Group-Wise Principal Component Analysis for Exploratory Intrusion Detection
MetadataShow full item record
AuthorCamacho Páez, José; Therón, Roberto; García Giménez, José M.; Macía Fernández, Gabriel; Macía Fernández, Gabriel; García Teodoro, Pedro
IEEE-INST Electrical Electronics Engineers INC
Principal Component AnalysisGroup-wise principalComponent analysisAnomaly DetectionIntrusion Detection
Camacho, J., Therón, R., García-Giménez, J. M., Maciá-Fernández, G., & García-Teodoro, P. (2019). Group-wise principal component analysis for exploratory intrusion detection. IEEE Access, 7, 113081-113093. [doi:10.1109/ACCESS.2019.2935154]
Intrusion detection is a relevant layer of cybersecurity to prevent hacking and illegal activities from happening on the assets of corporations. Anomaly-based Intrusion Detection Systems perform an unsupervised analysis on data collected from the network and end systems, in order to identify singular events. While this approach may produce many false alarms, it is also capable of identifying new (zeroday) security threats. In this context, the use of multivariate approaches such as Principal Component Analysis (PCA) provided promising results in the past. PCA can be used in exploratory mode or in learning mode. Here, we propose an exploratory intrusion detection that replaces PCA with Group-wise PCA (GPCA), a recently proposed data analysis technique with additional exploratory characteristics. A main advantage of GPCA over PCA is that the former yields simple models, easy to understand by security professionals not trained in multivariate tools. Besides, the work ow in the intrusion detection with GPCA is more coherent with dominant strategies in intrusion detection. We illustrate the application of GPCA in two case studies.