Comparison of anomaly signal quality in common detection metrics

  • Authors: Daniela Brauckhoff; Martin May; Bernhard Plattner
  • Affiliations: ETH Zurich, Zurich, Switzerland (all authors)
  • Venue: Proceedings of the 3rd annual ACM workshop on Mining network data
  • Year: 2007

Abstract

Problems involving classification and pattern recognition can often be profitably viewed from the perspective of signal detection theory. We present ANEX (ANomaly EXposure), a simple and intuitive measure for comparing anomaly detection metrics regarding their capability to expose certain types of anomalies. ANEX is based on signal detection theory and determines the anomaly signal quality with the help of the intersection area of the metric's probability density functions in the normal and anomalous case. We illustrate the applicability of our measure by comparing 15 frequently-used detection metrics for the Blaster worm and discuss some early results by comparing NetFlow data from four different border gateway routers of a medium-sized ISP network.