Rapid Detection of Attacks by Quickest Changepoint Detection Methods, in Heard, Nicholas, Adams, Niall M.; Data Analysis for Network Cyber-security. Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.

There are various formulations of the optimum tradeoff problem, which differ in the way the terms “detection delay” and “false alarm rate” are defined (see Polunchenko and Tartakovsky (2012) for a detailed overview). We now outline two optimality approaches that are of greatest interest for our purposes.

A minimax formulation was proposed by Lorden (1971) and later by Pollak (1985), who suggested a different measure of detection speed. This formulation regards the changepoint $\nu$ as unknown, but not random. The goal is to minimize the worst-case average delay to detection, subject to a lower bound on the mean time to false alarm.

The second is a Bayesian formulation, introduced by Shiryaev (1963). In contrast to the minimax formulation, the Bayesian formulation assumes that the changepoint $\nu$ is a random variable with a known (prior) distribution. The objective is to minimize the expected delay, subject to an upper bound on the weighted false alarm probability. Since it is not feasible to model the prior distribution of the time at which a network traffic anomaly occurs, we will assume that the changepoint has an improper uniform distribution on the positive line, leading to a generalized Bayesian solution (also related to a more practical setting of detecting changes occurring in a distant future (Pollak and Tartakovsky, 2009)).

Hereafter, let $P_k$ and $P_\infty$ denote the probability measures when a change takes place at $0 \le \nu = k < \infty$ and when no change ever occurs, and let $E_k$ and $E_\infty$ be the corresponding expectations. Lorden’s (1971) minimax changepoint detection theory measures the false alarm rate in terms of $E_\infty T$, the average run length (ARL) to false alarm (ARL2FA). Specifically, define $C_\gamma = \{T : E_\infty T \ge \gamma\}$, the class of procedures for which the ARL2FA is no less than the desired chosen level $\gamma > 1$. To measure the detection speed, Lorden (1971) suggested the following “worst-worst-case” essential supremum average detection delay (ESADD)

$$\mathrm{ESADD}(T) = \sup_{0 \le \nu < \infty} \operatorname{ess\,sup} E_\nu\left[(T - \nu)^+ \mid X_1, \ldots, X_\nu\right], \tag{2.2}$$

where $x^+ = \max\{0, x\}$. In other words, the detection delay is maximized over both the changepoint and the trajectory of observations.
A measure of detection delay more suitable for practical purposes was proposed by Pollak (1985), who instead suggested using

$$\mathrm{SADD}(T) = \sup_{0 \le \nu < \infty} E_\nu(T - \nu \mid T > \nu), \tag{2.3}$$

i.e., the maximal (supremum) conditional average detection delay (SADD), provided a false alarm has not sounded. In the following, this detection speed measure will be used along with the stationary average detection delay (ADD) ($\mathrm{STADD}(T)$) introduced below.
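The two quantities a detector is tuned against, the ARL2FA $E_\infty T$ and the conditional delay in (2.3), can be estimated by simulation. The following is an added example, not code from the book: it assumes a CUSUM stopping rule on unit-variance Gaussian observations whose mean shifts from 0 to `theta`, a threshold `h`, a finite grid of changepoints in place of the supremum, and the convention that $X_{\nu+1}$ is the first post-change observation.

```python
import random

def stopping_time(nu, theta, h, rng, horizon=100_000):
    """First n with CUSUM statistic W_n >= h (assumed detector, not from the text).
    X_1..X_nu ~ N(0,1), X_{nu+1},... ~ N(theta,1); nu=None means no change (P_infinity)."""
    w = 0.0
    for n in range(1, horizon + 1):
        mean = theta if (nu is not None and n > nu) else 0.0
        x = rng.gauss(mean, 1.0)
        # Add the log-likelihood ratio of N(theta,1) vs N(0,1), reflect at zero.
        w = max(0.0, w + theta * x - theta * theta / 2.0)
        if w >= h:
            return n
    return horizon  # truncated run; horizon is chosen far above the ARL2FA

def arl2fa(theta, h, runs, rng):
    """Monte Carlo estimate of E_infinity[T], the average run length to false alarm."""
    return sum(stopping_time(None, theta, h, rng) for _ in range(runs)) / runs

def cadd(nu, theta, h, runs, rng):
    """Estimate of E_nu[T - nu | T > nu]; runs that false-alarm by time nu are discarded."""
    delays = []
    for _ in range(runs):
        t = stopping_time(nu, theta, h, rng)
        if t > nu:
            delays.append(t - nu)
    return sum(delays) / len(delays)

def sadd(theta, h, runs, rng, nus=(0, 5, 20, 50)):
    """Supremum over nu in (2.3), approximated by a maximum over a finite grid."""
    return max(cadd(nu, theta, h, runs, rng) for nu in nus)

if __name__ == "__main__":
    rng = random.Random(2014)               # constructed seed, for repeatability
    theta, h, gamma = 1.0, 3.0, 100.0       # constructed parameters
    a = arl2fa(theta, h, 1000, rng)
    print(f"ARL2FA ~ {a:.1f}; procedure in C_gamma (gamma={gamma}): {a >= gamma}")
    for nu in (0, 5, 20, 50):
        print(f"nu={nu:3d}  E_nu[T-nu | T>nu] ~ {cadd(nu, theta, h, 1000, rng):.2f}")
    print(f"SADD over grid ~ {sadd(theta, h, 1000, rng):.2f}")
```

Raising `h` lengthens the ARL2FA and the detection delay together, which is the tradeoff the constraint $T \in C_\gamma$ fixes on one side.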