An enhanced CUSUM algorithm for anomaly detection


Abstract

Anomaly detection has been extensively studied in the last two decades. Features are usually first selected or created to characterize the behaviours of networks, users or systems, and then anomaly detection algorithms are developed and applied. However, such traditional network anomaly detection systems detect a limited number of attack types and report a huge number of false alarms due to a lack of proper features and the inherent weaknesses of anomaly detection algorithms. In order to minimize the number of false alerts and maximize the detection accuracy, we propose in this chapter an enhanced CUSUM algorithm for network anomaly detection, modelling various features from different sources and reporting alerts according to some decision strategies. The experimental evaluation with the 1999 DARPA intrusion detection evaluation dataset provides an empirical study of applying the proposed enhanced CUSUM algorithm to successfully detect some network attacks.

Cite

Lu, W., & Xue, L. (2017). An enhanced CUSUM algorithm for anomaly detection. In Information Security Practices: Emerging Threats and Perspectives (pp. 83–96). Springer International Publishing. https://doi.org/10.1007/978-3-319-48947-6_7
