EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 2/16/2016 3:37 AM via CGC-GROUP OF COLLEGES (GHARUAN) AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cyber-security Account: ns224671
A. G. Tartakovsky

$h_N$ should be increased roughly by $\log N$ compared with the threshold $h$ in the single-channel system to have about the same FAR (see Lemma 1 in Tartakovsky et al. (2006a)). We thus obtain the estimate

$$\mathrm{SADD}_i(T_{\max}) \approx (h + \log N)/Q_i, \quad i = 1, \dots, N. \tag{2.19}$$

For the sake of concreteness, consider the Gaussian model with a change in the mean $\mu \to \mu_i$ in the $i$th channel and constant variance $\sigma^2 = \sigma^2$, in which case the linear score $S_n^{(i)} = \mu_i X_n^{(i)} - \delta_i^2/2$ is optimal, where $\delta_i = \mu_i$. Then $Q_i = \delta_i^2/2$. Now, for a single-channel system where all packets are mixed in a single statistic but the attack is only visible in the $i$th bin, we have

$$\mathrm{SADD}_i(T_{\mathrm{CS}}^{\mathrm{sc}}) \approx h/(\delta_i^2/2N). \tag{2.20}$$

Therefore, for large enough $h$, which in this case can be taken $h = \log \gamma$, using (2.19) and (2.20), we obtain

$$\frac{\mathrm{SADD}_i(T_{\mathrm{CS}}^{\mathrm{sc}})}{\mathrm{SADD}_i(T_{\max})} \approx N.$$

This estimate is very approximate but shows how poorly a single-channel procedure may perform.

Assuming the attack is visible in many channels, the following “SUM” decision statistic that combines scores from all the channels will be efficient:

$$W_n = \max\Bigl\{0,\; W_{n-1} + \sum_{i=1}^{N} S_n^{(i)}\Bigr\}^{+}, \quad W_0 = 0.$$

The detection procedure $T_{\mathrm{SUM}} = \min\{n : W_n \ge h\}$ outperforms the previous one when the anomaly due to the attack occurs in many channels.

However, the most general case is where the number of affected channels is a priori unknown and may vary from small to large. In this case, the reasonable detection statistic is $W_n^{c} = \sum_{i=1}^{N} W_n^{(i)}$, or if the maximal percentage, $p$, of the affected channels is a priori known, then $W_n^{c,p} = \sum_{i=1}^{pN} W_n^{(i)}$, where $W_n^{(i)}$, $i = 1, \dots, N$ are ordered versions, i.e., $W_n^{(1)} \le W_n^{(2)} \le \cdots \le W_n^{(N)}$. Such an LR-based algorithm was considered in Mei (2010). A similar approach can be used to form SR-type multichannel detection procedures (Siegmund, 2013).
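The MAX and SUM rules compared above, as an added sketch (not code from the book). It assumes pre-change mean 0 and unit variance, so that $\delta_i = \mu_i$, and takes the MAX rule to raise an alarm when the largest per-channel CUSUM reaches $h_N = h + \log N$; `first_alarms` and `simulate` are hypothetical names and all data is constructed.

```python
import math
import random

def first_alarms(X, mu, h):
    """First alarm time n (1-based) of the MAX and SUM rules on rows X[n-1], or None."""
    N = len(mu)
    h_N = h + math.log(N)      # MAX threshold raised by log N (assumed form of T_max)
    W_ch = [0.0] * N           # per-channel CUSUM statistics W_n^{(i)}
    W_sum = 0.0                # SUM statistic W_n, W_0 = 0
    alarms = {"MAX": None, "SUM": None}
    for n, row in enumerate(X, start=1):
        # Linear scores S_n^{(i)} = mu_i * X_n^{(i)} - mu_i^2 / 2
        S = [m * x - m * m / 2 for m, x in zip(mu, row)]
        W_ch = [max(0.0, w + s) for w, s in zip(W_ch, S)]
        W_sum = max(0.0, W_sum + sum(S))
        if alarms["MAX"] is None and max(W_ch) >= h_N:
            alarms["MAX"] = n
        if alarms["SUM"] is None and W_sum >= h:
            alarms["SUM"] = n
    return alarms

def simulate(mu, affected, nu, length, seed):
    """Constructed data: unit-variance Gaussian noise; affected channels
    switch from mean 0 to mean mu_i for observations n > nu."""
    rng = random.Random(seed)
    return [[rng.gauss(m if (n > nu and i in affected) else 0.0, 1.0)
             for i, m in enumerate(mu)]
            for n in range(1, length + 1)]

if __name__ == "__main__":
    mu = [1.0] * 8
    # One affected channel versus all channels affected, change after n = 200.
    for affected in ({0}, set(range(8))):
        X = simulate(mu, affected, nu=200, length=400, seed=1)
        print(len(affected), "affected channel(s):", first_alarms(X, mu, h=8.0))
```

With a single affected channel the summed score has negative drift after the change, so the SUM rule stays near zero while the MAX rule still alarms; with every channel affected the SUM rule alarms several times sooner.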
Monte Carlo simulations and experiments with real data show that the multichannel score-based CUSUM and SR procedures defined above are very efficient at detecting anomalies of arbitrary nature and structure.

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.
Rapid Detection of Attacks by Quickest Changepoint Detection Methods

Yet another approach is to exploit a nonparametric algorithm with binary quantization and optimization of the quantization threshold. In this case, it is possible to implement optimal binary quantized CUSUM and SR algorithms that are based on true likelihood ratios for Bernoulli sequences at the output of quantizers. Specifically, the observations $X_n$, $n \ge 1$, are quantized as follows: $V_n = 1$ if $X_n$