Anomaly Detection Using an MMPP-based GLRT.

Detection of anomalous network traffic is accomplished using a generalized likelihood ratio test (GLRT) applied to traffic arrival times. The network traffic arrival times are modelled using a Markov modulated Poisson process (MMPP). The GLRT is implemented using an estimate of the MMPP parameter obtained from training data that is not anomalous. MMPP parameter estimation is accomplished using Rydenu0027s expectation-maximization (EM) approach. Using data from the 1999DARPA intrusion detection evaluation, the performance of a GLRT using an MMPP, a Poisson process, and a mixture of exponentials is compared. The MMPP-based GLRT has the best performance and the largest computational requirements.