
Maximum likelihood estimation of the above model is computationally expensive. Instead, we use the method of moments estimation (Casella and Berger, 2001), significantly reducing estimation complexity. On large networks, method of moments provides high-quality estimation, since the sample size will be very large. In practice, the estimation requires that we have two graphs, an established graph that provides the existing edges, and another graph, disjoint in time, that allows us to estimate the rate at which new edges (those not in the established graph, but in the second graph) appear. The new edge model above was not used in the simulation study in Section 3.5, but was used in the real-data section (3.6).

3.4.4. Alternative hypotheses

In order to obtain a GLRT, we need to restrict our overall parameter space to allow for alternatives that reflect the types of attacker behavior we wish to detect. These are intentionally kept general, in order to catch a variety of behaviors. We postulate that attacker behavior causes increases to the MLEs of parameters governing the models. This is due to the fact that the attacker must act in addition to the normal behavior on that edge. Specifically, referring to the OMM, we propose that attacker behavior causes an increase in the probability of transitioning from the inactive to the active state:

$$H_0 : p_{01} = \tilde{p}_{01} \quad \text{versus} \quad H_P : p_{01} > \tilde{p}_{01}, \tag{3.11}$$

where $\tilde{p}_{01}$ is the historic parameter value.

In the HMM setting, we have more options. We will test three combinations of parameter changes:

$$H_P : p_{01} > \tilde{p}_{01}, \qquad H_M : \mu > \tilde{\mu}, \qquad H_B : p_{01} > \tilde{p}_{01} \text{ and } \mu > \tilde{\mu}. \tag{3.12}$$

In each case, the null hypothesis is that the parameter or two-parameter pair is equal to its historic parameter value.

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.
Source: Heard, Nicholas; Adams, Niall M.; Data Analysis for Network Cyber-security. EBSCO Publishing eBook Collection (EBSCOhost), AN: 779681.

Statistical Detection of Intruders Within Computer Networks

3.4.5. P-value calculation

We seek a p-value for the observed GLRT statistic, $\lambda_\gamma$. Under mild regularity conditions, the GLRT is asymptotically $\chi^2$ with degrees of freedom equal to the number of free parameters in $\Theta$. However, this does not hold when the true parameters are not on the boundary of $\Theta$ (see Casella and Berger, 2001, p. 516). If the true parameters are on the boundary, as in the restricted tests we perform (see Section 3.4.4), we will obtain a point mass at zero in the distribution of $\lambda_\gamma$.

Star p-values. We start with the simpler of the two shapes, the star. The number of stars in a graph is just the number of nodes, and therefore, for each node $v$, we can afford to model the distribution of the GLRT $\lambda_v = \sum_{e \in \text{outedges}(v)} \lambda_e$ for the star around $v$ (see [3.2]).
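The following is an added example, not code from the book: the one-sided test (3.11) on a single edge, the resulting point mass at zero, and the star statistic as a sum over out-edges. It assumes the OMM is a two-state Markov chain over 0/1 activity indicators per time bin with $p_{10}$ unaffected by the test; all function names, edge labels and simulation parameters are constructed for illustration.

```python
import math
import random

def glrt_p01(states, p01_hist):
    """GLRT statistic for H0: p01 = p01_hist vs HP: p01 > p01_hist on one edge.

    states: 0/1 activity per time bin (assumed two-state Markov chain).
    Assumes 0 < p01_hist < 1; only transitions out of state 0 inform p01.
    """
    pairs = list(zip(states, states[1:]))
    n00, n01 = pairs.count((0, 0)), pairs.count((0, 1))
    if n00 + n01 == 0:
        return 0.0
    # MLE restricted to the alternative's closure, p01 >= p01_hist.
    p_alt = max(n01 / (n00 + n01), p01_hist)
    if p_alt == p01_hist:
        return 0.0  # estimate sits on the boundary: statistic is exactly zero

    def loglik(p):
        # Skip terms with a zero count so p = 1 does not hit log(0).
        return (n01 * math.log(p) if n01 else 0.0) + \
               (n00 * math.log(1 - p) if n00 else 0.0)

    return 2.0 * (loglik(p_alt) - loglik(p01_hist))

def star_statistic(out_edges, p01_hist):
    """lambda_v: sum of edge statistics over the out-edges of one node."""
    return sum(glrt_p01(s, p01_hist[e]) for e, s in out_edges.items())

def zero_fraction_under_null(p01, p10, n_bins, trials, seed=0):
    """Simulate edges at their historic parameters; return share with lambda = 0."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        s, states = 0, []
        for _ in range(n_bins):
            states.append(s)
            if rng.random() < (p01 if s == 0 else p10):
                s = 1 - s
        zeros += glrt_p01(states, p01) == 0.0
    return zeros / trials

if __name__ == "__main__":
    # Constructed sample: one quiet edge, one edge that keeps switching on.
    edges = {"v->a": [0] * 11, "v->b": [0, 1, 0, 1, 0, 1]}
    print(star_statistic(edges, {"v->a": 0.1, "v->b": 0.2}))
    print(zero_fraction_under_null(0.1, 0.5, 200, 500))
```

Under the null, a large share of simulated edges return exactly zero, which is why a plain $\chi^2$ reference distribution would misstate the p-value for these restricted tests.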