Change-point detection schemes, one type of anomaly detection scheme, are a promising approach for detecting network anomalies such as attacks and epidemics caused by unknown viruses and worms; these events are detected as change-points. However, such schemes generally also report false-positive change-points caused by other events, such as improper parameter settings of the detectors. A scheme is therefore needed that detects only the true-positive change-points caused by attacks and by epidemics of unknown viruses and worms. True-positive change-points tend to occur simultaneously and intensively in very large numbers, whereas false-positive change-points tend to occur independently. We therefore expect that a multi-stage change-point detection scheme, which performs change-point detection in a distributed manner and takes account of the correlation among multiple change-points, can exclude false-positive change-points by neglecting those that occur independently. In this paper, we propose such a multi-stage change-point detection scheme and introduce a weighting function that gives smaller weight to LDs with a higher false-positive rate, as inferred by the GD, so that a set of false-positive alerts generated by low-accuracy detectors does not cause a high false-positive rate for the scheme as a whole. We evaluate the performance of the scheme by simulation, using parameter values obtained in an experiment with real random-scan worms. For the evaluation, we modify the AAWP (Analytical Active Worm Propagation) model so that it derives the number of infected hosts (i.e., attack hosts) more accurately by taking into account infection failures in the behaviour of random-scan worms.
The simulation results show that our scheme achieves optimal performance (a detection rate of 1.0 and a false-positive rate of 0), whereas the stand-alone change-point detection scheme, which does not use the correlation among multiple change-points, cannot attain such performance; moreover, our scheme with alert weighting always performs better than the scheme without alert weighting.
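The correlation-and-weighting idea described above, as an added toy illustration that is not the paper's code: LD and GD are taken here to mean local detector and global detector, and the alert log, the rule the GD uses to infer each LD's false-positive rate, and the thresholds are all constructed for the example.

```python
"""Toy multi-stage change-point correlation with alert weighting (added
illustration, not the paper's implementation). Assumes LD = local detector,
GD = global detector; inference rule and thresholds are made up here."""
from typing import Dict, List, Set

# Constructed alert log: for each LD, the time slots in which its stand-alone
# change-point detector raised an alert. Slot 7 is the constructed true event
# (every LD fires at once). All other alerts are independent false positives;
# d4 and d6 are noisy, low-accuracy LDs whose false positives happen to
# coincide in slot 9.
ALERTS: Dict[str, Set[int]] = {
    "d0": {7},
    "d1": {7, 2},
    "d2": {7},
    "d3": {7, 11},
    "d4": {7, 1, 3, 5, 9, 12},
    "d5": {7},
    "d6": {7, 9, 4, 6},
}

def infer_fp_rates(alerts: Dict[str, Set[int]]) -> Dict[str, float]:
    """GD infers an LD's false-positive rate as the fraction of its alerts
    that no other LD corroborated in the same slot (isolated alerts)."""
    rates = {}
    for ld, slots in alerts.items():
        isolated = sum(
            1 for t in slots
            if not any(t in s for other, s in alerts.items() if other != ld)
        )
        rates[ld] = isolated / len(slots) if slots else 0.0
    return rates

def weights(fp_rates: Dict[str, float]) -> Dict[str, float]:
    """Weighting function: w = 1 - fp_rate, so noisier LDs count for less."""
    return {ld: 1.0 - r for ld, r in fp_rates.items()}

def global_detect(alerts: Dict[str, Set[int]], threshold: float,
                  weighted: bool = True) -> List[int]:
    """GD reports a slot as a true change-point when the (weighted) number of
    LDs alerting in that slot reaches the threshold; isolated alerts never do."""
    w = weights(infer_fp_rates(alerts)) if weighted else {ld: 1.0 for ld in alerts}
    slots = set().union(*alerts.values())
    score = {t: sum(w[ld] for ld, s in alerts.items() if t in s) for t in slots}
    return sorted(t for t, v in score.items() if v >= threshold)

def stand_alone_detect(alerts: Dict[str, Set[int]]) -> List[int]:
    """Baseline: every LD alert is reported as a change-point (no correlation)."""
    return sorted(set().union(*alerts.values()))
```

With a threshold of 1.5 (at least two fully trusted LDs), the unweighted correlation still reports the coincident false positive in slot 9, while the weighted version reports only slot 7.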
- Anomaly detection
- Change-point detection
- Distributed denial of services (DDoS) attack
ASJC Scopus subject areas
- Computer Networks and Communications