Ebsco publishing ebook collection ebscohost printed

EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 2/16/2016 3:37 AM via CGC-GROUP OF COLLEGES (GHARUAN) AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cyber-security Account: ns224671
A. G. Tartakovsky

regime), assuming the detection procedure is applied anew after each time the detection statistic exceeds the threshold. Pollak and Tartakovsky (2009) showed that if a change takes place after many successive re-runs of a stopping time $T$, the expected delay is minimized asymptotically as $\nu \to \infty$ over all multi-cyclic procedures with E T γ for every $\gamma > 1$ by the original (multi-cyclic) SR procedure. In other words, the SR procedure is strictly optimal in the i.i.d. case with respect to the stationary average delay to detection (STADD) given by

$$\mathrm{STADD}(T) = \lim_{\nu \to \infty} \mathsf{E}_\nu \left( N_1 + N_2 + \cdots + N_{J_\nu} - \nu \right) \tag{2.9}$$

for every $\gamma > 1$. Since computer intrusions most likely start long after surveillance begins, the SR type statistics are preferable to CUSUM.

Figure 2.2 illustrates this multi-cyclic scenario, where $N_1, N_2, \ldots$ are sequential independent repetitions of a stopping time $T$, e.g., the CUSUM or SR detection algorithm. There are multiple false alarms and the detection statistic is renewed from scratch each time. Note also that recent research shows that the difference in performance between SR and CUSUM is visible only when detecting dim changes (Tartakovsky et al., 2012), as we also verified in our experiments with real attacks.

For the purpose of illustration, Figure 2.3 compares the behavior of the CUSUM and SR statistics for a simulated trajectory from the Gaussian i.i.d. model with a change in the mean from 0 to 1 and standard deviation 1. The thresholds in both procedures were selected to guarantee the same ARL2FA. The change occurs at $\nu = 200$, i.e., relatively far from the beginning. In this particular case, the CUSUM statistic exits over the threshold a little later than the SR statistic, as expected from our previous discussion. We plot $\log(R_n)$ to be on the same scale with CUSUM $W_n$.
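The multi-cyclic scenario and the CUSUM/SR comparison described above, as an added Python example that is not code from the chapter: it applies the standard CUSUM and Shiryaev-Roberts recursions (not shown in this excerpt) to a Gaussian mean shift from 0 to 1, renews the statistic after every alarm, and reports the false-alarm times and the delay $T - \nu$. The function names, the seed and the common log-scale threshold log 50 are assumptions made here; that threshold is not calibrated to equal ARL2FA as the thresholds in Figure 2.3 are.

```python
import math
import random

def llr(x, mu=1.0, sigma=1.0):
    """Log-likelihood ratio of N(mu, sigma^2) against N(0, sigma^2) for one sample."""
    return (mu * x - 0.5 * mu * mu) / sigma ** 2

def cusum_step(w, z):
    """CUSUM recursion W_n = max(0, W_{n-1} + Z_n); start value W_0 = 0."""
    return max(0.0, w + z)

def sr_step(log_r, z):
    """SR recursion R_n = (1 + R_{n-1}) exp(Z_n), carried as log R_n so it
    shares a scale with W_n; start value log R_0 = -inf (R_0 = 0)."""
    return math.log1p(math.exp(log_r)) + z

def multicyclic(xs, step, start, h, nu):
    """Run one detector over xs, renewing it from `start` after every alarm.

    nu is the index of the last pre-change sample. Returns the list of
    false-alarm times (alarms at n <= nu) and the delay T - nu of the first
    alarm after nu, or None if the stream ends without a detection."""
    stat, false_alarms = start, []
    for n, x in enumerate(xs, start=1):
        stat = step(stat, llr(x))
        if stat >= h:
            if n > nu:
                return false_alarms, n - nu
            false_alarms.append(n)
            stat = start  # false alarm: restart the statistic from scratch
    return false_alarms, None

if __name__ == "__main__":
    rng = random.Random(7)  # constructed sample path, not data from the book
    nu = 200
    xs = [rng.gauss(0.0, 1.0) for _ in range(nu)]
    xs += [rng.gauss(1.0, 1.0) for _ in range(100)]
    h = math.log(50.0)  # assumed threshold on the log scale, not ARL2FA-matched
    for name, step, start in (("CUSUM", cusum_step, 0.0),
                              ("SR", sr_step, -math.inf)):
        false_alarms, delay = multicyclic(xs, step, start, h, nu)
        print(f"{name}: false alarms at {false_alarms}, delay {delay}")
```

With one shared log-scale threshold, $W_n \le \log R_n$ whenever $W_n > 0$, so SR crosses no later than CUSUM within a cycle and also raises more false alarms; a like-for-like comparison needs thresholds matched on ARL2FA.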
The plots of the conditional average delay to detection $\mathrm{ADD}_\nu(T) = \mathsf{E}_\nu(T - \nu \mid T > \nu)$ versus the changepoint $\nu$ for several detection procedures described above are shown in Figure 2.4. These plots were obtained solving

Fig. 2.2. Illustration of the typical multi-cyclic surveillance scenario.

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.
Rapid Detection of Attacks by Quickest Changepoint Detection Methods

[Fig. 2.3. Two panels plotted against Time: Observed Data; Detection Statistic. Legend: Shiryaev-Roberts, Cusum, Shiryaev-Roberts Threshold, Cusum Threshold, False Alarm, Shiryaev-Roberts Detection, Cusum Detection, Change Point.]