Location of Repository

Abstract — We consider the problem of quickest localization of anomaly in a resource-constrained cyber network consisting of multiple components. Due to resource constraints, only one component can be probed at each time. The observations are random realizations drawn from two different distributions depending on whether the component is normal or anomalous. Components are assigned priorities. Components with higher priorities in an abnormal state should be fixed before components with lower priorities to reduce the overall damage to the network. We formulate the problem as a priority-based constrained optimization problem. The objective is to minimize the expected weighted sum of completion times of abnormal components subject to error probability constraints. We then propose a two-stage optimization formulation to solve the problem. First, we consider the independent model, where each component is abnormal independent of other components. Next, we consider the exclusive model, where one only one component is abnormal. We develop optimal index policies under both models. Optimal low-complexity algorithms are derived for the simple hypotheses case, where the distribution is completely known under both hypotheses. Asymptotically (as the error probability approaches zero) optimal low-complexity algorithms are derived for the composite hypotheses case, where there is uncertainty in the distribution parameters. Simulation results then illustrate the performance of the algorithms

Topics:
Index Terms — Anomaly detection, Intrusion Detection System

Year: 2013

OAI identifier:
oai:CiteSeerX.psu:10.1.1.352.8740

Provided by:
CiteSeerX

Download PDF:To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.