Network Anomaly Detection based on Tensor Decomposition
This work addresses network anomaly detection for operators seeking privacy-preserving and computationally efficient alternatives to packet inspection methods.
The authors tackled the problem of detecting anomalies in network time series without packet inspection by proposing a tensor decomposition method that extracts a normal subspace from correlated metrics, achieving interpretable models and efficient online tracking of subspace changes using actual residential router data.
The problem of detecting anomalies in time series from network measurements has been widely studied and is a topic of fundamental importance. Many anomaly detection methods are based on packet inspection collected at the network core routers, with consequent disadvantages in terms of computational cost and privacy. We propose an alternative method in which packet header inspection is not needed. The method is based on the extraction of a normal subspace obtained by the tensor decomposition technique considering the correlation between different metrics. We propose a new approach for online tensor decomposition where changes in the normal subspace can be tracked efficiently. Another advantage of our proposal is the interpretability of the obtained models. The flexibility of the method is illustrated by applying it to two distinct examples, both using actual data collected on residential routers.