We consider the problem of efficient on-line anomaly detection in computer network traffic. The problem is approached statistically, as that of sequential (quickest) changepoint detection. A multi-cyclic setting of quickest change detection is a natural fit for this problem. We propose a novel score-based multi-cyclic detection algorithm. The algorithm is based on the so-called Shiryaev-Roberts procedure. This procedure is as easy to employ in practice and as computationally inexpensive as the popular Cumulative Sum chart and the Exponentially Weighted Moving Average scheme. The likelihood ratio based Shiryaev-Roberts procedure has appealing optimality properties; in particular, it is exactly optimal in a multi-cyclic setting geared to detect a change occurring at a far time horizon. It is therefore expected that an intrusion detection algorithm based on the Shiryaev-Roberts procedure will perform better than other detection schemes. This is confirmed experimentally for real traces. We also discuss the possibility of complementing our anomaly detection algorithm with a spectral-signature intrusion detection system with false alarm filtering and true attack confirmation capability, so as to obtain a synergistic system.
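As an added illustration (not code from the paper), the multi-cyclic score-based Shiryaev-Roberts detector described above, next to the Cumulative Sum chart it is compared with, run over a constructed traffic-rate sequence with a mean shift. The Gaussian mean-shift score, the thresholds and the sample data are assumptions of this example; the paper does not fix a traffic model.

```python
import math


def gaussian_log_lr(x, mu0=0.0, mu1=1.0, sigma=1.0):
    """Per-observation log-likelihood ratio (the 'score') for a shift in
    mean from mu0 to mu1 with known sigma. Assumed model for this example."""
    return ((mu1 - mu0) * x - (mu1 ** 2 - mu0 ** 2) / 2.0) / sigma ** 2


def sr_multicyclic(scores, threshold):
    """Multi-cyclic Shiryaev-Roberts procedure.

    Statistic: R_n = (1 + R_{n-1}) * exp(score_n), R_0 = 0.
    An alarm is raised when R_n >= threshold; the statistic is then
    restarted from 0 so that monitoring continues (multi-cyclic use).
    Returns the 0-based indices at which alarms were raised."""
    alarms, r = [], 0.0
    for n, s in enumerate(scores):
        r = (1.0 + r) * math.exp(s)
        if r >= threshold:
            alarms.append(n)
            r = 0.0
    return alarms


def cusum_multicyclic(scores, threshold):
    """Cumulative Sum chart on the same scores, also restarted after an alarm.

    Statistic: W_n = max(0, W_{n-1} + score_n), W_0 = 0."""
    alarms, w = [], 0.0
    for n, s in enumerate(scores):
        w = max(0.0, w + s)
        if w >= threshold:
            alarms.append(n)
            w = 0.0
    return alarms


# Constructed input: 20 in-control observations hovering around 0, then 15
# observations after an abrupt shift to level 2.0 (the changepoint is index 20).
CHANGEPOINT = 20
SAMPLE = [0.1 if i % 2 == 0 else -0.1 for i in range(CHANGEPOINT)] + [2.0] * 15
SCORES = [gaussian_log_lr(x) for x in SAMPLE]


def run_example(sr_threshold=50.0):
    """Run both detectors; CUSUM uses the log of the SR threshold, so that
    the two charts are compared on a comparable scale."""
    return (sr_multicyclic(SCORES, sr_threshold),
            cusum_multicyclic(SCORES, math.log(sr_threshold)))
```

Because the pre-change scores are negative, the SR statistic stays bounded below the threshold before the change and crosses it within two post-change observations, after which each restart cycle alarms again while the shift persists.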