{"title":"基于EWMA和CUSUM控制图的R2L入侵检测统计方法","authors":"D. Sklavounos, Aloysius Edoh, Markos Plytas","doi":"10.1109/CCC.2017.15","DOIUrl":null,"url":null,"abstract":"The present work presents an evaluation between two methods of Root to Local (R2L) intrusion detection, by examining changes in mean of the TCP source bytes. Two statistical change detection techniques utilized for this purpose: the Exponential Weighted Moving Average (EWMA) control chart, as well as the tabular Cumulative sum (CUSUM) control chart, while for both detection techniques the experimental dataset used was the NSL-KDD. For the EWMA chart evaluation a sequence of eight attacks took place at specified instances, which were clearly detected by adjusting the parameters L and λ. For the CUSUM chart evaluation, two cases were examined: the first case with one attack at a specified instance and the second case with three attacks. In both cases the detections were succesfuly achieved. A limitation that concerned both detection techniques was that the examined TCP source bytes size was in the range of (0 - 1000). The EWMA chart was evaluated as the more efficient technique as far as the accuracy of the detection is concerned.","PeriodicalId":367472,"journal":{"name":"2017 Cybersecurity and Cyberforensics Conference (CCC)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":"{\"title\":\"A Statistical Approach Based on EWMA and CUSUM Control Charts for R2L Intrusion Detection\",\"authors\":\"D. Sklavounos, Aloysius Edoh, Markos Plytas\",\"doi\":\"10.1109/CCC.2017.15\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The present work presents an evaluation between two methods of Root to Local (R2L) intrusion detection, by examining changes in mean of the TCP source bytes. Two statistical change detection techniques utilized for this purpose: the Exponential Weighted Moving Average (EWMA) control chart, as well as the tabular Cumulative sum (CUSUM) control chart, while for both detection techniques the experimental dataset used was the NSL-KDD. For the EWMA chart evaluation a sequence of eight attacks took place at specified instances, which were clearly detected by adjusting the parameters L and λ. For the CUSUM chart evaluation, two cases were examined: the first case with one attack at a specified instance and the second case with three attacks. In both cases the detections were succesfuly achieved. A limitation that concerned both detection techniques was that the examined TCP source bytes size was in the range of (0 - 1000). The EWMA chart was evaluated as the more efficient technique as far as the accuracy of the detection is concerned.\",\"PeriodicalId\":367472,\"journal\":{\"name\":\"2017 Cybersecurity and Cyberforensics Conference (CCC)\",\"volume\":\"1 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-11-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"8\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2017 Cybersecurity and Cyberforensics Conference (CCC)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/CCC.2017.15\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 Cybersecurity and Cyberforensics Conference (CCC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CCC.2017.15","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
A Statistical Approach Based on EWMA and CUSUM Control Charts for R2L Intrusion Detection
The present work presents an evaluation between two methods of Root to Local (R2L) intrusion detection, by examining changes in mean of the TCP source bytes. Two statistical change detection techniques utilized for this purpose: the Exponential Weighted Moving Average (EWMA) control chart, as well as the tabular Cumulative sum (CUSUM) control chart, while for both detection techniques the experimental dataset used was the NSL-KDD. For the EWMA chart evaluation a sequence of eight attacks took place at specified instances, which were clearly detected by adjusting the parameters L and λ. For the CUSUM chart evaluation, two cases were examined: the first case with one attack at a specified instance and the second case with three attacks. In both cases the detections were succesfuly achieved. A limitation that concerned both detection techniques was that the examined TCP source bytes size was in the range of (0 - 1000). The EWMA chart was evaluated as the more efficient technique as far as the accuracy of the detection is concerned.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
