Neglecting the constants yields

$$\mathrm{SADD}(T_{\mathrm{CS}}) \approx \mathrm{SADD}(T_{\mathrm{SR}}) \approx \mathrm{STADD}(T_{\mathrm{CS}}) \approx \mathrm{STADD}(T_{\mathrm{SR}}) \approx \frac{\log \gamma}{I}.$$

The latter approximation is not especially accurate but can still be used as a preliminary estimate for average detection delays.

It is worth mentioning that the i.i.d. assumption is rather restrictive for intrusion detection applications where the observed data is usually correlated and non-stationary, even “bursty” due to substantial temporal variability. Recent advances in general changepoint detection theory imply that the CUSUM and SR procedures are asymptotically optimal for general non-i.i.d. statistical models when the FAR is low ($\gamma \to \infty$) (Fuh, 2003, 2004; Lai, 1998; Tartakovsky and Veeravalli, 2004, 2005). Specifically, if we assume that

$$\lim_{n \to \infty} \frac{1}{n} E_k\left[\log \Lambda^{k}_{k+n}\right] = I \quad \text{for all } k \ge 0,$$

where $I$ is a positive and finite number (a prototype of the KL number), and the strong law of large numbers (SLLN) holds for the LLR, i.e.,

$$\frac{1}{n} \log \Lambda^{k}_{k+n} \xrightarrow[n \to \infty]{P_k\text{-a.s.}} I \quad \text{for all } k \ge 0,$$

and additionally require a certain rate of convergence in the SLLN (cf. Tartakovsky et al., 2014), then both detection procedures, CUSUM and SR, with thresholds $h_\gamma = \log \gamma$ and $A_\gamma = \gamma$ are asymptotically first-order minimax:

$$\inf_{T \in C_\gamma} \mathrm{SADD}(T) \sim \mathrm{SADD}(T_{\mathrm{CS}}) \sim \mathrm{SADD}(T_{\mathrm{SR}}) \sim \frac{\log \gamma}{I} \quad \text{as } \gamma \to \infty$$

(cf. Theorem 1 in Tartakovsky et al., 2006a). The same asymptotic optimality result holds for the stationary average delay to detection, i.e.,

$$\inf_{T \in C_\gamma} \mathrm{STADD}(T) \sim \mathrm{STADD}(T_{\mathrm{CS}}) \sim \mathrm{STADD}(T_{\mathrm{SR}}) \sim \frac{\log \gamma}{I} \quad \text{as } \gamma \to \infty.$$

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. Heard, Nicholas; Adams, Niall M.; Data Analysis for Network Cyber-security.
46 A. G. Tartakovsky

Finally, note that typically the post-change distribution is known only up to some unknown parameter $\theta \in \Theta$ (at best), that is, $g(X_n \mid X^{n-1}) = g_\theta(X_n \mid X^{n-1})$. For example, the attack intensity is never known exactly. In this case,

$$\mathrm{SADD}_\theta(T) = \sup_{\nu \ge 1} E_{\nu,\theta}(T - \nu \mid T > \nu)$$

depends on this parameter, and the same is true for $\mathrm{STADD}_\theta(T)$. Here $E_{\nu,\theta}$ is the corresponding expectation operator when the parameter value is $\theta$. Then, the CUSUM and SR procedures tuned to a putative value $\theta = \theta_1$ are optimal or asymptotically optimal only if the true parameter value is $\theta_1$, but they are not optimal for other parameter values.

The two conventional methods of overcoming this parametric uncertainty are either the generalized likelihood ratio (GLR) approach based on the GLR statistic $\sup_{\theta \in \Theta} \Lambda^{k}_{n}(\theta)$ or the mixture-based approach based on the weighted LR $\int_{\Theta} \Lambda^{k}_{n}(\theta)\, d\pi(\theta)$, where $\pi(\theta)$ is some positive weight (prior distribution) and

$$\Lambda^{k}_{n}(\theta) = \prod_{i=k+1}^{n} \frac{g_\theta(X_i \mid X^{i-1})}{f(X_i \mid X^{i-1})}, \quad k < n.$$
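The delay estimate $\log\gamma / I$ with thresholds $h_\gamma = \log\gamma$ and $A_\gamma = \gamma$, and the cost of tuning to a putative $\theta_1$, can be checked by simulation; the following is an added example, not code from the book. It assumes an i.i.d. unit-variance Gaussian mean shift (pre-change mean 0), a change present from the first sample, constructed values $\gamma = 1000$ and shifts 1.0 and 0.4, and the standard CUSUM and SR recursions, which are not spelled out in this excerpt.

```python
import math
import random

def llr(x, theta1):
    """Log-likelihood ratio of N(theta1, 1) against N(0, 1) for one sample."""
    return theta1 * x - theta1 ** 2 / 2.0

def cusum_delay(theta_true, theta1, gamma, rng):
    """Samples until CUSUM W_n = max(0, W_{n-1} + llr) reaches h = log(gamma)."""
    h, w, n = math.log(gamma), 0.0, 0
    while w < h:
        n += 1
        w = max(0.0, w + llr(rng.gauss(theta_true, 1.0), theta1))
    return n

def sr_delay(theta_true, theta1, gamma, rng):
    """Samples until Shiryaev-Roberts R_n = (1 + R_{n-1}) * LR reaches A = gamma."""
    r, n = 0.0, 0
    while r < gamma:
        n += 1
        r = (1.0 + r) * math.exp(llr(rng.gauss(theta_true, 1.0), theta1))
    return n

def mean_delay(procedure, theta_true, theta1, gamma, runs=2000, seed=7):
    """Monte Carlo average delay when the change is present from the first sample."""
    rng = random.Random(seed)
    return sum(procedure(theta_true, theta1, gamma, rng) for _ in range(runs)) / runs

def first_order_estimate(theta, gamma):
    """log(gamma) / I, with KL number I = theta^2 / 2 for a unit-variance mean shift."""
    return math.log(gamma) / (theta ** 2 / 2.0)

if __name__ == "__main__":
    gamma = 1000.0  # constructed false-alarm constraint
    print("estimate log(gamma)/I      :", round(first_order_estimate(1.0, gamma), 1))
    print("CUSUM, tuned = true = 1.0  :", mean_delay(cusum_delay, 1.0, 1.0, gamma))
    print("SR,    tuned = true = 1.0  :", mean_delay(sr_delay, 1.0, 1.0, gamma))
    # Weaker attack than assumed: true shift 0.4, detector tuned to 1.0 vs 0.4.
    print("CUSUM, tuned 1.0, true 0.4 :", mean_delay(cusum_delay, 0.4, 1.0, gamma))
    print("CUSUM, tuned 0.4, true 0.4 :", mean_delay(cusum_delay, 0.4, 0.4, gamma))
```

The matched runs land near the first-order estimate, while the detector tuned to 1.0 takes noticeably longer than the one tuned to 0.4 when the true shift is 0.4.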