Ebsco publishing ebook collection ebscohost printed

EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 2/16/2016 3:37 AM via CGC-GROUP OF COLLEGES (GHARUAN) AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cyber-security Account: ns224671
50 A. G. Tartakovsky

can usually be reduced to detecting changes in mean values or in variance or in both mean and variance. In Tartakovsky et al. (2006a,b), a linear memoryless score was proposed for detecting changes in the mean, and in Tartakovsky et al. (2013) this score was generalized to linear-quadratic to simultaneously handle changes in both mean and variance. Specifically, let $\mu_\infty = \mathrm{E}_\infty X_n$, $\sigma_\infty^2 = \mathrm{var}_\infty[X_n]$ and $\mu = \mathrm{E}_0 X_n$, $\sigma^2 = \mathrm{var}_0[X_n]$ denote the pre- and post-anomaly mean values and variances, respectively. Write $Y_n = (X_n - \mu_\infty)/\sigma_\infty$ for the centered and scaled observation at time $n$. In real-world applications, the pre-change parameters $\mu_\infty$ and $\sigma_\infty^2$ are estimated from the training data and periodically re-estimated due to the non-stationarity of network traffic; they can therefore be assumed known. Introduce the following memoryless linear-quadratic score

$$S_n(Y_n) = C_1 Y_n + C_2 Y_n^2 - C_3, \tag{2.15}$$

where $C_1$, $C_2$ and $C_3$ are non-negative design numbers, assuming for concreteness that the change leads to an increase in both mean and variance. In the case where the variance either does not change or changes relatively insignificantly compared to the change in the mean, the coefficient $C_2$ may be set to zero. In the opposite case where the mean changes only slightly compared to the variance, we may take $C_1 = 0$. The first linear case is typical for many cyber-security applications such as Internet Control Message Protocol (ICMP) and UDP DDoS attacks. However, in certain cases, such as the TCP SYN attacks considered in Polunchenko et al. (2012) and Tartakovsky et al. (2013), both the mean and variance change significantly.

Note that the score given by (2.15) with

$$C_1 = \delta q^2, \quad C_2 = (1 - q^2)/2, \quad C_3 = \delta^2 q^2/2 - \log q, \tag{2.16}$$

where $q = \sigma_\infty/\sigma$, $\delta = (\mu - \mu_\infty)/\sigma_\infty$, is optimal if pre- and post-change distributions are Gaussian with known putative values $\mu$ and $\sigma^2$. This is true because in the latter case $S_n$ is the log-likelihood ratio for the $n$th observation. If one accepts the Gaussian model (which is sometimes the case), it follows from the discussion in Section 2.2 that selecting $q = q_0$ and $\delta = \delta_0$ with some design values $q_0$ and $\delta_0$ provides reasonable operating characteristics for $q < q_0$ and $\delta > \delta_0$ and optimal characteristics for $q = q_0$ and $\delta = \delta_0$. However, it is important to emphasize that the proposed score-based CUSUM and SR procedures do not assume that the observations have Gaussian (or any other) pre- and post-change distributions.

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.
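The score (2.15) with the design numbers (2.16), driving a CUSUM statistic over a deliberately non-Gaussian series, as an added example that is not code from the book. The CUSUM recursion is the standard form $W_n = \max(0, W_{n-1} + S_n)$ (it is not printed on this page), and the threshold, the traffic values and all function names are assumptions made for illustration.

```python
import math

def lq_coefficients(delta, q):
    """Design numbers (2.16): Gaussian-optimal for design values delta, q."""
    return (delta * q**2,
            (1.0 - q**2) / 2.0,
            delta**2 * q**2 / 2.0 - math.log(q))

def lq_score(y, coeffs):
    """Memoryless linear-quadratic score (2.15) of a scaled observation y."""
    c1, c2, c3 = coeffs
    return c1 * y + c2 * y * y - c3

def gaussian_llr(x, mu_pre, sd_pre, mu_post, sd_post):
    """log(f_post(x) / f_pre(x)) for two Gaussian densities."""
    return (math.log(sd_pre / sd_post)
            - (x - mu_post) ** 2 / (2 * sd_post ** 2)
            + (x - mu_pre) ** 2 / (2 * sd_pre ** 2))

def cusum_alarm(xs, mu_pre, sd_pre, coeffs, threshold):
    """Score-based CUSUM, W_n = max(0, W_{n-1} + S_n) with W_0 = 0.
    Returns the first 1-based n with W_n >= threshold, or None.
    (Standard recursion; the threshold is an assumed value.)"""
    w = 0.0
    for n, x in enumerate(xs, start=1):
        y = (x - mu_pre) / sd_pre  # centre and scale with pre-change parameters
        w = max(0.0, w + lq_score(y, coeffs))
        if w >= threshold:
            return n
    return None

# Constructed per-interval packet counts (not real traffic, two-point rather
# than Gaussian): mean 100 / sd 10 for 20 intervals, then mean 115 / sd 15.
MU_PRE, SD_PRE = 100.0, 10.0
TRAFFIC = [90, 110] * 10 + [100, 130] * 10

def run_demo(threshold=8.0):
    delta = (115.0 - MU_PRE) / SD_PRE  # design value delta_0 = 1.5
    q = SD_PRE / 15.0                  # design value q_0 = 2/3
    return cusum_alarm(TRAFFIC, MU_PRE, SD_PRE,
                       lq_coefficients(delta, q), threshold)

if __name__ == "__main__":
    print("alarm at interval", run_demo())
```

Passing q = 1 to `lq_coefficients` gives $C_2 = 0$, which is the purely linear score the text describes for changes in the mean only.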