Ling Huang, Xuanlong Nguyen, Minos Garofalakis, Michael Jordan, Anthony D. Joseph and Nina Taft

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2006-99

July 14, 2006

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2006/EECS-2006-99.pdf

We consider the problem of network anomaly detection given the data collected and processed over large distributed systems. Our algorithmic framework can be seen as an approximate, distributed version of the well-known Principal Component Analysis (PCA) method, which is concerned with continuously tracking the behavior of the data projected onto the residual subspace of the principal components within error bound guarantees. Our approach consists of a protocol for local processing at individual monitoring devices, and global decision-making and monitoring feedback at a coordinator. A key ingredient of our framework is an analytical method based on stochastic matrix perturbation theory for balancing the tradeoff between the accuracy of our approximate network anomaly detection, and the amount of data communication over the network.


BibTeX citation:

@techreport{Huang:EECS-2006-99,
    Author= {Huang, Ling and Nguyen, Xuanlong and Garofalakis, Minos and Jordan, Michael and Joseph, Anthony D. and Taft, Nina},
    Title= {Distributed PCA and Network Anomaly Detection},
    Year= {2006},
    Month= {Jul},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2006/EECS-2006-99.html},
    Number= {UCB/EECS-2006-99},
    Abstract= {We consider the problem of network anomaly detection given
the data collected and processed over large distributed systems.
Our algorithmic framework can be seen as an approximate, 
distributed version of the well-known Principal Component Analysis (PCA)
method, which is concerned with continuously tracking the behavior 
of the data projected onto the residual subspace of the principal 
components within error bound guarantees. 
Our approach consists of a protocol for local processing at 
individual monitoring devices, and global decision-making and 
monitoring feedback at a coordinator.
A key ingredient of our framework is an analytical
method based on stochastic matrix perturbation theory for
balancing the tradeoff between the accuracy of our approximate 
network anomaly detection, and the amount of data communication 
over the network.},
}

EndNote citation:

%0 Report
%A Huang, Ling 
%A Nguyen, Xuanlong 
%A Garofalakis, Minos 
%A Jordan, Michael 
%A Joseph, Anthony D. 
%A Taft, Nina 
%T Distributed PCA and Network Anomaly Detection
%I EECS Department, University of California, Berkeley
%D 2006
%8 July 14
%@ UCB/EECS-2006-99
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2006/EECS-2006-99.html
%F Huang:EECS-2006-99