Attack-norm separation for detecting attack-induced quality problems on computers and networks

Cyber attacks on computer and network systems induce system quality and reliability problems, and present a significant threat to the computer and network systems that we are heavily dependent on. Cyber attack detection involves monitoring system data and detecting the attack-induced quality and reliability problems of computer and network systems caused by cyber attacks. Usually there are ongoing normal user activities on computer and network systems when an attack occurs. As a result, the observed system data may be a mixture of attack data and normal use data (norm data). We have established a novel attack–norm separation approach to cyber attack detection that includes norm data cancelation to improve the data quality as an important part of this approach. Aiming at demonstrating the importance of norm data cancelation, this paper presents a set of data modeling and analysis techniques developed to perform norm data cancelation before applying an existing technique of anomaly detection, the chi-square distance monitoring (CSDM), to residual data obtained after norm data cancelation for cyber attack detection. Specifically, a Markov chain model of norm data and an artificial neural network (ANN) of norm data cancelation are developed and tested. This set of techniques is compared with using CSDM alone for cyber attack detection. The results show a significant improvement of detection performance by CSDM with norm data cancelation over CSDM alone. Copyright c © 2006 John Wiley & Sons, Ltd.