Title of invention: DETECTION OF ANOMALY IN NETWORK FLOW DATA
Abstract: Disclosed is a method 101 to be used on collected network data flow 116 associated with a network 100; the method 101 includes an anomaly-detection operation 103 including: (A) obtaining the collected network data flow 116; and (B) performing an iterative principal component analysis on the collected network data flow 116 to detect an anomaly associated with the collected network data flow 116. The method may be used in a server and a network, and may also be implemented as non-transitory computer-readable media. A corresponding system for detecting the anomaly in the network flow data is also provided.
Publication number: US2015341376(A1) Publication date: 2015.11.26
Application number: US201414287182 Filing date: 2014.05.26
Applicant: SOLANA NETWORKS INC. Inventors: NANDY Biswajit; SEDDIGH Nabil; MAKKAR Rupinder Singh; HALABIAN Hassan; LAMBADARIS Ioannis
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Main claim: 1. A method for detecting an anomaly in a network flow data, comprising: using a processor for:
(a) collecting a network flow data within a time interval divided into multiple time-bins, and generating network flow features from the collected network data flow for each time-bin;
(b) generating input network traffic matrix containing information for the network flow features for respective time-bins;
(c) generating a statistical matrix from the input traffic matrix;
(d) applying a principal component analysis to the statistical matrix to determine one or more principal components of the statistical matrix;
(e) determining an anomaly score for each time-bin using the principal components;
(f) identifying one or more time-bins of the input network traffic matrix having highest anomaly scores;
(g) determining mean values for network flow features across all time-bins, excluding the identified time-bins;
(h) replacing values of the network flow features in the identified time-bins with respective determined mean values of said network flow features to form a modified input network traffic matrix;
(i) replacing the input network traffic matrix with the modified input network traffic matrix, and repeating the steps (c) to (f).
Address: Ottawa CA
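Steps (b) to (i) of claim 1 as an added Python sketch, not code from the patent or its applicant; all function names are hypothetical and the input matrix is constructed. The claim fixes neither the statistical matrix nor the score, so this example assumes the correlation matrix of the features and the squared projection of each time-bin onto the first principal component.

```python
import math

def column_stats(X, skip=()):
    """Per-feature mean and std over time-bins, ignoring bins listed in skip."""
    cols = list(zip(*[r for t, r in enumerate(X) if t not in skip]))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return means, stds

def top_component(C, iters=200):
    """Dominant eigenvector of a symmetric matrix by power iteration."""
    v = [1.0 / math.sqrt(len(C))] * len(C)
    for _ in range(iters):
        w = [sum(a * b for a, b in zip(row, v)) for row in C]
        norm = math.sqrt(sum(x * x for x in w)) or 1.0
        v = [x / norm for x in w]
    return v

def score_bins(X):
    """Steps (c)-(e). Assumed: statistical matrix = correlation matrix of the
    features; score = squared projection of a bin on the first component."""
    means, stds = column_stats(X)
    Z = [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in X]
    cols = list(zip(*Z))
    C = [[sum(a * b for a, b in zip(ci, cj)) / len(Z) for cj in cols] for ci in cols]
    pc = top_component(C)
    return [sum(z * p for z, p in zip(r, pc)) ** 2 for r in Z]

def iterative_pca(X, rounds=2, top=1):
    """Steps (f)-(i): flag the highest-scoring bins, mean-fill them, repeat."""
    X = [list(r) for r in X]
    flagged = []
    for _ in range(rounds):
        scores = score_bins(X)
        worst = sorted(range(len(X)), key=scores.__getitem__, reverse=True)[:top]
        flagged.append(worst)
        # Step (g): feature means over the bins that were never flagged.
        means, _ = column_stats(X, skip={t for g in flagged for t in g})
        for t in worst:
            X[t] = list(means)                  # step (h)
    return flagged

def sample_matrix():
    """Constructed input: 20 time-bins x (flows, packets, kilobytes)."""
    X = [[100 + (3 * t) % 7 - 3, 1000 + 10 * ((5 * t) % 7 - 3),
          500 + 5 * ((2 * t) % 7 - 3)] for t in range(20)]
    X[7] = [v * 5 for v in X[7]]      # large spike
    X[15] = [v * 1.4 for v in X[15]]  # smaller spike, hidden until bin 7 is replaced
    return X
```

`iterative_pca(sample_matrix())` flags bin 7 in the first round and bin 15 only in the second, once the larger spike no longer inflates the feature means and variances.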