Recent work has proposed the use of a composite hypothesis Hoeffding test for statistical anomaly detection. Setting an appropriate threshold for the test given a desired false alarm probability involves approximating the false alarm probability. To that end, a large deviations asymptotic is typically used which, however, often results in an inaccurate setting of the threshold, especially for relatively small sample sizes. This, in turn, results in an anomaly detection test that does not control well for false alarms. In this paper, we develop a tighter approximation using the Central Limit Theorem (CLT) under Markovian assumptions. We apply our result to a network anomaly detection application and demonstrate its advantages over earlier work.