Detection of intrusions in information systems by sequential change-point methods

Alexander G. Tartakovsky, Boris L. Rozovskii, Rudolf B. Blažek, Hongjoong Kim

Research output: Contribution to journal › Article

119 Citations (Scopus)

Abstract

Sequential multi-chart detection procedures for detecting changes in multichannel sensor systems are developed. In the case of complete information on pre-change and post-change distributions, the detection algorithm represents a likelihood ratio-based multichannel generalization of Page's cumulative sum (CUSUM) test that is applied to general stochastic models that may include correlated and nonstationary observations. There are many potential application areas where it is necessary to consider multichannel generalizations and general statistical models. In this paper our main motivation for doing so is network security: rapid anomaly detection for an early detection of attacks in computer networks that lead to changes in network traffic. Moreover, this kind of application encourages the development of a nonparametric multichannel detection test that does not use exact pre-change (legitimate) and post-change (attack) traffic models. The proposed nonparametric method can be effectively applied to detect a wide variety of attacks such as denial-of-service attacks, worm-based attacks, port-scanning, and man-in-the-middle attacks. In addition, we propose a multichannel CUSUM procedure that is based on binary quantized data; this procedure turns out to be more efficient than the previous two algorithms in certain scenarios. All proposed detection algorithms are based on the change-point detection theory. They utilize the thresholding of test statistics to achieve a fixed rate of false alarms, while allowing changes in statistical models to be detected "as soon as possible". Theoretical frameworks for the performance analysis of detection procedures, as well as results of Monte Carlo simulations for a Poisson example and results of detecting real flooding attacks, are presented.
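As an added illustration (not code from the paper), the likelihood-ratio multichannel CUSUM described above, worked for the Poisson case the abstract mentions: each channel runs Page's test against assumed pre-change and post-change rates lam0 and lam1, the first channel to cross the threshold raises the alarm, and a Monte Carlo routine shows how the threshold sets the mean time between false alarms. The rates, threshold and per-interval counts are constructed assumptions, not data from the paper.

```python
import math
import random

def poisson_llr(x, lam0, lam1):
    """Log-likelihood ratio of one Poisson count x: rate lam1 (attack) vs lam0 (normal)."""
    return x * math.log(lam1 / lam0) - (lam1 - lam0)

def multichannel_cusum(streams, lam0, lam1, threshold):
    """Page's CUSUM on every channel in parallel (the multi-chart scheme): each channel
    keeps its own statistic, clipped at zero, and the first one to reach the threshold
    raises the alarm. Returns (alarm_time, channel), 1-based time, or (None, None)."""
    stats = [0.0] * len(streams)
    for t in range(len(streams[0])):
        for k, counts in enumerate(streams):
            stats[k] = max(0.0, stats[k] + poisson_llr(counts[t], lam0, lam1))
            if stats[k] >= threshold:
                return t + 1, k
    return None, None

def poisson_sample(lam, rng):
    """Knuth's Poisson sampler; fine for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def mean_time_to_false_alarm(lam0, lam1, threshold, n_channels, runs=50, max_len=2000, seed=1):
    """Monte Carlo estimate of the mean run length on pure lam0 traffic (no attack) before
    a false alarm; runs reaching max_len are truncated, so this is a lower bound. A higher
    threshold lengthens it at the cost of slower detection of a real change."""
    rng = random.Random(seed)
    total = 0
    for _ in range(runs):
        streams = [[poisson_sample(lam0, rng) for _ in range(max_len)]
                   for _ in range(n_channels)]
        t, _ = multichannel_cusum(streams, lam0, lam1, threshold)
        total += t if t is not None else max_len
    return total / runs

# Constructed sample: per-interval packet counts from three sensors at a normal rate
# of about 5; channel 1 jumps to about 20 from interval 21 on (constructed values).
BASE = [5, 4, 6, 5, 7, 3, 5, 6, 4, 5, 5, 6, 4, 5, 7, 5, 4, 6, 5, 5]
STREAMS = [BASE + [4, 6, 5, 5], BASE + [18, 22, 19, 21], BASE + [5, 3, 6, 4]]

if __name__ == "__main__":
    print(multichannel_cusum(STREAMS, lam0=5, lam1=20, threshold=25))  # (22, 1)
    print(mean_time_to_false_alarm(5, 20, 25, n_channels=3))
```

With these numbers every baseline count of 10 or less has a negative log-likelihood ratio, so the statistics stay at zero until the change and the alarm fires on the second post-change observation of channel 1.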

Original language: English
Pages (from-to): 252-293
Number of pages: 42
Journal: Statistical Methodology
Volume: 3
Issue number: 3
DOI: 10.1016/j.stamet.2005.05.003
Publication status: Published - 2006 Jul 1

Keywords

  • Change-point detection
  • Cumulative sum
  • Denial of service
  • Intrusion detection
  • Multichannel information systems
  • Page's test
  • Rapid detection
  • Sequential tests

ASJC Scopus subject areas

  • Statistics and Probability

Cite this

Detection of intrusions in information systems by sequential change-point methods. / Tartakovsky, Alexander G.; Rozovskii, Boris L.; Blažek, Rudolf B.; Kim, Hongjoong.

In: Statistical Methodology, Vol. 3, No. 3, 01.07.2006, p. 252-293.

Research output: Contribution to journal › Article

Tartakovsky, Alexander G.; Rozovskii, Boris L.; Blažek, Rudolf B.; Kim, Hongjoong. Detection of intrusions in information systems by sequential change-point methods. In: Statistical Methodology. 2006; Vol. 3, No. 3. pp. 252-293.
@article{52068c8abfc847ce88051f481e97bb64,
title = "Detection of intrusions in information systems by sequential change-point methods",
abstract = "Sequential multi-chart detection procedures for detecting changes in multichannel sensor systems are developed. In the case of complete information on pre-change and post-change distributions, the detection algorithm represents a likelihood ratio-based multichannel generalization of Page's cumulative sum (CUSUM) test that is applied to general stochastic models that may include correlated and nonstationary observations. There are many potential application areas where it is necessary to consider multichannel generalizations and general statistical models. In this paper our main motivation for doing so is network security: rapid anomaly detection for an early detection of attacks in computer networks that lead to changes in network traffic. Moreover, this kind of application encourages the development of a nonparametric multichannel detection test that does not use exact pre-change (legitimate) and post-change (attack) traffic models. The proposed nonparametric method can be effectively applied to detect a wide variety of attacks such as denial-of-service attacks, worm-based attacks, port-scanning, and man-in-the-middle attacks. In addition, we propose a multichannel CUSUM procedure that is based on binary quantized data; this procedure turns out to be more efficient than the previous two algorithms in certain scenarios. All proposed detection algorithms are based on the change-point detection theory. They utilize the thresholding of test statistics to achieve a fixed rate of false alarms, while allowing changes in statistical models to be detected {"}as soon as possible{"}. Theoretical frameworks for the performance analysis of detection procedures, as well as results of Monte Carlo simulations for a Poisson example and results of detecting real flooding attacks, are presented.",
keywords = "Change-point detection, Cumulative sum, Denial of service, Intrusion detection, Multichannel information systems, Page's test, Rapid detection, Sequential tests",
author = "Tartakovsky, {Alexander G.} and Rozovskii, {Boris L.} and Blažek, {Rudolf B.} and Hongjoong Kim",
year = "2006",
month = "7",
day = "1",
doi = "10.1016/j.stamet.2005.05.003",
language = "English",
volume = "3",
pages = "252--293",
journal = "Statistical Methodology",
issn = "1572-3127",
publisher = "Elsevier",
number = "3",
}
