A discussion on ‘Detection of intrusions in information systems by sequential change-point methods’ by Tartakovsky, Rozovskii, Blažek, and Kim

Detection of intrusions is a high priority security issue. It is certainly high time that state-of-the-art methods are applied in this area, and the authors are to be commended for their efforts in this direction. The authors propose three approaches: one is parametric, another is what they refer to as nonparametric, and one is based on binary quantized data. I would first like to refer to each of these separately, and then make a general comment.

The parametric approach requires knowledge of the pre-intrusion distribution and, in addition, either knowing the post-intrusion distribution or at least being able to represent it reasonably. The study in the paper of this context gives a good picture of the best one can attain. Of course, the premise of this approach is rarely realized, and the authors appropriately turn to other methods, using the results for the parametric case for comparison purposes only.

The authors construct a nonparametric scheme by specifying a score function whose form does not depend on any distributional assumptions. However, the constants involved in the score function influence the operating characteristics of the scheme (false alarm rate and average delay to detection). It is hard to say much about the operating characteristics of the proposed scheme without having some knowledge of the underlying distributions. Although the authors arrive at a general form for the false alarm rate (see Eq. (27)), the constants have a non-negligible impact on the false alarm rate, and ignoring them in applications is tantamount to saying no more than that there exists an exponential relationship between the average delay to detection and the false alarm rate. Without knowing more about the pre-intrusion regime one does not really have an
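As an added illustration of the point about the constants in the score function (this is not code from the paper or from this discussion), the following Python simulation runs a one-sided CUSUM with a distribution-free score of the form x_n - mu - c on pre-intrusion data only, and estimates the mean time to false alarm under two pre-intrusion distributions that share the same mean and variance but differ in their tails. The score form, the constants c and h, and the two sample distributions are my assumptions, chosen only to show that the same constants give different false alarm behaviour once the underlying distribution changes.

```python
import math
import random
from statistics import mean


def cusum_run_length(samples, mu, c, h):
    """Index (1-based) at which a one-sided CUSUM with the distribution-free
    score s_n = x_n - mu - c first reaches threshold h, or None if it never
    does.  W_0 = 0 and W_n = max(0, W_{n-1} + s_n)."""
    w = 0.0
    for n, x in enumerate(samples, start=1):
        w = max(0.0, w + (x - mu - c))
        if w >= h:
            return n
    return None


def gaussian_draw(rng):
    """Assumed pre-intrusion sample: standard normal (mean 0, variance 1)."""
    return rng.gauss(0.0, 1.0)


def laplace_draw(rng):
    """Assumed pre-intrusion sample: Laplace with mean 0 and variance 1
    (scale 1/sqrt(2)), i.e. an exponential draw with a random sign.  Same
    first two moments as the Gaussian, but heavier tails."""
    return math.copysign(rng.expovariate(math.sqrt(2)), rng.random() - 0.5)


def mean_time_to_false_alarm(draw, mu, c, h, runs=500, max_len=20000, seed=1):
    """Monte Carlo estimate of the average run length to a false alarm: the
    CUSUM is fed pre-intrusion data only.  Each run reseeds from its index so
    the same sample paths are reused when c or h is varied.  Runs that never
    alarm within max_len are counted as max_len (a lower bound)."""
    lengths = []
    for i in range(runs):
        rng = random.Random(seed + i)
        stream = (draw(rng) for _ in range(max_len))
        t = cusum_run_length(stream, mu, c, h)
        lengths.append(max_len if t is None else t)
    return mean(lengths)


if __name__ == "__main__":
    # Same score constants, same mean and variance, different tails: the
    # estimated false alarm rate is not the same, which is the point above.
    for name, draw in (("gaussian", gaussian_draw), ("laplace", laplace_draw)):
        for c in (0.25, 0.5, 1.0):
            arl = mean_time_to_false_alarm(draw, mu=0.0, c=c, h=3.0)
            print(f"{name:8s} c={c:.2f} h=3.0  mean time to false alarm ~ {arl:.0f}")
```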