Distributed PCA-based anomaly detection in telephone networks through legitimate-user profiling

In this paper we present a distributed mechanism based on Principal Component Analysis (PCA) to profile the behavior of the legitimate users in telephone networks. The idea is to take advantage of probes distributed over the network to obtain a compact snapshot of the users they serve. A collector node effectively combines such information to gather the description of the legitimate-user behavior. Eventually, it distributes the profile to the probes, which perform anomaly detection. Experimental results on several weeks of phone data collected by a telecom operator show that our profiling mechanism is stable over time and allows an operator to decentralize the anomaly detection stage directly to its probes. Furthermore, when compared to a centralized-PCA approach, our technique has the advantage of preventing the creation of polluted profiles, since it avoids that widespread anomalies, which are localized within one (or few) probes, enter into the description of the legitimate-user behavior.