2007
Performance evaluation of a multi-stage network event detection scheme for decreasing the false-positive rate for a large number of simultaneous, unknown events
Proceedings of the Sixth International Conference on Networking, ICN'07
- First page: 97
- Language: English
- Publishing type: Research paper (international conference proceedings)
- DOI: 10.1109/ICN.2007.71
- Publisher: IEEE Computer Society
Change-point detection schemes are a promising approach for detecting network anomalies such as attacks and epidemics caused by unknown viruses and worms. They detect these events as change-points. However, they generally also detect false-positive change-points, those caused by other events such as hardware trouble. A scheme is needed that detects only true-positive change-points, those caused by attacks and epidemics. True-positive change-points tend to occur simultaneously in very large numbers, while false-positive change-points tend to occur sporadically. We can exclude false-positive change-points by excluding change-points that occur sporadically, based on information gathered from the entire network. In this paper, we propose a multi-stage network event detection scheme that aggregates change-point information from distributed IDSs (Intrusion Detection Systems) and detects the true-positive change-points. Simulation results show that, compared to a scheme using only one IDS, our method always yields a smaller false-positive rate under the constraint that the detection rate of the true-positive change-points must exceed 0.99. © 2007 IEEE.
- ID information
- DOI: 10.1109/ICN.2007.71
- DBLP ID: conf/icn/MuraseFFKY07
- SCOPUS ID: 34948813610