Event detection from time series data
KDD '99 Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery and data mining
A unifying framework for detecting outliers and change points from non-stationary time series data
Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
A Unifying Framework for Detecting Outliers and Change Points from Time Series
IEEE Transactions on Knowledge and Data Engineering
Inferring Internet denial-of-service activity
ACM Transactions on Computer Systems (TOCS)
A practical and robust inter-domain marking scheme for IP traceback
Computer Networks: The International Journal of Computer and Telecommunications Networking
On deterministic packet marking
Computer Networks: The International Journal of Computer and Telecommunications Networking
MULTOPS: a data-structure for bandwidth attack detection
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
A router-based technique to mitigate reduction of quality (RoQ) attacks
Computer Networks: The International Journal of Computer and Telecommunications Networking
Description logics for an autonomic IDS event analysis system
Computer Communications
Is it congestion or a DDoS attack?
IEEE Communications Letters
Defending against flooding-based distributed denial-of-service attacks: a tutorial
IEEE Communications Magazine
IEEE Communications Magazine
Hi-index | 0.24 |
Change-point detection schemes, which represent one type of anomaly detection schemes, are a promising approach for detecting network anomalies, such as attacks and epidemics by unknown viruses and worms. These events are detected as change-points. However, the schemes generally also detect false-positive change-points caused by other events, such as improper parameter setting of detectors. Therefore there is a requirement for a scheme that detects only true-positive change-points caused by attacks and epidemics by unknown viruses and worms. The true-positive change-points tend to occur simultaneously and intensively in very large numbers, while the false-positive change-points tend to occur independently. Therefore, we expect that the multi-stage change-point detection scheme, which performs change-point detection in a distributed manner and takes account of the correlation among multiple change-points, can exclude false-positive change-points by neglecting those that occur independently. In this paper, we propose the multi-stage change-point detection scheme and introduce a weighting function that gives smaller weight to LDs with higher false-positive rate inferred by GD in order to avoid a set of false-positive alerts generated by the low-accuracy detectors from causing high false-positive rate of the scheme. We evaluate the performance of the scheme by a simulation using the parameter values obtained in an experiment using real random scan worms. In the evaluation, we modify AAWP (Analytical Active Worm Propagation) model so that it can derive the number of infected hosts (i.e., attack hosts) more accurately by considering a failure of infection behavior by random scan worms. The simulation results show that our scheme can achieve an optimal performance (detection rate of 1.0 and false-positive rate of 0) while the stand-alone change-point detection scheme, which does not use the correlation among multiple change-points, cannot attain such optimal performance, and our scheme with alert weighting always shows better detection performance than the scheme without alert weighting.