A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods

Alexander G. Tartakovsky, Boris L. Rozovskii, Rudolf B. Blažek, Hongjoong Kim

Research output: Contribution to journalArticlepeer-review

221 Citations (Scopus)


Large-scale computer network attacks in their final stages can readily be identified by observing very abrupt changes in the network traffic. In the early stage of an attack, however, these changes are hard to detect and difficult to distinguish from usual traffic fluctuations. Rapid response, a minimal false-alarm rate, and the capability to detect a wide spectrum of attacks are the crucial features of intrusion detection systems. In this paper, we develop efficient adaptive sequential and batch-sequential methods for an early detection of attacks that lead to changes in network traffic, such as denial-of-service attacks, worm-based attacks, portscanning, and man-in-the-middle attacks. These methods employ a statistical analysis of data from multiple layers of the network protocol to detect very subtle traffic changes. The algorithms are based on change-point detection theory and utilize a thresholding of test statistics to achieve a fixed rate of false alarms while allowing us to detect changes in statistical models as soon as possible. There are three attractive features of the proposed approach. First, the developed algorithms are self-learning, which enables them to adapt to various network loads and usage patterns. Secondly, they allow for the detection of attacks with a small average delay for a given false-alarm rate. Thirdly, they are computationally simple and thus can be implemented online. Theoretical frameworks for detection procedures are presented. We also give the results of the experimental study with the use of a network simulator testbed as well as real-life testing for TCP SYN flooding attacks.

Original languageEnglish
Pages (from-to)3372-3381
Number of pages10
JournalIEEE Transactions on Signal Processing
Issue number9
Publication statusPublished - 2006 Sept

Bibliographical note

Funding Information:
Manuscript received January 6, 2005; revised Ocotber 25, 2005. This work was supported in part by the U.S. Defense Advanced Research Projects Agency under Grant N66001-00-C-8044 and the U.S. Office of Naval Research under Grant N00014-03-1-0027 at the University of Southern California, and in part by the U.S. Army under SBIR grant DAAD17-03-C0054 at Adsantec. This work was presented in part at the Second Annual IEEE SMC Information Assurance Workshop, West Point, NY, June 5–6, 2001, and at the 35th Symposium on the Interface (Interface 2003: Security and Infrastructure Protection), Salt Lake City, UT, March 12–15, 2003. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Leslie Collins.


  • Attack detection
  • Change point detection
  • Denial of service
  • Intrusion detection
  • Man-in-the-middle
  • Network security
  • Network traffic
  • Nonparametric detection
  • Port scanning
  • Sequential tests
  • Service survivability
  • Worm

ASJC Scopus subject areas

  • Signal Processing
  • Electrical and Electronic Engineering


Dive into the research topics of 'A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods'. Together they form a unique fingerprint.

Cite this