Rapid Detection of Attacks by Quickest Changepoint Detection Methods

2.2. Quickest Changepoint Detection

Computer intrusions produce either abrupt or at least relatively abrupt changes in network traffic. The observations are obtained sequentially and, as long as their behavior is consistent with the “normal state,” one is content to let the process continue. If the state changes, one should detect the change as soon as possible. In other words, the change occurs at an unknown instant, and the practitioners’ goal is to detect it as quickly as possible while avoiding frequent false alarms. Evidently, the desire to detect a change quickly causes one to be trigger-happy, which brings about many false alarms if there is no change. On the other hand, attempting to avoid false alarms too strenuously will lead to a long delay between the time of occurrence of a real change and its detection. Thus, the design of quickest changepoint detection procedures involves optimizing the tradeoff between two kinds of performance measures, one being a measure of detection delay, the other a measure of the false alarm frequency. A good decision procedure depends on what is known about the stochastic behavior of the observations, both pre- and post-change. These ideas can be used for designing an efficient AbIDS based on changepoint detection schemes. See Section 2.3 for a detailed discussion.

We now provide a brief overview of changepoint detection approaches and the two main competing detection procedures: CUSUM (Cumulative Sum) and the Shiryaev–Roberts procedure.

Suppose a series $\{X_n\}_{n \ge 1}$ of random variables, not necessarily independent and identically distributed (i.i.d.), is observed sequentially, in a one-at-a-time manner. At first, the series is “in-control” and each $X_n$ is distributed according to the conditional density $f(X_n \mid \mathbf{X}_1^{n-1})$, the pre-change density, where we use the notation $\mathbf{X}_1^{n-1} = (X_1, X_2, \ldots, X_{n-1})$ for the vector of the first $n-1$ observations. At an unknown time instant $\nu$ something unusual happens and the series “runs out of control” by altering its statistical properties, so that beginning from the time moment $\nu + 1$ the conditional density of each $X_n$ is $g(X_n \mid \mathbf{X}_1^{n-1})$, the post-change density. Note that in general these densities may depend on $n$, and the post-change density may also depend on the changepoint $\nu$, i.e., $f(X_n \mid \mathbf{X}_1^{n-1}) = f_n(X_n \mid \mathbf{X}_1^{n-1})$ for $n \ge 1$ and $g(X_n \mid \mathbf{X}_1^{n-1}) = g_{n,\nu}(X_n \mid \mathbf{X}_1^{n-1})$ for $n > \nu$. After the change occurs, an alarm should be raised as soon as possible and with few false detections so that an appropriate action is taken.

Copyright © 2014 Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. EBSCO Publishing: eBook Collection (EBSCOhost), AN: 779681; Heard, Nicholas; Adams, Niall M.; Data Analysis for Network Cyber-security.
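A worked example of the two procedures named above, added here and not taken from the book: it runs the standard CUSUM and Shiryaev–Roberts recursions on a constructed i.i.d. Gaussian mean-shift sequence (pre-change N(0,1), post-change N(θ,1) with θ = 2 assumed known, so the log-likelihood ratio is Z_n = θX_n − θ²/2), with the change beginning at ν + 1 = 11. The observation values, the thresholds and the change-time are all constructed for illustration; lowering the thresholds shows the trigger-happy side of the delay/false-alarm tradeoff.

```python
import math

# Constructed sample (not from the book): ten pre-change values scattered around 0,
# then a mean shift to roughly +2 beginning at observation nu + 1 = 11.
NU = 10                      # changepoint nu: the post-change density applies from nu + 1 on
PRE = [0.3, -0.5, 1.3, -0.2, 0.8, -1.1, 1.2, -0.3, 0.2, -0.6]
POST = [1.9, 2.4, 1.6, 2.8, 2.1, 1.7, 2.5]
THETA = 2.0                  # assumed known post-change mean; pre-change mean 0, unit variance

def llr(x, theta=THETA):
    """Z_n = log g(x)/f(x) for f = N(0,1), g = N(theta,1): theta*x - theta^2/2."""
    return theta * x - theta * theta / 2.0

def cusum_alarm(xs, h, theta=THETA):
    """Standard CUSUM recursion W_n = max(0, W_{n-1} + Z_n), W_0 = 0.
    Returns (alarm_time, path); alarm_time is the first n with W_n >= h, or None."""
    w, path = 0.0, []
    for n, x in enumerate(xs, start=1):
        w = max(0.0, w + llr(x, theta))
        path.append(w)
        if w >= h:
            return n, path
    return None, path

def sr_alarm(xs, a, theta=THETA):
    """Shiryaev-Roberts recursion R_n = (1 + R_{n-1}) * exp(Z_n), R_0 = 0.
    Under no change R_n - n is a zero-mean martingale, so the mean time to a
    false alarm is at least a. Returns (alarm_time, path) like cusum_alarm."""
    r, path = 0.0, []
    for n, x in enumerate(xs, start=1):
        r = (1.0 + r) * math.exp(llr(x, theta))
        path.append(r)
        if r >= a:
            return n, path
    return None, path

def detection_delay(alarm_time, nu=NU):
    """Delay = alarm time - nu; None means the alarm was never raised."""
    return None if alarm_time is None else alarm_time - nu

if __name__ == "__main__":
    xs = PRE + POST
    for name, proc, thr in (("CUSUM", cusum_alarm, 4.0), ("SR", sr_alarm, 50.0)):
        t, _ = proc(xs, thr)
        print(f"{name:5s} threshold={thr:5.1f}: alarm at n={t}, delay={detection_delay(t)}")
    # Trigger-happy thresholds: both statistics alarm on pre-change data alone (false alarm).
    print("CUSUM h=0.5 on pre-change data only: alarm at n =", cusum_alarm(PRE, 0.5)[0])
    print("SR    A=1.5 on pre-change data only: alarm at n =", sr_alarm(PRE, 1.5)[0])
```

With the chosen thresholds both procedures alarm at n = 12 (delay 2) and stay silent on the pre-change segment; with h = 0.5 or A = 1.5 each raises a false alarm at n = 3.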