{"title":"Comparison of anomaly signal quality in common detection metrics","authors":"D. Brauckhoff, M. May, B. Plattner","doi":"10.1145/1269880.1269884","DOIUrl":null,"url":null,"abstract":"Problems involving classification and pattern recognition can often be profitably viewed from the perspective of signal detection theory. We present ANEX (ANomaly EXposure), a simple and intuitive measure for comparing anomaly detection metrics regarding their capability to expose certain types of anomalies. ANEX is based on signal detection theory and determines the anomaly signal quality with the help of the intersection area of the metric's probability density functions in the normal and anomalous case. We illustrate the applicability of our measure by comparing 15 frequently-used detection metrics for the Blaster worm and discuss some early results by comparing NetFlow data from four different border gateway routers of a medium-sized ISP network.","PeriodicalId":216113,"journal":{"name":"Annual ACM Workshop on Mining Network Data","volume":"58 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-06-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Annual ACM Workshop on Mining Network Data","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1269880.1269884","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 2
Abstract
Problems involving classification and pattern recognition can often be profitably viewed from the perspective of signal detection theory. We present ANEX (ANomaly EXposure), a simple and intuitive measure for comparing anomaly detection metrics regarding their capability to expose certain types of anomalies. ANEX is based on signal detection theory and determines the anomaly signal quality with the help of the intersection area of the metric's probability density functions in the normal and anomalous case. We illustrate the applicability of our measure by comparing 15 frequently-used detection metrics for the Blaster worm and discuss some early results by comparing NetFlow data from four different border gateway routers of a medium-sized ISP network.