A Nonparametric Multichart CUSUM Test for Rapid Intrusion Detection

An efficient sequential nonparametric multichart (multichannel) CUSUM-type detection test for detecting changes in multichannel sensor systems is proposed. While there is a wide spectrum of applications where it is necessary to consider multichannel generalizations and general statistical models in change-point detection problems, the study in this paper is motivated by network security. Many kinds of intrusions in computer networks lead to abrupt changes in network traffic. These changes have to be detected as rapidly as possible while maintaining a false alarm rate at a low level. Computer intrusion detection encourages the development of a nonparametric multichannel change-point detection test that does not use exact legitimate (pre-change) and attack (post-change) traffic models. The proposed nonparametric detection procedure can be effectively applied to detect a wide variety of attacks such as external denial of service attacks, worm based attacks, port scanning, and insider man-in-the-middle attacks. Operating characteristics of the proposed multichannel CUSUM test are evaluated for real denial of service attacks using traces recently collected by CAIDA. The results of a comparison with a conventional singlechannel CUSUM algorithm show that the multichannel test has much better performance.