Statistical Detection of Intruders Within Computer Networks

Once the edge models are fitted, we have all of the information we need to calculate path p-values. Let

$$
\Lambda_p = \sum_{e \in \text{path}} B_e X_e .
$$

The 3-path exceedance p-value is the mixture exceedance given by

$$
\begin{aligned}
P(\Lambda_p > \lambda_p)
&= \sum_{b_1=0}^{1} \sum_{b_2=0}^{1} \sum_{b_3=0}^{1} P(B_1 = b_1)\, P(B_2 = b_2)\, P(B_3 = b_3)\, P(\Lambda_p > \lambda_p \mid b_1, b_2, b_3) \\
&= \sum_{b_1=0}^{1} \sum_{b_2=0}^{1} \sum_{b_3=0}^{1} \prod_{i=1}^{3} (1 - \hat{p}_i)^{1 - b_i}\, \hat{p}_i^{\,b_i} \left[ 1 - F_\Gamma\!\left( \lambda_p \,\middle|\, \sum_{j=1}^{3} b_j \hat{\tau}_j,\ \hat{\eta} \right) \right],
\end{aligned}
$$

where we used the fact that the sum of Gamma random variables with common scale parameters is again Gamma.

3.4.6. Threshold determination

To obtain thresholds, we simulate ten days of per-minute counts for each edge with no anomalies introduced. We then slide 30-minute windows, offset by ten minutes, over the ten days, calculating the minimum p-value in each window, just as would be done in the full scanning procedure. See Section 3.5 for a brief discussion of the time-window choices. To achieve a false discovery rate of one alarm per day, we might take the tenth smallest p-value in the resulting list of p-values. But since the windows overlap, we choose to be less conservative, by counting minimum p-values resulting from consecutive windows on the same path as a single p-value, and find the tenth-smallest minimum p-value associated with non-consecutive windows. In this way, alarms over several overlapping windows only contribute one alarm to the threshold determination, which is exactly the way an analyst would view a series of consecutive alarms.

3.5. Simulation Study

In this section we describe a series of simulations. We use both star and path shapes to scan. Using both shapes allows us to directly compare paths with the method of Priebe et al. (2005), since the scan shape used in that work is the out-star. We will describe three anomaly shapes introduced into the simulation: the star anomaly, the path anomaly, and the caterpillar anomaly. The interplay between the shape of the true anomaly and the scan shape is significant. Not surprisingly, we will see that a path scan shape is better at detecting a path anomaly, and a star scan shape is better at detecting a star anomaly. On a mixed star/path shape, the caterpillar, stars tend to only identify parts of the anomaly, and paths generally discover the more complete anomalous shape, while both shapes tend to produce additional false edges.

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. Heard, Nicholas; Adams, Niall M.: Data Analysis for Network Cyber-security.
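As an added worked example (not the chapter's code), the following Python evaluates the 3-path mixture p-value above and applies the Section 3.4.6 threshold rule to per-window minima. It reads P(B_i = 1) = p̂_i and X_i | B_i = 1 ~ Gamma(τ̂_i, η̂) off the formula, uses a series expansion for the Gamma CDF so it needs no SciPy, and its window data are constructed, not simulated network counts.

```python
"""Added example (not the chapter's code): the 3-path exceedance p-value mixture
and the Section 3.4.6 threshold rule, run on constructed inputs (lambda_p > 0)."""
import itertools
import math

def gamma_sf(x, shape, scale):
    """1 - F_Gamma(x | shape, scale) via the regularized lower incomplete gamma
    series; shape == 0 (no active edge) is a point mass at 0, never above x > 0."""
    if shape == 0:
        return 0.0
    z = x / scale
    term = total = 1.0 / shape
    n = 0
    while term > 1e-16 * total:
        n += 1
        term *= z / (shape + n)
        total += term
    lower = math.exp(shape * math.log(z) - z - math.lgamma(shape)) * total
    return max(0.0, 1.0 - lower)

def path_p_value(lambda_p, p_hat, tau_hat, eta_hat):
    """P(Lambda_p > lambda_p): mixture over the 2^3 patterns (b1, b2, b3) weighted by
    prod (1 - p_i)^(1 - b_i) p_i^b_i; active edges' Gamma shapes add (common scale)."""
    total = 0.0
    for bits in itertools.product((0, 1), repeat=len(p_hat)):
        weight = math.prod(p if b else 1.0 - p for b, p in zip(bits, p_hat))
        shape = sum(b * t for b, t in zip(bits, tau_hat))
        total += weight * gamma_sf(lambda_p, shape, eta_hat)
    return total

def threshold_from_windows(window_minima, alarms=10):
    """window_minima: (path attaining the minimum, minimum p-value) for each 30-minute
    window in time order over the anomaly-free simulation. Runs of consecutive windows
    whose minimum lies on the same path count once; return the alarms-th smallest."""
    collapsed = []
    for i, (path, p) in enumerate(window_minima):
        if i > 0 and window_minima[i - 1][0] == path:
            collapsed[-1] = min(collapsed[-1], p)  # same run: keep one minimum
        else:
            collapsed.append(p)                   # a new run starts here
    return sorted(collapsed)[alarms - 1]

def naive_threshold(window_minima, alarms=10):
    """The more conservative rule the text rejects: alarms-th smallest of all minima."""
    return sorted(p for _, p in window_minima)[alarms - 1]

# Constructed per-window minima; a ten-day run would have one window per ten minutes.
WINDOW_MINIMA = [("A", 0.010), ("A", 0.002), ("B", 0.030), ("A", 0.004),
                 ("C", 0.001), ("C", 0.0005), ("B", 0.020), ("D", 0.008),
                 ("D", 0.006), ("E", 0.050), ("F", 0.015), ("F", 0.012)]
```

With `alarms=3` on the constructed data the collapsed rule returns 0.004 while the naive rule returns 0.002, showing how merging runs on one path yields the less conservative threshold.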