EWMA techniques for computer intrusion detection through anomalous changes in event intensity

Nong Ye, Connie Borror, Yebin Zhang

Research output: Contribution to journal › Article

23 Citations (Scopus)

Abstract

Intrusion detection is used to monitor and capture intrusions into computer and network systems, which attempt to compromise the security of computer and network systems. To protect information systems from intrusions and thus assure the reliability and quality of service of information systems, it is highly desirable to develop techniques that detect intrusions into information systems. Many intrusions manifest in dramatic changes in the intensity of events occurring in information systems. Because of the ability of exponentially weighted moving average (EWMA) control charts to monitor the rate of occurrences of events based on their intensity, we apply three EWMA statistics to detect anomalous changes in the events intensity for intrusion detections. They include the EWMA chart for autocorrelated data, the EWMA chart for uncorrelated data and the EWMA chart for monitoring the process standard deviation. The objectives of this paper are to provide design procedures for realizing these control charts and investigate their performance using different parameter settings based on one large dataset. The early detection capability of these EWMA techniques is also examined to provide the guidance about the design capacity of information systems.

Original language: English (US)
Pages (from-to): 443-451
Number of pages: 9
Journal: Quality and Reliability Engineering International
Volume: 18
Issue number: 6
DOIs: 10.1002/qre.493
State: Published - Nov 2002

Fingerprint

Intrusion detection
Information systems
Computer networks
Quality of service
Computer systems
Exponentially weighted moving average
Statistics
Monitoring
Charts
Control charts

Keywords

  • Anomaly detection
  • Computer audit data
  • Exponentially weighted moving average (EWMA)
  • Information assurance
  • Intrusion detection

ASJC Scopus subject areas

  • Management Science and Operations Research
  • Engineering (miscellaneous)

Cite this

EWMA techniques for computer intrusion detection through anomalous changes in event intensity. / Ye, Nong; Borror, Connie; Zhang, Yebin.

In: Quality and Reliability Engineering International, Vol. 18, No. 6, 11.2002, p. 443-451.


@article{5aae587a7770478b8d444e85d1bd35d5,
title = "EWMA techniques for computer intrusion detection through anomalous changes in event intensity",
abstract = "Intrusion detection is used to monitor and capture intrusions into computer and network systems, which attempt to compromise the security of computer and network systems. To protect information systems from intrusions and thus assure the reliability and quality of service of information systems, it is highly desirable to develop techniques that detect intrusions into information systems. Many intrusions manifest in dramatic changes in the intensity of events occurring in information systems. Because of the ability of exponentially weighted moving average (EWMA) control charts to monitor the rate of occurrences of events based on their intensity, we apply three EWMA statistics to detect anomalous changes in the events intensity for intrusion detections. They include the EWMA chart for autocorrelated data, the EWMA chart for uncorrelated data and the EWMA chart for monitoring the process standard deviation. The objectives of this paper are to provide design procedures for realizing these control charts and investigate their performance using different parameter settings based on one large dataset. The early detection capability of these EWMA techniques is also examined to provide the guidance about the design capacity of information systems.",
keywords = "Anomaly detection, Computer audit data, Exponentially weighted moving average (EWMA), Information assurance, Intrusion detection",
author = "Nong Ye and Connie Borror and Yebin Zhang",
year = "2002",
month = "11",
doi = "10.1002/qre.493",
language = "English (US)",
volume = "18",
pages = "443--451",
journal = "Quality and Reliability Engineering International",
issn = "0748-8017",
publisher = "John Wiley and Sons Ltd",
number = "6",

}

TY - JOUR

T1 - EWMA techniques for computer intrusion detection through anomalous changes in event intensity

AU - Ye, Nong

AU - Borror, Connie

AU - Zhang, Yebin

PY - 2002/11

Y1 - 2002/11

N2 - Intrusion detection is used to monitor and capture intrusions into computer and network systems, which attempt to compromise the security of computer and network systems. To protect information systems from intrusions and thus assure the reliability and quality of service of information systems, it is highly desirable to develop techniques that detect intrusions into information systems. Many intrusions manifest in dramatic changes in the intensity of events occurring in information systems. Because of the ability of exponentially weighted moving average (EWMA) control charts to monitor the rate of occurrences of events based on their intensity, we apply three EWMA statistics to detect anomalous changes in the events intensity for intrusion detections. They include the EWMA chart for autocorrelated data, the EWMA chart for uncorrelated data and the EWMA chart for monitoring the process standard deviation. The objectives of this paper are to provide design procedures for realizing these control charts and investigate their performance using different parameter settings based on one large dataset. The early detection capability of these EWMA techniques is also examined to provide the guidance about the design capacity of information systems.


KW - Anomaly detection

KW - Computer audit data

KW - Exponentially weighted moving average (EWMA)

KW - Information assurance

KW - Intrusion detection

UR - http://www.scopus.com/inward/record.url?scp=0036864028&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0036864028&partnerID=8YFLogxK

U2 - 10.1002/qre.493

DO - 10.1002/qre.493

M3 - Article

AN - SCOPUS:0036864028

VL - 18

SP - 443

EP - 451

JO - Quality and Reliability Engineering International

JF - Quality and Reliability Engineering International

SN - 0748-8017

IS - 6

ER -