Abstract:
In this work, we present a Bayesian change point model that identifies the time points at which a time series undergoes abrupt changes. Our model is a hierarchical hidden Markov model that treats the change points and the dynamics of the data stream as latent variables. We describe a generic generative model, forward-backward recursions for exact inference, and an expectation-maximization algorithm for hyperparameter learning. The model specifications discussed here can sense changes in the state of the observed system as well as in the intensity and/or the ratio of the features. In addition to investigating the change point algorithm in generic notation, we also give an in-depth analysis and an appropriate implementation of a particular model specification, namely the Dirichlet-Multinomial model. We present a novel application of the model: Distributed Denial of Service (DDoS) attack detection in Session Initiation Protocol (SIP) networks. In order to generate DDoS attack data, we build a network monitoring unit and a probabilistic SIP network simulation tool that initiates real-time SIP calls between a number of agents. Using a set of features extracted from the target computer's network connection and resource usage statistics, we show that our model is able to detect a variety of DDoS attacks in real time with high accuracy and low false-positive rates.
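The following is an added, self-contained illustration of the kind of inference the abstract describes; it is not the paper's code and does not reproduce its hierarchical HMM. It assumes a simplified form of the forward recursion in which the latent state is the run length (observations since the last change point), change points arrive with a constant hazard, and each segment's feature counts are modelled with the Dirichlet-Multinomial predictive named in the abstract. The input is a constructed series of per-second counts of four SIP message types at a monitored server; the change point where an INVITE flood shifts both the intensity and the ratio of the features is what a detector would flag. The hazard, prior concentration and message-type features are assumptions chosen for the example.

```python
import math
from typing import List, Sequence, Tuple

# Constructed sample input (not from the paper): per-second counts of four SIP
# message types seen at the monitored server, [INVITE, BYE, REGISTER, OPTIONS].
# Seconds 0-9 are ordinary call traffic; from second 10 an INVITE flood starts,
# which changes both the intensity and the ratio of the features.
NORMAL = [[5, 4, 2, 3], [6, 5, 2, 2], [4, 4, 3, 3], [5, 5, 2, 2], [6, 4, 2, 3],
          [5, 5, 3, 2], [4, 4, 2, 3], [6, 5, 2, 2], [5, 4, 2, 3], [5, 5, 3, 2]]
FLOOD = [[40, 3, 2, 2], [45, 4, 2, 3], [50, 3, 2, 2], [48, 4, 3, 2],
         [52, 3, 2, 3], [47, 4, 2, 2], [51, 3, 2, 3], [49, 4, 2, 2]]
SAMPLE = NORMAL + FLOOD


def log_dirmult_pred(x: Sequence[int], counts: Sequence[int],
                     alpha: Sequence[float]) -> float:
    """log p(x | counts, alpha): Dirichlet-Multinomial posterior predictive of a
    count vector x, given the counts already seen in the current segment and the
    Dirichlet prior concentration alpha (the multinomial coefficient is included
    so the value is a proper log probability)."""
    n = sum(x)
    a = [ak + ck for ak, ck in zip(alpha, counts)]   # posterior Dirichlet params
    lp = math.lgamma(sum(a)) - math.lgamma(sum(a) + n) + math.lgamma(n + 1)
    for xk, ak in zip(x, a):
        lp += math.lgamma(ak + xk) - math.lgamma(ak) - math.lgamma(xk + 1)
    return lp


def logsumexp(vals: Sequence[float]) -> float:
    m = max(vals)
    return m + math.log(sum(math.exp(v - m) for v in vals))


def run_length_filter(data: Sequence[Sequence[int]], alpha: Sequence[float],
                      hazard: float) -> List[Tuple[int, float]]:
    """Forward recursion over the run length r_t (observations since the last
    change point). Returns, for every time step, (MAP run length, P(r_t = 0)).
    r_t = 0 means x_t is the first observation of a new segment, so it is
    predicted from the prior alone; a run of length r is predicted from the
    observations accumulated in its segment."""
    k = len(alpha)
    log_h, log_1mh = math.log(hazard), math.log(1.0 - hazard)
    # time 0: the first observation necessarily starts the first segment
    log_w = [0.0]
    seg_counts = [list(data[0])]
    out = [(0, 1.0)]
    for x in data[1:]:
        preds = [log_dirmult_pred(x, c, alpha) for c in seg_counts]
        # change point: every previous run length can jump to r_t = 0
        new_log_w = [logsumexp(log_w) + log_h + log_dirmult_pred(x, [0] * k, alpha)]
        new_counts = [list(x)]
        # growth: run length r becomes r + 1 and absorbs x
        new_log_w += [lw + p + log_1mh for lw, p in zip(log_w, preds)]
        new_counts += [[c + xk for c, xk in zip(cnt, x)] for cnt in seg_counts]
        z = logsumexp(new_log_w)                         # normalise to a posterior
        log_w = [lw - z for lw in new_log_w]
        seg_counts = new_counts
        map_r = max(range(len(log_w)), key=log_w.__getitem__)
        out.append((map_r, math.exp(log_w[0])))
    return out


def detect_change_points(data: Sequence[Sequence[int]], alpha=None,
                         hazard: float = 0.05, threshold: float = 0.5) -> List[int]:
    """Time indices whose posterior change-point probability exceeds threshold."""
    alpha = alpha or [1.0] * len(data[0])
    posts = run_length_filter(data, alpha, hazard)
    return [t for t, (_, p0) in enumerate(posts) if t > 0 and p0 > threshold]


if __name__ == "__main__":
    for t, (r, p0) in enumerate(run_length_filter(SAMPLE, [1.0] * 4, 0.05)):
        print(f"t={t:2d} counts={SAMPLE[t]} MAP run length={r:2d} P(change)={p0:.3f}")
    print("change points:", detect_change_points(SAMPLE))
```

Because the predictive for a run is the Dirichlet-Multinomial rather than a plain multinomial with point-estimated rates, short runs are automatically treated as more uncertain, so a single noisy second of ordinary traffic does not trigger an alert, while the flood's shift in the INVITE share of the messages drives the change-point posterior close to one at the second it starts. The hazard plays the role of the change-point prior in the abstract's model and, together with the threshold, is the knob that trades detection delay against false-positive rate; the paper learns such hyperparameters by expectation-maximization, whereas here they are fixed by assumption.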