Journal
IEEE JOURNAL OF SELECTED TOPICS IN SIGNAL PROCESSING
Volume 7, Issue 1, Pages 4-11Publisher
IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/JSTSP.2012.2233713
Keywords
Changepoint detection; cybersecurity; CUSUM; distributed denial-of-service attacks; intrusion detection; network traffic; Shiryaev-Roberts Procedure; TCP SYN attacks
Categories
Funding
- U.S. National Science Foundation [CCF-0830419]
- U.S. Defense Threat Reduction Agency at the University of Southern California, Department of Mathematics [HDTRA1-10-1-0086]
Ask authors/readers for more resources
We consider the problem of efficient on-line anomaly detection in computer network traffic. The problem is approached statistically, as that of sequential (quickest) changepoint detection. A multi-cyclic setting of quickest change detection is a natural fit for this problem. We propose a novel score-based multi-cyclic detection algorithm. The algorithm is based on the so-called Shiryaev-Roberts procedure. This procedure is as easy to employ in practice and as computationally inexpensive as the popular Cumulative Sum chart and the Exponentially Weighted Moving Average scheme. The likelihood ratio based Shiryaev-Roberts procedure has appealing optimality properties, particularly it is exactly optimal in a multi-cyclic setting geared to detect a change occurring at a far time horizon. It is therefore expected that an intrusion detection algorithm based on the Shiryaev-Roberts procedure will perform better than other detection schemes. This is confirmed experimentally for real traces. We also discuss the possibility of complementing our anomaly detection algorithm with a spectral-signature intrusion detection system with false alarm filtering and true attack confirmation capability, so as to obtain a synergistic system.
Authors
I am an author on this paper
Click your name to claim this paper and add it to your profile.
Reviews
Recommended
No Data Available