P3CA: Private Anomaly Detection Across ISP Networks

  • Shishir Nagaraja
  • Virajith Jalaparti
  • Matthew Caesar
  • Nikita Borisov
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6794)


Detection of malicious traffic in the Internet would be much easier if ISP networks shared their traffic traces. Unfortunately, state-of-the-art anomaly detection algorithms require detailed traffic information which is considered extremely private by operators. To address this, we propose an algorithm that allows ISPs to cooperatively detect anomalies without requiring them to reveal private traffic information. We leverage secure multiparty computation to design a privacy-preserving variant of principal component analysis (PCA) that limits information propagation across domains. PCA is a well-proven technique for isolating anomalies on network traffic and we target a design that retains its scalability and accuracy. To validate our approach, we evaluate an implementation of our design against traces from the Abilene Internet2 IP backbone network as well as synthetic traces, show that it performs efficiently to support an online anomaly detection system and and conclude that privacy-preserving anomaly detection shows promise as a key element of a wider network anomaly detection framework. In the presence of increasingly serious threats from modern networked malware, our work provides a first step towards enabling larger-scale cooperation across ISPs in the presence of privacy concerns.


Principal Component Analysis Anomaly Detection Privacy Preserve Homomorphic Encryption Border Gateway Protocol 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
  3. 3.
    A Border Gateway Protocol 4 (BGP-4). RFC 4271Google Scholar
  4. 4.
    Private communication, employee of tier-1 ISP (2006)Google Scholar
  5. 5.
    Aggarwal, G., Mishra, N., Pinkas, B.: Secure computation of the kth-ranked element. In: Eurocyrpt (2004)Google Scholar
  6. 6.
    Beaver, D., Goldwasser, S.: Multiparty computation with faulty majority. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, Springer, Heidelberg (1990)Google Scholar
  7. 7.
    Chen, H., Cramer, R.: Algebraic geometric secret sharing schemes and secure multi-party computations over small fields. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 521–536. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  8. 8.
    Claise, B.: Cisco Systems NetFlow Services Export Version 9, RFC 3954 (October 2004)Google Scholar
  9. 9.
    Croux, C., Filzmoser, P., Oliveira, M.: Algorithms for projection-pursuit robust principal component analysis. In: Chemometrics and Intelligent Laboratory Systems (2007)Google Scholar
  10. 10.
    Croux, C., Haesbroeck, G.: Principal component analysis based on robust estimators of the covariance or correlation matrix: Influence functions and efficiencies. In: BIOMETRIKA (2000)Google Scholar
  11. 11.
    Damgård, I., Ishai, Y., Krøigaard, M., Nielsen, J.B., Smith, A.: Scalable multiparty computation with nearly optimal work and resilience. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 241–261. Springer, Heidelberg (2008)Google Scholar
  12. 12.
    Damgard, I., Jurik, M.: A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system. In: Public Key Cryptography, Springer, Heidelberg (2001)Google Scholar
  13. 13.
    Duan, Y., Youdao, N., Canny, J., Zhan, J.: P4P: Practical large-scale privacy-preserving distributed computation robust against malicious usersGoogle Scholar
  14. 14.
    Goldreich, O.: Secure multi-party computation. Theory of Cryptography Library (1999),
  15. 15.
    Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game. In: ACM Symposium on Theory of Computing (1987)Google Scholar
  16. 16.
    Goldwasser, S., Levin, L.: Fair computation of general functions in presence of immoral majority. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576. Springer, Heidelberg (1992)Google Scholar
  17. 17.
    Huang, Y., Feamster, N., Lakhina, A., Xu, J.: Diagnosing network disruptions with network-wide analysis. SIGMETRICS (2007)Google Scholar
  18. 18.
    Edward Jackson, J., Mudholkar, G.S.: Control procedures for residuals associated with principal component analysis. Technometrics 21, 341–349 (1979)zbMATHCrossRefGoogle Scholar
  19. 19.
    Kiltz, E., Mohassel, P., Weinreb, E., Franklin, M.K.: Secure linear algebra using linearly recurrent sequences. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 291–310. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  20. 20.
    Lakhina, A., Crovella, M., Diot, C.: Diagnosing network-wide traffic anomalies. ACM SIGCOMM, pp. 219–230 (2004)Google Scholar
  21. 21.
    Lakhina, A., Crovella, M., Diot, C.: Mining anomalies using traffic feature distributions. ACM SIGCOMM, pp. 217–228 (2005)Google Scholar
  22. 22.
    Lehoucq, R.B., Sorensen, D.C.: Deflation techniques for an implicitly restarted arnoldi iteration. SIAM J. Matrix Anal. Appl. (1996)Google Scholar
  23. 23.
    Lindell, Y., Pinkas, B.: Secure multiparty computation for privacy-preserving data mining (2008),
  24. 24.
    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 223–238. Springer, Heidelberg (1997)Google Scholar
  25. 25.
    Ringberg, H., Soule, A., Rexford, J., Diot, C.: Sensitivity of pca for traffic anomaly detection. SIGMETRICS (June 2007)Google Scholar
  26. 26.
    Rivest, R.L., Adleman, L., Dertouzos, M.L.: On data banks and privacy homomorphisms. Foundations of Secure Computation (1978)Google Scholar
  27. 27.
    Rubenstein, B., Nelson, B., Huang, L., Joseph, A., Lau, S., Rao, S., Taft, N., Tygar, D.: Antidote: Understanding and defending against poisoning of anomaly detectors. In: Tavangarian, D., Kirste, T., Timmermann, D., Lucke, U., Versick, D. (eds.) IMC 2009. Communications in Computer and Information Science, vol. 53, Springer, Heidelberg (2009)Google Scholar
  28. 28.
    Silveira, F., Diot, C.: Urca: pulling out anomalies by their root causes. INFOCOM (March 2010)Google Scholar
  29. 29.
    Sleijpen, G.L.G., der Vorst, H.A.V.: A jacobi–davidson iteration method for linear eigenvalue problems. SIAM Rev. (2000)Google Scholar
  30. 30.
    Soule, A., Ringberg, H., Silveira, F., Rexford, J., Diot, C.: Detectability of traffic anomalies in two adjacent networks (2007)Google Scholar
  31. 31.
    Vasudevan, R., Mao, Z., Spatscheck, O., Van der Merwe, J.: Reval: A tool for real-time evaluation of DDoS mitigation strategies. In: USENIX ATC (2006)Google Scholar
  32. 32.
    Weng, J., Zhang, Y., Hwang, W.: Candid covariance-free incremental principal component analysis. IEEE Trans. on Pattern Analysis and Machine Intelligence (2003)Google Scholar
  33. 33.
    Xu, W., Huang, L., Fox, A., Patterson, D., Jordan, M.: Detecting large-scale system problems by mining console logs. In: SOSP (2009)Google Scholar
  34. 34.
    Yao, A.: Protocols for secure computations (extended abstract). In: FOCS (1982)Google Scholar
  35. 35.
    Zhang, Y., Ge, Z., Greenberg, A., Roughan, M.: Network animography. In: IMC (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Shishir Nagaraja
    • 1
  • Virajith Jalaparti
    • 2
  • Matthew Caesar
    • 2
  • Nikita Borisov
    • 2
  1. 1.IIIT DelhiIndia
  2. 2.University of Illinois at Urbana-ChampaignUSA

Personalised recommendations