An Improved Composite Hypothesis Test for Markov Models with Applications in Network Anomaly Detection
Jing Zhang, Ioannis Ch. Paschalidis

TL;DR
This paper introduces a more accurate threshold approximation for Markov-based composite hypothesis tests in network anomaly detection, improving false alarm control especially with small sample sizes.
Contribution
It develops a tighter threshold approximation using the CLT under Markov assumptions, enhancing anomaly detection accuracy over previous large deviations methods.
Findings
Tighter threshold approximation improves false alarm control.
Application to network anomaly detection demonstrates practical benefits.
Outperforms earlier large deviations-based methods.
Abstract
Recent work has proposed the use of a composite hypothesis Hoeffding test for statistical anomaly detection. Setting an appropriate threshold for the test given a desired false alarm probability involves approximating the false alarm probability. To that end, a large deviations asymptotic is typically used which, however, often results in an inaccurate setting of the threshold, especially for relatively small sample sizes. This, in turn, results in an anomaly detection test that does not control well for false alarms. In this paper, we develop a tighter approximation using the Central Limit Theorem (CLT) under Markovian assumptions. We apply our result to a network anomaly detection application and demonstrate its advantages over earlier work.
Taxonomy
Topics: Complex Network Analysis Techniques · Bayesian Modeling and Causal Inference · Network Security and Intrusion Detection
