ndash2130 2013
[16] A Ganesh Z Lin J Wright L Wu M Chen and Y MaldquoFast algorithms for recovering a corrupted low-rank matrixrdquoin Proceedings of the 2009 3rd IEEE International Workshop onComputational Advances in Multi-Sensor Adaptive Processing(CAMSAP rsquo09) pp 213ndash216 December 2009
[17] J Wright A Ganesh S Rao Y Peng and Y Ma ldquoRobustprincipal component analysis exact recovery of corrupted low-rank matrices by convex optimizationrdquo in Proceedings of theNeural Information Processing Systems 2009
[18] R He W S Zheng T Tan and Z Sun ldquoHalf-quadratic basediterative minimization for robust sparse representationrdquo IEEETransactions on Pattern Analysis and Machine Intelligence vol36 no 2 pp 261ndash275 2014
[19] A Beck and M Teboulle ldquoA fast iterative shrinkage-thresholding algorithm for linear inverse problemsrdquo SIAMJournal on Imaging Sciences vol 2 no 1 pp 183ndash202 2009
[20] Y-F Li Y-J Zhang and Z-H Huang ldquoA reweighted nuclearnorm minimization algorithm for low rank matrix recoveryrdquoJournal of Computational andAppliedMathematics vol 263 pp338ndash350 2014
[21] M Zhang Z-H Huang and Y Zhang ldquoRestricted 119901-isometryproperties of nonconvexmatrix recoveryrdquo IEEE Transactions onInformation Theory vol 59 no 7 pp 4316ndash4323 2013
[22] C-F Tsai Y-F Hsu C-Y Lin and W-Y Lin ldquoIntrusiondetection by machine learning a reviewrdquo Expert Systems withApplications vol 36 no 10 pp 11994ndash12000 2009
[23] S Mukkamala A H Sung and A Abraham ldquoIntrusiondetection using an ensemble of intelligent paradigmsrdquo Journalof Network and Computer Applications vol 28 no 2 pp 167ndash182 2005
[24] A Mitrokotsa M Tsagkaris and C Douligeris ldquoIntrusiondetection in mobile Ad Hoc Networks using classificationalgorithmsrdquo IFIP International Federation for Information Pro-cessing vol 265 pp 133ndash144 2008
[25] F Amiri M Rezaei Yousefi C Lucas A Shakery and NYazdani ldquoMutual information-based feature selection for intru-sion detection systemsrdquo Journal of Network and ComputerApplications vol 34 no 4 pp 1184ndash1199 2011
[26] K Labib andV RVemuri ldquoDetecting and visualizing denial-of-service and network probe attacks using principal componentanalysisrdquo in Proceedings of 3rd Conference on Security andNetwork Architectures (SAR rsquo04) La Londe France June 2004
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
