Nearly Optimal Change-Point Detection with an Application to Cybersecurity

We address the sequential change-point detection problem for the Gaussian model where baseline distribution is Gaussian with variance 2 and mean such that 2 = a , where a > 0 is a known constant; the change is in from one known value to another. First, we carry out a comparative performance analysis of four detection procedures: the Cumulative Sum (CUSUM) procedure, the Shiryaev–Roberts (SR) procedure, and two its modifications—the Shiryaev–Roberts–Pollak and Shiryaev–Roberts–r procedures. The performance is benchmarked via Pollak’s maximal average delay to detection and Shiryaev’s stationary average delay to detection, each subject to a fixed average run length to false alarm. The analysis shows that in practically interesting cases the accuracy of asymptotic approximations is “reasonable” to “excellent”. We also consider an application of changepoint detection to cybersecurity for rapid anomaly detection in computer networks. Using real network data we show that statistically traffic’s intensity can be well described by the proposed Gaussian model with 2 = a instead of the traditional Poisson model, which requires 2 = . By successively devising the SR and CUSUM procedures to “catch” a low-contrast network anomaly (caused by an Internet Control Message Protocol reflector attack), we then show that the SR rule is quicker. We conclude that the SR procedure is a better cyber “watch dog” than the popular CUSUM procedure.