Neglecting the constants yields

$$\mathrm{SADD}(T_{\mathrm{CS}}) \approx \mathrm{SADD}(T_{\mathrm{SR}}) \approx \mathrm{STADD}(T_{\mathrm{CS}}) \approx \mathrm{STADD}(T_{\mathrm{SR}}) \approx \frac{\log \gamma}{I}.$$

The latter approximation is not especially accurate but can still be used as a preliminary estimate for average detection delays.

It is worth mentioning that the i.i.d. assumption is rather restrictive for intrusion detection applications where the observed data is usually correlated and non-stationary, even "bursty" due to substantial temporal variability. Recent advances in general changepoint detection theory imply that the CUSUM and SR procedures are asymptotically optimal for general non-i.i.d. statistical models when the FAR is low ($\gamma \to \infty$) (Fuh, 2003, 2004; Lai, 1998; Tartakovsky and Veeravalli, 2004, 2005). Specifically, if we assume that

$$\lim_{n \to \infty} \frac{1}{n} E_k\left[\log \Lambda_{k+n}^{k}\right] = I \quad \text{for all } k \ge 0,$$

where $I$ is a positive and finite number (a prototype of the KL number), and the strong law of large numbers (SLLN) holds for the LLR, i.e.,

$$\frac{1}{n} \log \Lambda_{k+n}^{k} \xrightarrow[n \to \infty]{P_k\text{-a.s.}} I \quad \text{for all } k \ge 0,$$

and if we additionally require a certain rate of convergence in the SLLN (cf. Tartakovsky et al., 2014), then both detection procedures, CUSUM and SR, with thresholds $h_\gamma = \log \gamma$ and $A_\gamma = \gamma$ are asymptotically first-order minimax:

$$\inf_{T \in C_\gamma} \mathrm{SADD}(T) \sim \mathrm{SADD}(T_{\mathrm{CS}}) \sim \mathrm{SADD}(T_{\mathrm{SR}}) \sim \frac{\log \gamma}{I} \quad \text{as } \gamma \to \infty$$

(cf. Theorem 1 in Tartakovsky et al., 2006a). The same asymptotic optimality result holds for the stationary average delay to detection, i.e.,

$$\inf_{T \in C_\gamma} \mathrm{STADD}(T) \sim \mathrm{STADD}(T_{\mathrm{CS}}) \sim \mathrm{STADD}(T_{\mathrm{SR}}) \sim \frac{\log \gamma}{I} \quad \text{as } \gamma \to \infty.$$

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. Heard, Nicholas, Adams, Niall M.; Data Analysis for Network Cyber-security.
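As an added illustration (not code from the book), the simulation below compares the preliminary estimate log γ / I with the empirical detection delay of CUSUM and SR run at thresholds h = log γ and A = γ. It assumes an i.i.d. Gaussian mean-shift model (pre-change N(0,1), post-change N(μ,1), so I = μ²/2) with the change at time 0; the function names and parameter values are illustrative.

```python
import math
import random

def llr(x, mu):
    """Log-likelihood ratio of N(mu,1) against N(0,1) for one observation."""
    return mu * x - mu * mu / 2.0

def cusum_delay(stream, mu, gamma):
    """Samples until W_n = max(0, W_{n-1} + z_n) reaches h = log(gamma)."""
    h, w = math.log(gamma), 0.0
    for n, x in enumerate(stream, 1):
        w = max(0.0, w + llr(x, mu))
        if w >= h:
            return n

def sr_delay(stream, mu, gamma):
    """Samples until R_n = (1 + R_{n-1}) * exp(z_n) reaches A = gamma."""
    r = 0.0
    for n, x in enumerate(stream, 1):
        r = (1.0 + r) * math.exp(llr(x, mu))
        if r >= gamma:
            return n

def post_change(rng, mu):
    """Constructed sample data: endless post-change stream (change at time 0)."""
    while True:
        yield rng.gauss(mu, 1.0)

def compare(mu=1.0, gamma=1000.0, trials=2000, seed=7):
    """Average delay of both procedures next to the estimate log(gamma)/I."""
    rng = random.Random(seed)
    kl = mu * mu / 2.0  # KL number I for the assumed Gaussian shift
    cs = sum(cusum_delay(post_change(rng, mu), mu, gamma)
             for _ in range(trials)) / trials
    sr = sum(sr_delay(post_change(rng, mu), mu, gamma)
             for _ in range(trials)) / trials
    return {"first_order": math.log(gamma) / kl, "cusum": cs, "sr": sr}

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:12s} {value:6.2f}")
```

Raising `gamma` (a lower false alarm rate) lengthens both delays roughly in proportion to log γ, which is the trade-off the threshold choice controls.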
A. G. Tartakovsky

Finally, note that typically the post-change distribution is known only up to some unknown parameter $\theta \in \Theta$ (at best), that is $g(X_n \mid X^{n-1}) = g_\theta(X_n \mid X^{n-1})$. For example, the attack intensity is never known exactly. In this case,

$$\mathrm{SADD}_\theta(T) = \sup_{\nu \ge 1} E_{\nu,\theta}(T - \nu \mid T > \nu)$$

depends on this parameter, and the same is true for $\mathrm{STADD}_\theta(T)$. Here $E_{\nu,\theta}$ is the corresponding expectation operator when the parameter value is $\theta$. Then, the CUSUM and SR procedures tuned to a putative value $\theta = \theta_1$ are optimal or asymptotically optimal only if the true parameter value is $\theta_1$, but they are not optimal for other parameter values.

The two conventional methods of overcoming this parametric uncertainty are either the generalized likelihood ratio (GLR) approach based on the GLR statistic $\sup_{\theta \in \Theta} \Lambda_n^k(\theta)$ or the mixture-based approach based on the weighted LR $\int_\Theta \Lambda_n^k(\theta)\, \mathrm{d}\pi(\theta)$, where $\pi(\theta)$ is some positive weight (prior distribution) and

$$\Lambda_n^k(\theta) = \prod_{i=k+1}^{n} \frac{g_\theta(X_n \mid X^{n-1})}{f(X_n \mid X^{n-1})}, \quad k < n.$$