TY - GEN
T1 - Accuracy improvement of multi-stage change-point detection scheme by weighting alerts based on false-positive rate
AU - Fukushima, Yukinobu
AU - Murase, Tutomu
AU - Fujimaki, Ryohei
AU - Hirose, Syunsuke
AU - Yokohira, Tokumi
PY - 2009
Y1 - 2009
N2 - One promising approach to detecting large-scale simultaneous events (e.g., DDoS attacks and worm epidemics) is to use a multi-stage change-point detection scheme. The scheme adopts two-stage detection. In the first stage, local detectors (LDs), which are deployed on each monitored subnet, detect a change point in a monitored metric such as the outgoing traffic rate. If an LD detects a change point, it sends an alert to a global detector (GD). In the second stage, the GD checks whether the proportion of LDs that send alerts simultaneously is greater than or equal to a threshold value. If so, it judges that large-scale simultaneous events are occurring. Previous studies of the multi-stage change-point detection scheme assume that the weight of each alert is identical. Under this assumption, the false-positive rate of the scheme tends to be high when some LDs send false-positive alerts frequently. In this paper, we weight alerts based on the false-positive rate of each LD in order to decrease the false-positive rate of the multi-stage change-point detection scheme. In our scheme, the GD infers the false-positive rate of each LD and gives lower weight to LDs with higher false-positive rates. Simulation results show that our proposed scheme can achieve a lower false-positive rate than the scheme without alert weighting under the constraint that the detection rate must be 1.0.
AB - One promising approach to detecting large-scale simultaneous events (e.g., DDoS attacks and worm epidemics) is to use a multi-stage change-point detection scheme. The scheme adopts two-stage detection. In the first stage, local detectors (LDs), which are deployed on each monitored subnet, detect a change point in a monitored metric such as the outgoing traffic rate. If an LD detects a change point, it sends an alert to a global detector (GD). In the second stage, the GD checks whether the proportion of LDs that send alerts simultaneously is greater than or equal to a threshold value. If so, it judges that large-scale simultaneous events are occurring. Previous studies of the multi-stage change-point detection scheme assume that the weight of each alert is identical. Under this assumption, the false-positive rate of the scheme tends to be high when some LDs send false-positive alerts frequently. In this paper, we weight alerts based on the false-positive rate of each LD in order to decrease the false-positive rate of the multi-stage change-point detection scheme. In our scheme, the GD infers the false-positive rate of each LD and gives lower weight to LDs with higher false-positive rates. Simulation results show that our proposed scheme can achieve a lower false-positive rate than the scheme without alert weighting under the constraint that the detection rate must be 1.0.
KW - Alert weighting
KW - Large-scale simultaneous events
KW - Multi-stage change-point detection scheme
UR - http://www.scopus.com/inward/record.url?scp=70349994400&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=70349994400&partnerID=8YFLogxK
U2 - 10.1109/CQR.2009.5137356
DO - 10.1109/CQR.2009.5137356
M3 - Conference contribution
AN - SCOPUS:70349994400
SN - 9781424442898
T3 - 2009 IEEE International Workshop Technical Committee on Communications Quality and Reliability, CQR 2009
BT - 2009 IEEE International Workshop Technical Committee on Communications Quality and Reliability, CQR 2009
T2 - 2009 IEEE International Workshop Technical Committee on Communications Quality and Reliability, CQR 2009
Y2 - 12 May 2009 through 14 May 2009
ER -
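Worked illustration of the second-stage decision rule from the abstract above (proportion of alerting LDs compared against a threshold, with and without per-LD alert weighting), added here as an example; it is not code from the paper. The abstract does not say how the GD infers each LD's false-positive rate or how weights are derived from it, so two things are assumptions: the estimator uses a labelled calibration window (fraction of event-free slots in which an LD alerted) in place of the paper's online inference, and the weight is 1 minus the estimated false-positive rate. The alert vectors, the four LDs (LD3 deliberately noisy) and all function names are constructed for the illustration. The threshold is chosen as the paper's evaluation describes: the largest value that still yields a detection rate of 1.0, after which the false-positive rate is compared.

```python
"""Two-stage change-point detection: unweighted vs. FP-rate-weighted GD decision.

Added illustration, not the paper's code. Alert vectors are constructed by hand;
the FP-rate estimator and the weight rule are assumptions (see comments).
"""
from typing import Callable, Dict, List, Sequence, Tuple

Alerts = Sequence[int]            # one 0/1 entry per LD for a single time slot
Slot = Tuple[Alerts, bool]        # (alert vector, ground truth: event in this slot?)


def unweighted_score(alerts: Alerts) -> float:
    """Baseline stage 2: proportion of LDs that alerted in this slot."""
    return sum(alerts) / len(alerts)


def weighted_score(alerts: Alerts, weights: Sequence[float]) -> float:
    """Stage 2 with alert weighting: weight-normalised proportion of alerting LDs."""
    return sum(w * a for w, a in zip(weights, alerts)) / sum(weights)


def estimate_fp_rates(calibration: Sequence[Slot]) -> List[float]:
    """Per-LD false-positive rate = fraction of event-free slots in which the LD alerted.

    Assumption: calibration slots carry a ground-truth label (e.g. from post-incident
    review). The paper's GD infers these rates itself; labelled history stands in here.
    """
    quiet = [alerts for alerts, is_event in calibration if not is_event]
    n_lds = len(quiet[0])
    return [sum(a[i] for a in quiet) / len(quiet) for i in range(n_lds)]


def weights_from_fp_rates(fp_rates: Sequence[float]) -> List[float]:
    """Assumed weight rule: higher false-positive rate -> lower weight."""
    return [1.0 - fp for fp in fp_rates]


def evaluate(score_fn: Callable[[Alerts], float], slots: Sequence[Slot]) -> Dict[str, float]:
    """Largest threshold with detection rate 1.0, and the FP rate measured at it.

    The GD fires when score >= threshold, so the largest threshold that still catches
    every event slot is the minimum score observed over event slots.
    """
    event_scores = [score_fn(a) for a, is_event in slots if is_event]
    quiet_scores = [score_fn(a) for a, is_event in slots if not is_event]
    threshold = min(event_scores)
    detection_rate = sum(s >= threshold for s in event_scores) / len(event_scores)
    fp_rate = sum(s >= threshold for s in quiet_scores) / len(quiet_scores)
    return {"threshold": threshold, "detection_rate": detection_rate, "fp_rate": fp_rate}


# Constructed data: 4 LDs (LD0..LD3); LD3 raises false alerts in most quiet slots.
CALIBRATION: List[Slot] = [
    ((0, 0, 0, 1), False), ((1, 0, 0, 1), False), ((0, 0, 0, 1), False),
    ((0, 1, 0, 0), False), ((0, 0, 0, 1), False), ((0, 0, 0, 0), False),
    ((0, 0, 0, 1), False), ((0, 0, 0, 1), False),
    ((1, 1, 1, 1), True), ((1, 1, 1, 1), True),
]

# Constructed evaluation window: 3 event slots (one LD misses in two of them) and
# 6 quiet slots in which the noisy LD3 drags one or two honest LDs along.
EVALUATION: List[Slot] = [
    ((1, 1, 1, 1), True), ((1, 1, 1, 0), True), ((0, 1, 1, 1), True),
    ((0, 0, 0, 1), False), ((1, 0, 0, 1), False), ((0, 1, 0, 1), False),
    ((0, 0, 0, 1), False), ((1, 1, 0, 1), False), ((0, 0, 0, 0), False),
]


def compare_schemes() -> Dict[str, Dict[str, float]]:
    """Run both GD decision rules over EVALUATION at detection rate 1.0."""
    weights = weights_from_fp_rates(estimate_fp_rates(CALIBRATION))
    return {
        "unweighted": evaluate(unweighted_score, EVALUATION),
        "weighted": evaluate(lambda a: weighted_score(a, weights), EVALUATION),
    }


if __name__ == "__main__":
    for name, result in compare_schemes().items():
        print(f"{name:10s} threshold={result['threshold']:.3f} "
              f"detection={result['detection_rate']:.2f} fp_rate={result['fp_rate']:.3f}")
```

With these inputs the unweighted GD must drop its threshold to 0.75 to keep detection at 1.0, and one quiet slot (LD0, LD1 and noisy LD3 alerting together) then crosses it; the weighted GD gives LD3 a weight of 0.25, so the same slot scores below the weighted threshold and the false-positive rate falls to zero at the same detection rate. The estimator is the weak point a practitioner should watch: an LD whose false alerts happen to coincide with real events inflates nobody's estimate, and a calibration window that mislabels events as quiet will down-weight exactly the detectors that were right.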