TY - GEN
T1 - Performance evaluation of multi-stage change-point detection scheme with alert weighting
AU - Nakagawa, Mari
AU - Fukushima, Yukinobu
AU - Murase, Tutomu
AU - Fujimaki, Ryohei
AU - Hirose, Shunsuke
AU - Yokohira, Tokumi
PY - 2010/12/1
Y1 - 2010/12/1
N2 - As a detection method of large-scale simultaneous events (e.g., DDoS attack), a multi-stage change-point detection scheme with alert weighting was proposed. In the scheme, local detectors (LDs), which are deployed on each monitored subnet, try to detect an event by change-point detection. If they do, they send an alert to the global detector (GD). Then the GD judges whether an event is occurring by comparing the weight sum of the received alerts with a predetermined threshold value. The weight of an alert is set lower for LDs with a higher false-positive rate (FPR). Conventional evaluation results only showed that alert weighting improves the performance for a particular combination of two kinds of LDs with different FPRs. In this paper, we investigate the effectiveness of alert weighting for various combinations of two kinds of LDs with different FPRs in detail. We first consider the situation where the detection rates (DRs) of all LDs are identical. Then, we consider the situation where high-FPR LDs show a higher DR than low-FPR LDs, which is more realistic. Simulation results show that 1) alert weighting does not lead to degradation of detection performance and 2) alert weighting is most effective when the event scale is moderate in our numerical examples.
AB - As a detection method of large-scale simultaneous events (e.g., DDoS attack), a multi-stage change-point detection scheme with alert weighting was proposed. In the scheme, local detectors (LDs), which are deployed on each monitored subnet, try to detect an event by change-point detection. If they do, they send an alert to the global detector (GD). Then the GD judges whether an event is occurring by comparing the weight sum of the received alerts with a predetermined threshold value. The weight of an alert is set lower for LDs with a higher false-positive rate (FPR). Conventional evaluation results only showed that alert weighting improves the performance for a particular combination of two kinds of LDs with different FPRs. In this paper, we investigate the effectiveness of alert weighting for various combinations of two kinds of LDs with different FPRs in detail. We first consider the situation where the detection rates (DRs) of all LDs are identical. Then, we consider the situation where high-FPR LDs show a higher DR than low-FPR LDs, which is more realistic. Simulation results show that 1) alert weighting does not lead to degradation of detection performance and 2) alert weighting is most effective when the event scale is moderate in our numerical examples.
UR - http://www.scopus.com/inward/record.url?scp=79951651579&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=79951651579&partnerID=8YFLogxK
U2 - 10.1109/TENCON.2010.5686586
DO - 10.1109/TENCON.2010.5686586
M3 - Conference contribution
AN - SCOPUS:79951651579
SN - 9781424468904
T3 - IEEE Region 10 Annual International Conference, Proceedings/TENCON
SP - 785
EP - 790
BT - TENCON 2010 - 2010 IEEE Region 10 Conference
T2 - 2010 IEEE Region 10 Conference, TENCON 2010
Y2 - 21 November 2010 through 24 November 2010
ER -