TY - GEN
T1 - Optimal index policies for quickest localization of anomaly in cyber networks
AU - Cohen, Kobi
AU - Zhao, Qing
AU - Swami, Ananthram
PY - 2013/12/1
Y1 - 2013/12/1
AB - We consider the problem of quickest localization of an anomaly in a resource-constrained cyber network consisting of multiple components. Due to resource constraints, only one component can be probed at a time. The observations are random realizations drawn from two different distributions depending on whether the component is normal or anomalous. Components are assigned priorities. Components with higher priorities in an abnormal state should be fixed before components with lower priorities to reduce the overall damage to the network. The objective is to minimize the expected weighted sum of completion times of abnormal components subject to error probability constraints. We consider two different anomaly models: the independent model, in which each component can be abnormal independently of the other components, and the exclusive model, in which there is one and only one abnormal component. We develop index policies under both models. Optimal low-complexity algorithms are derived for the simple hypotheses case, where the distribution is completely known under both hypotheses. Asymptotically (as the error probability approaches zero) optimal low-complexity algorithms are derived for the composite hypotheses case, where there is uncertainty in the distribution parameters. Simulation results then illustrate the performance of the algorithms.
KW - Anomaly detection
KW - Intrusion detection
KW - Sequential hypothesis testing
UR - http://www.scopus.com/inward/record.url?scp=84897743035&partnerID=8YFLogxK
U2 - 10.1109/GlobalSIP.2013.6736855
DO - 10.1109/GlobalSIP.2013.6736855
M3 - Conference contribution
AN - SCOPUS:84897743035
SN - 9781479902484
T3 - 2013 IEEE Global Conference on Signal and Information Processing, GlobalSIP 2013 - Proceedings
SP - 221
EP - 224
BT - 2013 IEEE Global Conference on Signal and Information Processing, GlobalSIP 2013 - Proceedings
T2 - 2013 1st IEEE Global Conference on Signal and Information Processing, GlobalSIP 2013
Y2 - 3 December 2013 through 5 December 2013
ER -