'Institute of Electrical and Electronics Engineers (IEEE)'
Doi
Abstract
Intrusion detection is a relevant layer of cybersecurity to prevent hacking and illegal activities
from happening on the assets of corporations. Anomaly-based Intrusion Detection Systems perform an
unsupervised analysis on data collected from the network and end systems, in order to identify singular
events. While this approach may produce many false alarms, it is also capable of identifying new (zeroday)
security threats. In this context, the use of multivariate approaches such as Principal Component
Analysis (PCA) provided promising results in the past. PCA can be used in exploratory mode or in learning
mode. Here, we propose an exploratory intrusion detection that replaces PCA with Group-wise PCA
(GPCA), a recently proposed data analysis technique with additional exploratory characteristics. A main
advantage of GPCA over PCA is that the former yields simple models, easy to understand by security
professionals not trained in multivariate tools. Besides, the workflow in the intrusion detection with GPCA
is more coherent with dominant strategies in intrusion detection. We illustrate the application of GPCA in
two case studies.This work was supported in part by the Spanish Government-MINECO (Ministerio de Economía y Competitividad), using the Fondo
Europeo de Desarrollo Regional (FEDER), under Projects TIN2014-60346-R and Project TIN2017-83494-R
