A Statistical Approach Based on EWMA and CUSUM Control Charts for R2L Intrusion Detection

The present work evaluates two methods of Remote to Local (R2L) intrusion detection that monitor changes in the mean of the TCP source bytes (the src_bytes feature of each connection record). Two statistical change detection techniques were utilized for this purpose: the Exponentially Weighted Moving Average (EWMA) control chart and the tabular Cumulative Sum (CUSUM) control chart; for both, the experimental dataset was NSL-KDD. For the EWMA chart evaluation, a sequence of eight attacks was injected at specified instances, and all of them were clearly detected once the smoothing weight λ and the control-limit width L were adjusted. For the CUSUM chart evaluation, two cases were examined: the first with a single attack at a specified instance and the second with three attacks. In both cases the attacks were successfully detected. A limitation shared by both techniques is that the examined TCP source bytes were restricted to the range 0 - 1000. The EWMA chart was judged the more efficient technique as far as detection accuracy is concerned.
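The following is an added example, not the paper's code, showing both charts described above applied to a stream of src_bytes values. The stream is constructed in the code (a bounded deterministic baseline around 300 bytes with three ten-connection R2L-style bursts injected at assumed positions 150, 300 and 450), no NSL-KDD records are read, and the chart parameters (λ = 0.2 and L = 3 for the EWMA, k = 0.5 and h = 5 for the CUSUM) are assumed textbook values rather than the ones the paper tuned. The in-control mean and standard deviation are estimated from an attack-free training window, as a practitioner would do in phase I of control charting.

```python
# Added example, not the paper's code: EWMA and tabular CUSUM control charts
# applied to a stream of TCP src_bytes values.  The stream is constructed
# here (no NSL-KDD records are read) and the chart parameters are assumed.
import math
import statistics

ATTACK_STARTS = (150, 300, 450)   # assumed positions of the injected R2L bursts
BURST_LEN = 10                    # assumed number of attack connections per burst


def make_src_bytes_stream(n=600, attack_starts=ATTACK_STARTS,
                          burst_len=BURST_LEN, shift=300):
    """Constructed src_bytes stream: a bounded, deterministic baseline around
    300 bytes, plus a +shift jump in the mean during each attack burst.
    Every value stays inside the 0-1000 byte range the paper restricts itself to."""
    xs = []
    for i in range(n):
        x = 300 + 40 * math.sin(i) + 20 * math.cos(3 * i)
        if any(s <= i < s + burst_len for s in attack_starts):
            x += shift
        xs.append(int(round(x)))
    return xs


def phase_one_estimates(xs, train=100):
    """Phase I: estimate the in-control mean mu0 and standard deviation sigma
    from a training window that is known to contain no attacks."""
    window = xs[:train]
    return statistics.fmean(window), statistics.pstdev(window)


def ewma_chart(xs, mu0, sigma, lam=0.2, L=3.0):
    """EWMA control chart.  z_i = lam*x_i + (1-lam)*z_{i-1}, z_0 = mu0, with the
    exact (time-varying) limits mu0 +/- L*sigma*sqrt(lam/(2-lam)*(1-(1-lam)^(2i))).
    Returns the 0-based indices at which z_i falls outside the limits.
    Smaller lam weights history more (better for small shifts); L sets the
    limit width, so a larger L lowers false alarms at the cost of sensitivity."""
    z = mu0
    alarms = []
    for i, x in enumerate(xs, start=1):
        z = lam * x + (1 - lam) * z
        half_width = L * sigma * math.sqrt(lam / (2 - lam) * (1 - (1 - lam) ** (2 * i)))
        if abs(z - mu0) > half_width:
            alarms.append(i - 1)
    return alarms


def tabular_cusum(xs, mu0, sigma, k=0.5, h=5.0):
    """Tabular CUSUM.  C+_i = max(0, x_i - (mu0 + K) + C+_{i-1}) accumulates
    upward drift, C-_i = max(0, (mu0 - K) - x_i + C-_{i-1}) downward drift,
    with K = k*sigma (allowance, half the shift to detect quickly) and
    H = h*sigma (decision interval).  An alarm is raised when either sum
    exceeds H, and both sums are then reset so the chart re-arms at once."""
    K, H = k * sigma, h * sigma
    c_plus = c_minus = 0.0
    alarms = []
    for i, x in enumerate(xs):
        c_plus = max(0.0, x - (mu0 + K) + c_plus)
        c_minus = max(0.0, (mu0 - K) - x + c_minus)
        if c_plus > H or c_minus > H:
            alarms.append(i)
            c_plus = c_minus = 0.0
    return alarms


def run_demo():
    """Build the stream, fit the phase I estimates and run both charts."""
    xs = make_src_bytes_stream()
    mu0, sigma = phase_one_estimates(xs)
    return {
        "mu0": mu0,
        "sigma": sigma,
        "ewma": ewma_chart(xs, mu0, sigma),
        "cusum": tabular_cusum(xs, mu0, sigma),
    }


if __name__ == "__main__":
    result = run_demo()
    print(f"mu0={result['mu0']:.1f} sigma={result['sigma']:.1f}")
    print("EWMA alarms :", result["ewma"])
    print("CUSUM alarms:", result["cusum"])
```

On this input both charts raise their first alarm on the first connection of each burst. The reset-on-alarm CUSUM flags exactly the attack connections and returns to zero as soon as the burst ends, whereas the EWMA statistic decays geometrically, so it keeps alarming for roughly a dozen connections after each burst; whether those trailing alarms count as detections or as false positives depends on how an "instance" of attack is scored, which is the kind of accuracy question the comparison above turns on.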