Statistical Detection of Intruders Within Computer Networks
Notation and Likelihood. At a set of $T$ discrete time points we observe counts $x = [x_1, \ldots, x_T]$, with $x_t \in \{0, 1, \ldots\}$ for $t = 1, \ldots, T$. In this model, the counts are viewed as coming from one of two distributions, as governed by $Z = [Z_1, \ldots, Z_T]$, a latent two-state Markov process. Letting $p_{01} = \Pr(Z_n = 1 \mid Z_{n-1} = 0)$ and $p_{10} = \Pr(Z_n = 0 \mid Z_{n-1} = 1)$, we denote the latent transition matrix as

$$A = \begin{bmatrix} 1 - p_{01} & p_{01} \\ p_{10} & 1 - p_{10} \end{bmatrix}.$$

The initial state distribution is denoted $\pi = \Pr(Z_1 = 1)$.

The marginal distribution of the count at time $t$, given that $Z_t = 0$, is degenerate at 0, i.e. $\Pr(X_t = x_t \mid Z_t = 0) = I(X_t = 0)$, where $I(\cdot)$ is the indicator function. When $Z_t = 1$, we assume that the counts are distributed according to a negative binomial distribution with mean and size parameters given by $\phi = [\mu, s]$, i.e.

$$\Pr(X_t = x_t \mid Z_t = 1, \phi) = \frac{\Gamma(s + x_t)}{\Gamma(s)\,\Gamma(x_t + 1)} \left(\frac{s}{\mu + s}\right)^{s} \left(\frac{\mu}{\mu + s}\right)^{x_t}.$$

A useful fact is that the joint probability distribution over both latent and observed variables can be factored in a way that is useful for computation, since it separates the different parameter types:

$$\Pr(X = x, Z = z \mid \theta) = \Pr(Z_1 = z_1 \mid \pi) \prod_{t=2}^{T} \Pr(Z_t = z_t \mid Z_{t-1} = z_{t-1}, A) \times \prod_{t=1}^{T} \Pr(X_t = x_t \mid Z_t = z_t, \phi)$$

where $\theta = (\pi, A, \phi)$. Finally, the likelihood is

$$\Pr(X = x \mid \theta) = \sum_{z_1 = 0}^{1} \cdots \sum_{z_T = 0}^{1} \Pr(X = x, Z = z \mid \theta). \qquad (3.4)$$
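The following added example (not from the book) evaluates Equation (3.4) literally, summing the factored joint over every latent path, which takes $2^T$ terms. It then checks the result against the standard HMM forward recursion, a technique that goes beyond this page and gives the same likelihood in time linear in $T$. The counts and parameter values are constructed for illustration.

```python
import math
from itertools import product

def nb_pmf(x, mu, s):
    """Negative binomial pmf with mean mu and size s (the Z_t = 1 emission)."""
    log_p = (math.lgamma(s + x) - math.lgamma(s) - math.lgamma(x + 1)
             + s * math.log(s / (mu + s)) + x * math.log(mu / (mu + s)))
    return math.exp(log_p)

def emission(x, z, mu, s):
    """Pr(X_t = x | Z_t = z): point mass at 0 when z = 0, NB when z = 1."""
    return nb_pmf(x, mu, s) if z == 1 else float(x == 0)

def joint(x, z, pi, p01, p10, mu, s):
    """Factored joint Pr(X = x, Z = z | theta) for one latent path z."""
    A = [[1 - p01, p01], [p10, 1 - p10]]
    prob = pi if z[0] == 1 else 1 - pi
    for t in range(1, len(z)):
        prob *= A[z[t - 1]][z[t]]
    for xt, zt in zip(x, z):
        prob *= emission(xt, zt, mu, s)
    return prob

def likelihood_bruteforce(x, **theta):
    """Equation (3.4): sum the joint over all 2^T latent paths."""
    return sum(joint(x, z, **theta) for z in product((0, 1), repeat=len(x)))

def likelihood_forward(x, pi, p01, p10, mu, s):
    """Same likelihood via the forward recursion, O(T) instead of O(2^T)."""
    A = [[1 - p01, p01], [p10, 1 - p10]]
    alpha = [(1 - pi) * emission(x[0], 0, mu, s), pi * emission(x[0], 1, mu, s)]
    for xt in x[1:]:
        alpha = [sum(alpha[i] * A[i][j] for i in (0, 1)) * emission(xt, j, mu, s)
                 for j in (0, 1)]
    return sum(alpha)

# Constructed sample counts and made-up parameter values (assumptions).
COUNTS = [0, 0, 3, 7, 0, 2, 0, 0, 0, 5]
THETA = dict(pi=0.2, p01=0.1, p10=0.4, mu=4.0, s=1.5)

if __name__ == "__main__":
    print("brute force:", likelihood_bruteforce(COUNTS, **THETA))
    print("forward    :", likelihood_forward(COUNTS, **THETA))
```
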
Maximum Likelihood Estimates. Equation (3.4) involves $2^T$ terms, making it computationally infeasible to work with directly, for even moderately large $T$. Hence, we look to expectation maximization (EM) as
Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under
U.S. or applicable copyright law.
AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cybersecurity