Efficient Computer Network Anomaly Detection by Changepoint Detection Methods
Alexander G. Tartakovsky, Aleksey S. Polunchenko, Grigory Sokolov

TL;DR
This paper introduces a computationally efficient, statistically grounded multi-cyclic changepoint detection algorithm based on the Shiryaev-Roberts procedure, optimized for real-time computer network anomaly detection and confirmed by experiments.
Contribution
It proposes a novel score-based multi-cyclic detection algorithm using the Shiryaev-Roberts procedure, enhancing anomaly detection performance in network traffic.
Findings
The algorithm is as easy to implement as CUSUM and EWMA.
The method is exactly optimal in multi-cyclic settings for distant change points.
Experimental results show improved detection performance on real network traces.
Abstract
We consider the problem of efficient on-line anomaly detection in computer network traffic. The problem is approached statistically, as that of sequential (quickest) changepoint detection. A multi-cyclic setting of quickest change detection is a natural fit for this problem. We propose a novel score-based multi-cyclic detection algorithm. The algorithm is based on the so-called Shiryaev-Roberts procedure. This procedure is as easy to employ in practice and as computationally inexpensive as the popular Cumulative Sum chart and the Exponentially Weighted Moving Average scheme. The likelihood ratio based Shiryaev-Roberts procedure has appealing optimality properties, particularly it is exactly optimal in a multi-cyclic setting geared to detect a change occurring at a far time horizon. It is therefore expected that an intrusion detection algorithm based on the Shiryaev-Roberts procedure…
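The abstract contrasts the Shiryaev-Roberts (SR) statistic with CUSUM and describes running it in a multi-cyclic mode (alarm, reset, keep monitoring). The following is an added worked example, not code from the paper or its authors, that implements both statistics as score-based recursions over a constructed trace of packet counts per time bin. The Poisson rates (10 pre-change, 15 post-change), the thresholds, and the sample trace are assumptions chosen for illustration; the score plugged into both detectors is the log-likelihood ratio, which is one possible choice of score.

```python
"""Multi-cyclic Shiryaev-Roberts (SR) versus CUSUM changepoint detection.

Added worked example, not code from the paper. Observations are packet
counts per time bin, modelled as Poisson(LAMBDA0) before the change and
Poisson(LAMBDA1) after it (assumed parameters). The score is the
log-likelihood ratio of one observation under the two hypotheses.
"""
import math
import random
from typing import Callable, List

LAMBDA0 = 10.0  # assumed pre-change mean packet count per bin
LAMBDA1 = 15.0  # assumed post-change mean packet count per bin


def poisson_llr(x: float, lam0: float = LAMBDA0, lam1: float = LAMBDA1) -> float:
    """log[f1(x)/f0(x)] for Poisson(lam1) vs Poisson(lam0); the x! terms cancel."""
    return x * math.log(lam1 / lam0) - (lam1 - lam0)


def sr_multicyclic(xs: List[float], threshold: float,
                   score: Callable[[float], float] = poisson_llr) -> List[int]:
    """Shiryaev-Roberts recursion R_n = (1 + R_{n-1}) * exp(score(x_n)), R_0 = 0.

    An alarm is raised when R_n >= threshold; the statistic is then reset to
    zero and monitoring continues (multi-cyclic mode). Returns the 1-based
    observation indices at which alarms were raised.
    """
    r = 0.0
    alarms: List[int] = []
    for n, x in enumerate(xs, start=1):
        r = (1.0 + r) * math.exp(score(x))
        if r >= threshold:
            alarms.append(n)
            r = 0.0
    return alarms


def cusum_multicyclic(xs: List[float], threshold: float,
                      score: Callable[[float], float] = poisson_llr) -> List[int]:
    """CUSUM recursion W_n = max(0, W_{n-1} + score(x_n)), W_0 = 0, same reset rule."""
    w = 0.0
    alarms: List[int] = []
    for n, x in enumerate(xs, start=1):
        w = max(0.0, w + score(x))
        if w >= threshold:
            alarms.append(n)
            w = 0.0
    return alarms


def constructed_trace(pre_len: int = 50, post_len: int = 20) -> List[float]:
    """Constructed deterministic trace: bins at the pre-change mean, then at the post-change mean."""
    return [LAMBDA0] * pre_len + [LAMBDA1] * post_len


def noisy_trace(pre_len: int, post_len: int, seed: int = 7) -> List[float]:
    """Constructed noisy trace with Poisson counts (Knuth's sampler, seeded for repeatability)."""
    rng = random.Random(seed)

    def poisson(lam: float) -> float:
        k, p, limit = 0, 1.0, math.exp(-lam)
        while p > limit:
            k += 1
            p *= rng.random()
        return float(k - 1)

    return [poisson(LAMBDA0) for _ in range(pre_len)] + [poisson(LAMBDA1) for _ in range(post_len)]


if __name__ == "__main__":
    # On the deterministic trace the change starts at observation 51.
    xs = constructed_trace()
    print("SR alarms (A=100):   ", sr_multicyclic(xs, threshold=100.0))
    print("CUSUM alarms (h=4.6):", cusum_multicyclic(xs, threshold=4.6))
    # Same detectors on a noisy trace; alarms before index 201 are false alarms.
    ys = noisy_trace(200, 50)
    print("SR alarms, noisy:    ", sr_multicyclic(ys, threshold=100.0))
    print("CUSUM alarms, noisy: ", cusum_multicyclic(ys, threshold=4.6))
```

On the deterministic trace the SR statistic settles at a small positive value during the pre-change period (it never decays to zero, unlike CUSUM's clamp at zero), and after the change it crosses the threshold and re-arms repeatedly while the elevated rate persists. The thresholds here are not calibrated to a common false-alarm rate, so the alarm times of the two detectors are not a fair head-to-head comparison; calibrating the threshold to a target mean time between false alarms is the step a deployment would add.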
