52
A. G. Tartakovsky
$h_N$ should be increased roughly by $\log N$ compared with the threshold $h$ in the single-channel system to have about the same FAR (see Lemma 1 in Tartakovsky et al. (2006a)). We thus obtain the estimate

$$\mathrm{SADD}_i(T_{\max}) \approx (h + \log N)/Q_i, \qquad i = 1, \dots, N. \tag{2.19}$$
For the sake of concreteness, consider the Gaussian model with a change in the mean $\mu_\infty \to \mu_i$ in the $i$th channel and constant variance $\sigma^2_\infty = \sigma^2$, in which case the linear score $S_n^{(i)} = \mu_i X_n^{(i)} - \delta_i^2/2$ is optimal, where $\delta_i = \mu_i/\sigma$. Then $Q_i = \delta_i^2/2$. Now, for a single-channel system where all packets are mixed in a single statistic but the attack is only visible in the $i$th bin, we have

$$\mathrm{SADD}_i(T^{\mathrm{sc}}_{\mathrm{CS}}) \approx h/\big(\delta_i^2/(2N)\big). \tag{2.20}$$
Therefore, for large enough $h$, which in this case can be taken $h = \log \gamma$, using (2.19) and (2.20), we obtain

$$\frac{\mathrm{SADD}_i(T^{\mathrm{sc}}_{\mathrm{CS}})}{\mathrm{SADD}_i(T_{\max})} \approx N.$$

This estimate is very approximate but shows how poorly a single-channel procedure may perform.
Assuming the attack is visible in many channels, the following "SUM" decision statistic that combines scores from all the channels will be efficient:

$$W_n = \max\Big\{0,\; W_{n-1} + \sum_{i=1}^{N} S_n^{(i)}\Big\}, \qquad W_0 = 0.$$

The detection procedure $T_{\mathrm{SUM}} = \min\{n : W_n \ge h\}$ outperforms the previous one when the anomaly due to the attack occurs in many channels.
However, the most general case is where the number of affected channels is a priori unknown and may vary from small to large. In this case, the reasonable detection statistic is $W^{c}_n = \sum_{i=1}^{N} W_n^{(i)}$, or if the maximal percentage, $p$, of the affected channels is a priori known, then $W^{c,p}_n = \sum_{i=1}^{pN} W_n^{(i)}$, where $W_n^{(i)}$, $i = 1, \dots, N$ are ordered versions, i.e., $W_n^{(1)} \le W_n^{(2)} \le \dots \le W_n^{(N)}$. Such an LR-based algorithm was considered in Mei (2010). A similar approach can be used to form SR-type multichannel detection procedures (Siegmund, 2013).
Monte Carlo simulations and experiments with real data show that the multichannel score-based CUSUM and SR procedures defined above are very efficient at detecting anomalies of arbitrary nature and structure.
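The procedures above, as an added worked example that is not from the chapter or its authors: a small Python simulation on constructed Gaussian data (not real traffic) that runs the per-channel score-based CUSUMs with the $T_{\max}$ stopping rule, the SUM statistic $T_{\mathrm{SUM}}$, the sum-of-CUSUMs statistic $W^c_n$, and the single-channel mixed statistic of (2.20), and compares their average detection delays from a change at $n = 0$ with every statistic started at zero. The function names, the values $h = 5$, $N = 10$, $\delta_i = 1$, the threshold $h + \log N$ for the multichannel rules, and the mixing model $Y_n = \sum_i X_n^{(i)}$ (which reduces the per-step signal-to-noise ratio to $\delta_i^2/N$, matching (2.20)) are my assumptions. The score divides by $\sigma^2$ so that it is the exact Gaussian log-likelihood ratio; it coincides with the chapter's $\mu_i X_n^{(i)} - \delta_i^2/2$ when $\sigma = 1$. The truncated statistic $W^{c,p}_n$ is not implemented.

```python
import math
import random


def linear_score(x, mu_i, sigma):
    """Score of one observation under the Gaussian mean-shift model 0 -> mu_i.
    With the sigma**2 divisor this is the exact log-likelihood ratio; it reduces to
    the chapter's S = mu_i * X - delta_i**2 / 2 (delta_i = mu_i / sigma) when sigma = 1.
    The general form is needed below, where mixing channels inflates the variance."""
    delta = mu_i / sigma
    return mu_i * x / sigma ** 2 - delta ** 2 / 2


def cusum_path(scores):
    """W_n = max(0, W_{n-1} + S_n), W_0 = 0; returns the list [W_1, ..., W_n]."""
    w, path = 0.0, []
    for s in scores:
        w = max(0.0, w + s)
        path.append(w)
    return path


def first_crossing(path, h):
    """min{n : W_n >= h} (1-indexed), or None if the path never reaches h."""
    for n, w in enumerate(path, start=1):
        if w >= h:
            return n
    return None


def t_max(channel_scores, h):
    """T_max: N parallel CUSUMs, stop as soon as max_i W_n^{(i)} >= h."""
    paths = [cusum_path(s) for s in channel_scores]
    return first_crossing([max(col) for col in zip(*paths)], h)


def t_sum(channel_scores, h):
    """T_SUM: one CUSUM driven by the summed score sum_i S_n^{(i)}."""
    return first_crossing(cusum_path([sum(col) for col in zip(*channel_scores)]), h)


def t_sum_of_cusums(channel_scores, h):
    """W^c_n = sum_i W_n^{(i)}: stop when the sum of the per-channel CUSUMs >= h."""
    paths = [cusum_path(s) for s in channel_scores]
    return first_crossing([sum(col) for col in zip(*paths)], h)


def average_delays(n_channels, attacked, mu, sigma, h, runs, horizon, seed=1):
    """Average detection delay when the change occurs at n = 0 and every statistic
    starts from 0, the setting that the approximations (2.19)-(2.20) describe.
    Constructed data: N(mu, sigma^2) in the attacked channels, N(0, sigma^2) elsewhere.
    A run that never stops is counted as `horizon`."""
    rng = random.Random(seed)
    total = dict.fromkeys(("T_max", "T_SUM", "W^c", "single-channel"), 0)
    h_n = h + math.log(n_channels)  # multichannel threshold raised by log N (assumed)
    for _ in range(runs):
        x = [[rng.gauss(mu if i in attacked else 0.0, sigma) for _ in range(horizon)]
             for i in range(n_channels)]
        scores = [[linear_score(v, mu, sigma) for v in row] for row in x]
        total["T_max"] += t_max(scores, h_n) or horizon
        total["T_SUM"] += t_sum(scores, h) or horizon
        total["W^c"] += t_sum_of_cusums(scores, h_n) or horizon
        # Single-channel system: all bins mixed into Y_n = sum_i X_n^{(i)}, whose
        # variance is N * sigma^2, so the score drift under attack falls to
        # delta_i^2 / (2N), exactly the denominator of (2.20).
        mixed = [linear_score(sum(col), mu, sigma * math.sqrt(n_channels))
                 for col in zip(*x)]
        total["single-channel"] += first_crossing(cusum_path(mixed), h) or horizon
    return {k: v / runs for k, v in total.items()}


if __name__ == "__main__":
    N, h = 10, 5.0  # assumed values; h = log(gamma) with gamma of about 150
    one = average_delays(N, {3}, mu=1.0, sigma=1.0, h=h, runs=200, horizon=1000)
    many = average_delays(N, set(range(N)), mu=1.0, sigma=1.0, h=h, runs=200, horizon=1000)
    print("attack visible in channel 3 only:", one)
    print("  single-channel / T_max delay ratio:", round(one["single-channel"] / one["T_max"], 2),
          "(the chapter's rough estimate is N =", N, ")")
    print("attack visible in all channels:  ", many)
```

With one attacked channel the mixed single-channel CUSUM needs several times longer than $T_{\max}$, in line with the $\approx N$ estimate once the $\log N$ threshold penalty and CUSUM overshoot are accounted for; with all channels attacked, $T_{\mathrm{SUM}}$ stops well before $T_{\max}$, which is the regime the SUM statistic is meant for.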
Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under
U.S. or applicable copyright law.
AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cyber-security