Accuracy improvement of multi-stage change-point detection scheme by weighting alerts based on false-positive rate

Abstract

One promising approach for large-scale simultaneous events (e.g., DDoS attacks and worm epidemics) is to use a multi-stage change-point detection scheme. The scheme adopts two-stage detection. In the first stage, local detectors (LDs), which are deployed on each monitored subnet, detects a change point in a monitored metric such as outgoing traffic rate. If an LD detects a change-point, it sends an alert to global detector (GD). In the second stage, GD checks whether the proportion of LDs that send alerts simultaneously is greater than or equal to a threshold value. If so, it judges that large-scale simultaneous events are occurring. In previous studies for the multi-stage change-point detection scheme, it is assumed that weight of each alert is identical. Under this assumption, false-positive rate of the scheme tends to be high when some LDs sends false-positive alerts frequently. In this paper, we weight alerts based on false-positive rate of each LD in order to decrease false-positive rate of the multi-stage change-point detection scheme. In our scheme, GD infers false-positive rate of each LD and gives lower weight to LDs with higher false-positive rate. Simulation results show that our proposed scheme can achieve lower false-positive rate than the scheme without alert weighting under the constraint that detection rate must be 1.0.