Performance evaluation of multi-stage change-point detection scheme with alert weighting

As a detection method of large-scale simultaneous events (e.g., DDoS attack), a multi-stage change-point detection scheme with alert weighting was proposed. In the scheme, local detectors (LDs), which are deployed on each monitored subnet, try to detect an event by change-point detection. If they do, they send an alert to global detector (GD). Then GD judges whether an event is occurring by comparing the weight sum of the received alerts with an predetermined threshold value. The weight of an alert is set lower for LDs with higher false-positive rate (FPR). Conventional evaluation results only showed that alert weighting improves the performance for particular combination of two kinds of LDs with different FPRs. In this paper, we investigate the effectiveness of alert weighting for various combinations of two kinds of LDs with different FPRs in detail. We first consider the situation where detection rates (DRs) of all LDs are identical. Then, we consider the situation where high-FPR LDs show higher DR than low-FPR LDs, which is more realistic. Simulation results show that 1) alert weighting does not lead to degradation of detection performance and 2) alert weighting is most effective when event scale is moderate in our numerical examples.