EWMA Algorithm in Network Practice
Keywords: intrusion detection, EWMA, control limits, optimization, autocorrelation

Abstract
Intrusion detection is used to monitor and capture intrusions into computer and network systems that attempt to compromise their security. Many intrusions manifest as changes in the intensity of events occurring in computer networks. Because exponentially weighted moving average (EWMA) control charts can monitor the rate of occurrence of events based on their intensity, this technique is appropriate for implementation in control-limit-based detection algorithms. The paper also reviews a possible method for optimizing the chart parameters. The results are validated on authentic network samples.
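The abstract describes the mechanism only in outline: an EWMA statistic tracks the event rate, and an alarm is raised when it leaves the control limits derived from an attack-free baseline. The following is an added example written for this page, not code from the paper or its authors. It implements the textbook EWMA chart (z_t = λ x_t + (1 - λ) z_{t-1}, with time-varying limits μ0 ± L σ sqrt(λ/(2-λ) (1 - (1-λ)^{2t}))) over a constructed series of per-interval event counts in which a flood begins at interval 21. The smoothing constant λ = 0.2, the limit multiplier L = 3 and the 20-interval baseline window are assumptions chosen for illustration, not values taken from the paper; the counts are made up.

```python
import math
from typing import List, NamedTuple, Optional

# Constructed sample (not measured data): event counts per interval, e.g.
# SYN packets per second. Intervals 1-20 are quiet background traffic; a
# flood ramps up from interval 21 onward.
SAMPLE_RATES: List[int] = [
    10, 12, 9, 11, 10, 13, 8, 10, 11, 9,
    12, 10, 11, 9, 10, 12, 10, 11, 9, 10,
    14, 18, 25, 33, 40, 48, 55, 60, 62, 65,
]


class Point(NamedTuple):
    t: int          # 1-based interval number
    x: float        # observed count in this interval
    z: float        # EWMA statistic after this interval
    lcl: float      # lower control limit at this t
    ucl: float      # upper control limit at this t
    alarm: bool     # True when z lies outside [lcl, ucl]


def baseline_stats(x: List[float]) -> tuple:
    """Mean and sample standard deviation of an attack-free training window.

    Assumption: the window really is attack-free; a poisoned baseline
    widens the limits and hides later floods.
    """
    n = len(x)
    mu0 = sum(x) / n
    var = sum((v - mu0) ** 2 for v in x) / (n - 1)
    return mu0, math.sqrt(var)


def lag1_autocorrelation(x: List[float]) -> float:
    """Lag-1 autocorrelation of a series; values near 1 mean the samples are
    strongly dependent, which inflates the false-alarm rate of a plain chart."""
    mu = sum(x) / len(x)
    num = sum((x[i] - mu) * (x[i + 1] - mu) for i in range(len(x) - 1))
    den = sum((v - mu) ** 2 for v in x)
    return num / den if den else 0.0


def ewma_chart(x: List[float], lam: float = 0.2, L: float = 3.0,
               baseline_n: int = 20) -> List[Point]:
    """Run an EWMA control chart over x and flag out-of-control intervals.

    lam (λ) is the weight given to the newest observation; L is the control
    limit width in units of the EWMA's standard deviation. Both are
    assumed tuning values for this example.
    """
    mu0, sigma = baseline_stats(x[:baseline_n])
    z = mu0                      # chart starts at the baseline mean
    points: List[Point] = []
    for t, xt in enumerate(x, start=1):
        z = lam * xt + (1.0 - lam) * z
        # Exact (time-varying) limits; the factor under the root tends to 1,
        # so the limits converge to mu0 +/- L*sigma*sqrt(lam/(2-lam)).
        width = L * sigma * math.sqrt(lam / (2.0 - lam) * (1.0 - (1.0 - lam) ** (2 * t)))
        lcl, ucl = mu0 - width, mu0 + width
        points.append(Point(t, xt, z, lcl, ucl, z > ucl or z < lcl))
    return points


def first_alarm(points: List[Point]) -> Optional[int]:
    """Interval number of the first out-of-control point, or None."""
    for p in points:
        if p.alarm:
            return p.t
    return None


if __name__ == "__main__":
    chart = ewma_chart(SAMPLE_RATES)
    print(f"baseline lag-1 autocorrelation: {lag1_autocorrelation(SAMPLE_RATES[:20]):.3f}")
    for p in chart:
        flag = "ALARM" if p.alarm else ""
        print(f"t={p.t:2d} x={p.x:5.1f} z={p.z:6.2f} [{p.lcl:5.2f}, {p.ucl:5.2f}] {flag}")
    print("first alarm at interval:", first_alarm(chart))
```

With these assumed parameters the chart stays inside its limits for the 20 background intervals and raises its first alarm at interval 22, one interval after the flood starts, because the EWMA deliberately trades a little latency for immunity to single-sample spikes. A smaller λ lengthens memory and detects small sustained shifts sooner at the cost of slower reaction to abrupt ones, which is the trade-off the abstract's optimization step is about. When the baseline's lag-1 autocorrelation is high, the independence assumption behind the limit formula no longer holds and the false-alarm rate rises; the usual remedy is to chart the one-step-ahead forecast residuals x_t - z_{t-1} instead of the raw counts.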
ONLINE OPEN ACCESS: Access to the full text of each article and each issue is free under the Attribution-NonCommercial 4.0 International license (CC BY-NC 4.0).
You are free to:
-Share: copy and redistribute the material in any medium or format;
-Adapt: remix, transform, and build upon the material.
The licensor cannot revoke these freedoms as long as you follow the license terms.
DISCLAIMER: The author(s) of each article appearing in International Journal of Computers Communications & Control is/are solely responsible for the content thereof; the publication of an article shall not constitute or be deemed to constitute any representation by the Editors or Agora University Press that the data presented therein are original, correct or sufficient to support the conclusions reached or that the experiment design or methodology is adequate.