Were afraid of approaching the detection threshold h


were “afraid” of approaching the detection threshold $h$, although $W_n$ could cross the threshold sooner or later, raising a false alarm. However, as soon as $X_{\nu+1}$, the first “out-of-control” measurement, is observed, the behavior of $W_n$ makes a complete 180° turn – now it eagerly tries to hit the level $h$. Figures 2.2 and 2.3 illustrate this typical behavior, guaranteed by the fact that $\mathsf{E} Z_n < 0$, i.e., the detection statistic has a negative drift in the normal regime, while $\mathsf{E}_\nu Z_n > 0$ for $\nu < n$, i.e., the drift is positive in the abnormal regime.

That said, consider the following score-based modification of the CUSUM and SR algorithms

$$W_n^{\mathrm{sc}} = \max\{0,\; W_{n-1}^{\mathrm{sc}} + S_n\}, \qquad T_{\mathrm{CS}}^{\mathrm{sc}} = \min\{n \ge 1 : W_n^{\mathrm{sc}} \ge h\} \tag{2.12}$$

and

$$R_n^{\mathrm{sc}} = (1 + R_{n-1}^{\mathrm{sc}})\, e^{S_n}, \qquad T_{\mathrm{SR}}^{\mathrm{sc}} = \min\{n \ge 1 : R_n^{\mathrm{sc}} \ge A\}, \tag{2.13}$$

where $W_0^{\mathrm{sc}} = 0 = R_0^{\mathrm{sc}}$ and $h, A > 0$ are a priori chosen detection thresholds which determine FAR. Here $S_n(X_1^n)$ is a score function sensitive to a change. Clearly, as long as the score function has negative pre-change mean $\mathsf{E} S_n < 0$ and positive post-change mean $\mathsf{E}_\nu S_n > 0$, the resulting score-based (semiparametric or nonparametric) CUSUM and SR algorithms will work, though they are no longer guaranteed to be optimal.

Let $Q$ be a positive and finite number and assume that

$$\lim_{n \to \infty} \frac{1}{n}\, \mathsf{E}_\nu \left[ \sum_{i=\nu+1}^{\nu+n} S_i \right] = Q \quad \text{for all } \nu \ge 0.$$

Further, assume that the SLLN holds for the score $S_n$:

$$\frac{1}{n} \sum_{i=\nu+1}^{\nu+n} S_i \xrightarrow[n \to \infty]{P_\nu\text{-a.s.}} Q \quad \text{for all } \nu \ge 0.$$

If, in addition, we postulate a certain rate of convergence in the SLLN, it can be shown that

$$\mathrm{SADD}(T_{\mathrm{CS}}^{\mathrm{sc}}) \sim \mathrm{STADD}(T_{\mathrm{CS}}^{\mathrm{sc}}) \sim h/Q \quad \text{as } h \to \infty, \tag{2.14}$$

and similar asymptotic approximations hold for the score-based SR procedure with $h$ replaced by $\log A$. See Theorem 3 in Tartakovsky et al. (2006a).

In general, however, it is impossible to approximate ARL2FA unless $S_n$ is connected to the LLR. So it is unclear how to select thresholds $h$ and $A$ to guarantee the given FAR level. In general, Monte Carlo simulations seem to be the only way.

The score function $S_n$ can be chosen in a number of ways, each particular choice depending crucially on the expected type of change. For example, detecting a shift in the mean value and a change in the variance requires considering different score functions. In the applications of interest, the problem

Rapid Detection of Attacks by Quickest Changepoint Detection Methods

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 2/16/2016 3:37 AM via CGC-GROUP OF COLLEGES (GHARUAN) AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cyber-security Account: ns224671
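The score-based recursions (2.12)–(2.13) and the Monte Carlo threshold selection described above, as an added example that is not taken from the book. It assumes a linear score S_n = X_n − c with c = 11 and constructed Gaussian per-interval traffic counts (pre-change mean 10, standard deviation 2); the function names, the threshold grid and the target ARL2FA are likewise assumptions.

```python
import math
import random

C = 11.0  # assumed score offset, above the constructed pre-change mean of 10

def detect(xs, h=None, A=None, c=C):
    """Score-based CUSUM (2.12) and SR (2.13) with the assumed linear score
    S_n = X_n - c. Returns (T_CS, T_SR); None means disabled or no alarm."""
    w = r = 0.0                              # W_0^sc = 0 = R_0^sc
    t_cs = t_sr = None
    for n, x in enumerate(xs, start=1):
        s = x - c
        if h is not None and t_cs is None:
            w = max(0.0, w + s)              # recursion (2.12)
            if w >= h:
                t_cs = n
        if A is not None and t_sr is None:
            r = (1.0 + r) * math.exp(s)      # recursion (2.13)
            if r >= A:
                t_sr = n
        if (h is None or t_cs) and (A is None or t_sr):
            break
    return t_cs, t_sr

def arl2fa_cusum(h, runs=200, max_n=20000, seed=1, mean=10.0, sd=2.0):
    """Monte Carlo estimate of ARL2FA = E[T_CS] on change-free traffic.
    Run i always uses seed + i, so estimates are nondecreasing in h."""
    total = 0
    for i in range(runs):
        rng = random.Random(seed + i)
        stream = (rng.gauss(mean, sd) for _ in range(max_n))
        t_cs, _ = detect(stream, h=h)
        total += t_cs if t_cs is not None else max_n   # truncated run
    return total / runs

def pick_threshold(target_arl, grid):
    """Smallest h in the grid whose estimated ARL2FA meets the target."""
    for h in sorted(grid):
        if arl2fa_cusum(h) >= target_arl:
            return h
    return None

if __name__ == "__main__":
    print("h for ARL2FA >= 200:", pick_threshold(200, [2, 4, 6, 8, 10, 12]))
    # Constructed stream: change after nu = 50, post-change score mean Q = 2,
    # so the delay should be close to h/Q = 5 as in (2.14).
    print(detect([10.0] * 50 + [13.0] * 50, h=10, A=math.exp(10)))
```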