A Statistical Approach Based on EWMA and CUSUM Control Charts for R2L Intrusion Detection

Abstract

The present work presents an evaluation between two methods of Root to Local (R2L) intrusion detection, by examining changes in mean of the TCP source bytes. Two statistical change detection techniques utilized for this purpose: the Exponential Weighted Moving Average (EWMA) control chart, as well as the tabular Cumulative sum (CUSUM) control chart, while for both detection techniques the experimental dataset used was the NSL-KDD. For the EWMA chart evaluation a sequence of eight attacks took place at specified instances, which were clearly detected by adjusting the parameters L and λ. For the CUSUM chart evaluation, two cases were examined: the first case with one attack at a specified instance and the second case with three attacks. In both cases the detections were succesfuly achieved. A limitation that concerned both detection techniques was that the examined TCP source bytes size was in the range of (0 - 1000). The EWMA chart was evaluated as the more efficient technique as far as the accuracy of the detection is concerned.