EWMA Algorithm in Network Practice

Petar Cisar, Saša Bošnjak, Sanja Maravic Cisar


Intrusion detection is used to monitor and capture intrusions into computer and network systems which attempt to compromise their security. Many intrusions manifest in changes in the intensity of events occuring in computer networks. Because of the ability of exponentially weighted moving average (EWMA) control charts to monitor the rate of occurrences of events based on their intensity, this technique is appropriate for implementation in control limits based algorithms. The paper also gives a review of a possible optimization method. The validation check of results will be performed on authentic network samples.


intrusion detection, EWMA, control limits, optimization, autocorrelation

Full Text:



J. Cohen, Statistical power analysis for the behavioral sciences (2nd ed.), Lawrence Erlbaum Associates, Hillsdale, New Jersey, 1998.

J.S. Hunter, The exponentially weighted moving average, Journal of Quality Technology 18: 203- 210, 1986.

J.M. Lucas, M.S. Saccucci, Exponentially weighted moving average control schemes: Properties and enhancements, Technometrics 32, 1-29., 1990.

S.W. Roberts, Control Chart Tests Based on Geometric Moving Averages, Technometrics, 1959.

Ye et al., Computer Intrusion Detection Through EWMA for Autocorrelated and Uncorrelated Data, IEEE Transactions on Reliability vol. 52, No. 1, 2003.

G. Fengmin, Deciphering Detection Techniques: Part II Anomaly-Based Intrusion Detection, White Paper, McAfee Security, 2003

S. Sorensen, Competitive Overview of Statistical Anomaly Detection, White Paper, Juniper Networks, 2004.

V. A. Mahadik, X. Wu and D. S. Reeves, Detection of Denial-of-QoS Attacks Based on χ2 Statistic And EWMA Control Charts, http://arqos.csc.ncsu.edu/papers/2002-02-usenixsec-diffservattack.pdf

A. S. Neubauer, The EWMA Control Chart: Properties and Comparison with other Quality-Control Procedures by Computer Simulation, Clinical Chemistry, http://www.clinchem.org/cgi/content/full/43/4/594

D. Seibold, Enterprise Campus Security-Addressing the Imploding Perimeter, http://www.itsa.ufl.edu/2003/presentations/IntSec.ppt

A. Vasilios, S. and F. Papagalou, Application of Anomaly Detection Algorithms for Detecting SYN Flooding Attacks, http://www.ist-scampi.org/publications/papers/siris-globecom2004.pdf

J. Viinikka and H. Debar, Monitoring IDS Background Noise Using EWMA Control Charts and Alert Information, http://viinikka.info/ViiDeb2004.pdf

Y. Zhao, F. Tsung and Z. Wang, Dual CUSUM Control Schemes for Detecting a Range of Mean Shifts, IEEE Transactions, http://qlab.ieem.ust.hk/qlab/download/papers/paper%2035.pdf, 2005

Engineering Statistics Handbook-EWMA Control Charts, http://www.itl.nist.gov/div898/handbook/pmc/section3/pmc324.htm

Engineering Statistics Handbook-Single Exponential Smoothing, http://www.itl.nist.gov/div898/handbook/pmc/section4/pmc431.htm

Savannah State University, Office of Institutional Research & Planning, http://irp.savstate.edu/irp/glossary/correlation.html

P. Cisar, S. Maravic Cisar, A first derivate based algorithm for anomaly detection, International journal of computers, communications & control, 3(S):238-242, 2008

J. Mina, C. Verde, Fault Detection for Large Scale Systems Using Dynamic Principal Components Analysis with Adaptation, International journal of computers, communications & control, 2(2):185- 194, 2007.

DOI: https://doi.org/10.15837/ijccc.2010.2.2471

Copyright (c) 2017 Petar Cisar, Saša Bošnjak, Sanja Maravic Cisar

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

CC-BY-NC  License for Website User

Articles published in IJCCC user license are protected by copyright.

Users can access, download, copy, translate the IJCCC articles for non-commercial purposes provided that users, but cannot redistribute, display or adapt:

  • Cite the article using an appropriate bibliographic citation: author(s), article title, journal, volume, issue, page numbers, year of publication, DOI, and the link to the definitive published version on IJCCC website;
  • Maintain the integrity of the IJCCC article;
  • Retain the copyright notices and links to these terms and conditions so it is clear to other users what can and what cannot be done with the  article;
  • Ensure that, for any content in the IJCCC article that is identified as belonging to a third party, any re-use complies with the copyright policies of that third party;
  • Any translations must prominently display the statement: "This is an unofficial translation of an article that appeared in IJCCC. Agora University  has not endorsed this translation."

This is a non commercial license where the use of published articles for commercial purposes is forbiden. 

Commercial purposes include: 

  • Copying or downloading IJCCC articles, or linking to such postings, for further redistribution, sale or licensing, for a fee;
  • Copying, downloading or posting by a site or service that incorporates advertising with such content;
  • The inclusion or incorporation of article content in other works or services (other than normal quotations with an appropriate citation) that is then available for sale or licensing, for a fee;
  • Use of IJCCC articles or article content (other than normal quotations with appropriate citation) by for-profit organizations for promotional purposes, whether for a fee or otherwise;
  • Use for the purposes of monetary reward by means of sale, resale, license, loan, transfer or other form of commercial exploitation;

    The licensor cannot revoke these freedoms as long as you follow the license terms.

[End of CC-BY-NC  License for Website User]

INTERNATIONAL JOURNAL OF COMPUTERS COMMUNICATIONS & CONTROL (IJCCC), With Emphasis on the Integration of Three Technologies (C & C & C),  ISSN 1841-9836.

IJCCC was founded in 2006,  at Agora University, by  Ioan DZITAC (Editor-in-Chief),  Florin Gheorghe FILIP (Editor-in-Chief), and  Misu-Jan MANOLESCU (Managing Editor).

Ethics: This journal is a member of, and subscribes to the principles of, the Committee on Publication Ethics (COPE).

Ioan  DZITAC (Editor-in-Chief) at COPE European Seminar, Bruxelles, 2015:

IJCCC is covered/indexed/abstracted in Science Citation Index Expanded (since vol.1(S),  2006); JCR2018: IF=1.585..

IJCCC is indexed in Scopus from 2008 (CiteScore2018 = 1.56):

Nomination by Elsevier for Journal Excellence Award Romania 2015 (SNIP2014 = 1.029): Elsevier/ Scopus

IJCCC was nominated by Elsevier for Journal Excellence Award - "Scopus Awards Romania 2015" (SNIP2014 = 1.029).

IJCCC is in Top 3 of 157 Romanian journals indexed by Scopus (in all fields) and No.1 in Computer Science field by Elsevier/ Scopus.


 Impact Factor in JCR2018 (Clarivate Analytics/SCI Expanded/ISI Web of Science): IF=1.585 (Q3). Scopus: CiteScore2018=1.56 (Q2);

SCImago Journal & Country Rank

Editors-in-Chief: Ioan DZITAC & Florin Gheorghe FILIP.