550 seconds into the trace and lasts for ten minutes. Figure 2.6 shows the number of attempted connections (the connections birth rate) as a function of time. While the attack can be seen by the naked eye, it is not completely clear when it starts. In fact, there is a fluctuation (a spike) in the data before the attack. The observations $\{X_n\}_{n \ge 1}$ represent the number of connections during 20 msec batches. The estimated values of the connections birth rate mean and standard deviation for legitimate and attack traffic are: $\mu \approx 1669$, $\sigma \approx 114$ and $\mu \approx 1888$, $\sigma \approx 218$ (connections per 20 msec). Therefore, this attack leads to a considerable increase in both the mean and standard deviation of the connections birth rate. Statistical analysis of this data set shows that the distribution of the number of attempted connections for legitimate traffic is very close to Gaussian, but for attack traffic it is not (see Tartakovsky et al. (2013) for details).

56 A. G. Tartakovsky

[Fig. 2.6. The connections birth rate for LANDER data. Plot of the Number of Attempted Connections (0 to 3000) against Time (seconds, 0 to 1200), with the changepoint marked.]

We implement the score-based multi-cyclic SR and CUSUM procedures with the linear-quadratic memoryless score (2.15). When choosing the design parameters $C_1, C_2, C_3$ we assume the Gaussian pre-attack model, i.e., the parameters $C_1$, $C_2$, and $C_3$ are chosen according to formulas (2.16) with $q_0 = q \approx 0.52$ and, to allow for detection of dimmer attacks, $\delta_0 \approx 1.5$ (versus the estimated attack value $\delta \approx 1.9$). We set the detection thresholds $A \approx 1.9 \times 10^3$ and $h \approx 6.68$ so as to ensure the same level of ARL2FA, which in the multi-cyclic setup characterizes the mean time between false alarms, at approximately 500 samples (i.e., 10 sec) for both procedures. The thresholds are estimated using Monte Carlo simulations assuming the empirical pre-change distribution learned from the data. The results are illustrated in Figures 2.7 and 2.8. Figure 2.7 shows a relatively long run of the SR statistic with several false alarms and then the true detection of the attack with a very small detection delay (at the expense of raising many false alarms prior to the correct detection). Recall that the idea of minimizing the STADD is to set the detection thresholds low enough to detect attacks very quickly, which unavoidably leads to multiple false alarms before the attack starts. These false alarms should

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 2/16/2016 3:37 AM via CGC-GROUP OF COLLEGES (GHARUAN) AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cyber-security Account: ns224671
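The multi-cyclic SR and CUSUM procedures discussed above, as an added example that is not the chapter's own code. The chapter's linear-quadratic score (2.15) and the formulas (2.16) for $C_1, C_2, C_3$ are not reproduced on this page, so the score used here is an assumption: the exact per-sample Gaussian log-likelihood ratio for a change in both mean and variance, which is itself linear-quadratic in the observation. The pre- and post-change parameters ($\mu \approx 1669$, $\sigma \approx 114$; $\mu \approx 1888$, $\sigma \approx 218$) and the thresholds ($A \approx 1.9 \times 10^3$, $h \approx 6.68$) are taken from the excerpt; every trace the code runs on is constructed in the script and is not the LANDER data.

```python
import math
import random

# Pre-change (legitimate) and post-change (attack) Gaussian parameters for the
# connections birth rate, in connections per 20 msec batch, as estimated in the excerpt.
MU0, SIGMA0 = 1669.0, 114.0
MU1, SIGMA1 = 1888.0, 218.0
# Detection thresholds quoted in the excerpt: A for SR, h for CUSUM.
A_SR = 1.9e3
H_CUSUM = 6.68


def gaussian_llr(x, mu0=MU0, s0=SIGMA0, mu1=MU1, s1=SIGMA1):
    """Exact log-likelihood ratio log f1(x)/f0(x) of one observation for a Gaussian
    change in both mean and variance.  It is linear-quadratic in x.  This is an
    assumed stand-in for the chapter's score (2.15), which is not on this page."""
    return (math.log(s0 / s1)
            - (x - mu1) ** 2 / (2.0 * s1 ** 2)
            + (x - mu0) ** 2 / (2.0 * s0 ** 2))


def multicyclic_cusum(xs, h=H_CUSUM, score=gaussian_llr):
    """Multi-cyclic CUSUM: W_n = max(0, W_{n-1} + S_n).  Alarm when W_n >= h, then
    restart from 0 and keep monitoring.  Returns the 0-based indices of all alarms."""
    alarms, w = [], 0.0
    for n, x in enumerate(xs):
        w = max(0.0, w + score(x))
        if w >= h:
            alarms.append(n)
            w = 0.0
    return alarms


def multicyclic_sr(xs, a=A_SR, score=gaussian_llr):
    """Multi-cyclic Shiryaev-Roberts: R_n = (1 + R_{n-1}) * exp(S_n).  Alarm when
    R_n >= A, then restart from 0.  Returns the 0-based indices of all alarms."""
    alarms, r = [], 0.0
    for n, x in enumerate(xs):
        r = (1.0 + r) * math.exp(score(x))
        if r >= a:
            alarms.append(n)
            r = 0.0
    return alarms


def detection_delay(alarms, change_index):
    """Number of post-change samples consumed until the first alarm at or after the
    change (earlier alarms are false alarms); None if the change was never detected."""
    for n in alarms:
        if n >= change_index:
            return n - change_index + 1
    return None


def noise_free_trace(n_pre=100, n_post=20):
    """Constructed, noise-free trace: the legitimate mean repeated n_pre times, then
    the attack mean repeated n_post times, so both statistics are exactly predictable."""
    return [MU0] * n_pre + [MU1] * n_post


def simulated_trace(n_pre=2000, n_post=100, seed=1):
    """Constructed Gaussian trace with a change in mean and variance at index n_pre
    (simulated data, not the LANDER trace)."""
    rng = random.Random(seed)
    pre = [rng.gauss(MU0, SIGMA0) for _ in range(n_pre)]
    post = [rng.gauss(MU1, SIGMA1) for _ in range(n_post)]
    return pre + post


def mean_time_between_false_alarms(procedure, n_samples=20000, seed=1):
    """Monte Carlo estimate of ARL2FA: run the procedure on pre-change-only Gaussian
    data and divide the sample count by the number of alarms.  The excerpt calibrates
    against the empirical pre-change distribution, so its ~500-sample figure differs."""
    rng = random.Random(seed)
    xs = [rng.gauss(MU0, SIGMA0) for _ in range(n_samples)]
    alarms = procedure(xs)
    return n_samples / len(alarms) if alarms else float("inf")


if __name__ == "__main__":
    change = 2000
    xs = simulated_trace(n_pre=change)
    for name, proc in (("CUSUM", multicyclic_cusum), ("SR", multicyclic_sr)):
        alarms = proc(xs)
        print(name, "false alarms before change:", sum(1 for n in alarms if n < change),
              "| detection delay (samples):", detection_delay(alarms, change),
              "| ARL2FA estimate:", round(mean_time_between_false_alarms(proc), 1))
```

On the noise-free trace the score is exactly negative before the change and exactly positive after it, so neither statistic raises a false alarm and both cross their thresholds on the sixth post-change batch (120 msec). On the noisy simulated trace the false-alarm count before the change is what the low thresholds buy the short delay with, which is the trade-off the text describes for the STADD criterion.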