Inference_for_Graphs_and_Networks.pdf


Statistical Detection of Intruders Within Computer Networks, in Heard, Nicholas; Adams, Niall M.; Data Analysis for Network Cyber-security. Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.

Once the edge models are fitted, we have all of the information we need to calculate path $p$-values. Let $\Lambda_p = \sum_{e \in \text{path}} B_e X_e$. The 3-path exceedance $p$-value is the mixture exceedance given by

$$
\begin{aligned}
P(\Lambda_p > \lambda_p) &= \sum_{b_1=0}^{1} \sum_{b_2=0}^{1} \sum_{b_3=0}^{1} P(B_1 = b_1)\, P(B_2 = b_2)\, P(B_3 = b_3)\, P(\Lambda_p > \lambda_p \mid b_1, b_2, b_3) \\
&= \sum_{b_1=0}^{1} \sum_{b_2=0}^{1} \sum_{b_3=0}^{1} \left[ \prod_{i=1}^{3} (1 - \hat{p}_i)^{1 - b_i}\, \hat{p}_i^{\,b_i} \right] \left( 1 - F_\Gamma\!\left( \lambda_p \,\Big|\, \sum_{j=1}^{3} b_j \hat{\tau}_j,\ \hat{\eta} \right) \right)
\end{aligned}
$$

where we used the fact that the sum of Gamma random variables with common scale parameters is again Gamma.

### 3.4.6. Threshold determination

To obtain thresholds, we simulate ten days of per-minute counts for each edge with no anomalies introduced. We then slide 30-minute windows, offset by ten minutes, over the ten days, calculating the minimum $p$-value in each window, just as would be done in the full scanning procedure. See the scanning procedure discussion in Section 3.5 for a brief discussion of the time-window choices. To achieve a false discovery rate of one alarm per day, we might take the tenth smallest $p$-value in the resulting list of $p$-values. But since the windows overlap, we choose to be less conservative, by counting minimum $p$-values resulting from consecutive windows on the same path as a single $p$-value, and find the tenth-smallest minimum $p$-value associated with non-consecutive windows. In this way, alarms over several overlapping windows only contribute one alarm to the threshold determination, which is exactly the way an analyst would view a series of consecutive alarms.

### 3.5. Simulation Study

In this section we describe a series of simulations. We use both star and path shapes to scan. Using both shapes allows us to directly compare paths with the method of Priebe et al. (2005), since the scan shape used in that work is the out-star. We will describe three anomaly shapes introduced into the simulation: the star anomaly, the path anomaly, and the caterpillar anomaly. The interplay between the shape of the true anomaly and the scan shape is significant. Not surprisingly, we will see that a path scan shape is better at detecting a path anomaly, and a star scan shape is better at detecting a star anomaly. On a mixed star/path shape, the caterpillar, stars tend to only identify parts of the anomaly, and paths generally discover the more complete anomalous shape, while both shapes tend to produce additional false edges.
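The threshold procedure of Section 3.4.6, as an added example that is not code from the book: it merges consecutive windows whose minimum lies on the same path and takes the tenth-smallest merged value, next to the naive tenth-smallest over all windows. The function names, the constructed sample of per-window minima, and the choice to represent a merged run by its smallest p-value are assumptions.

```python
from itertools import groupby

WIDTH, OFFSET = 30, 10  # minutes: 30-minute windows offset by ten minutes (from the text)

def window_starts(n_minutes, width=WIDTH, offset=OFFSET):
    """Start minute of every full window that fits in the simulated period."""
    return list(range(0, n_minutes - width + 1, offset))

def window_minima(scores):
    """scores[w] maps path -> p-value in window w; return (path, min p) per window."""
    return [min(s.items(), key=lambda kv: kv[1]) for s in scores]

def merge_consecutive(minima):
    """Collapse each run of consecutive windows whose minimum lies on the same path
    into one event. Assumption: the run is represented by its smallest p-value."""
    return [(path, min(p for _, p in run))
            for path, run in groupby(minima, key=lambda m: m[0])]

def naive_threshold(minima, k=10):
    """k-th smallest per-window minimum, overlapping windows counted separately."""
    return sorted(p for _, p in minima)[k - 1]

def merged_threshold(minima, days=10, alarms_per_day=1):
    """k-th smallest merged minimum with k = days * alarms_per_day."""
    k = days * alarms_per_day
    events = sorted(p for _, p in merge_consecutive(minima))
    if len(events) < k:
        raise ValueError("fewer than k non-consecutive events: simulate a longer period")
    return events[k - 1]

# Constructed sample: (path attaining the minimum, minimum p-value) per window.
SAMPLE = [
    ("p1", 0.020), ("p2", 0.001), ("p2", 0.002), ("p2", 0.003),
    ("p3", 0.030), ("p4", 0.004), ("p5", 0.050), ("p6", 0.006),
    ("p6", 0.005), ("p7", 0.007), ("p8", 0.008), ("p9", 0.009),
    ("p10", 0.010), ("p11", 0.011), ("p12", 0.012), ("p13", 0.040),
]

if __name__ == "__main__":
    print(len(window_starts(10 * 24 * 60)), "windows in ten days")
    print("naive threshold :", naive_threshold(SAMPLE))
    print("merged threshold:", merged_threshold(SAMPLE))
```

On the constructed sample the merged threshold is larger than the naive one, because the three-window run on one path and the two-window run on another each count once.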
• Spring '12
• Kushal Kanwar