The Evaluation of an Anomaly Detection System Based on Chi-square Method

Advanced Information Networking and Applications Workshops (2012)

Abstract
Conventional methods based on the $\chi^2$ value have been proposed to detect anomaly attacks. These systems, however, treat only a single feature, such as the source IP address or the destination port number, as the probabilistic variable. No method based on multiple variables has been proposed to improve the accuracy of anomaly detection. In this paper, we propose a multiple-feature $\chi^2$ method named CSDM (Chi-square-based Space Division Method) to improve detection accuracy. The F-measure values of CSDM and the conventional method are compared to evaluate these systems. We also examine the learning mechanism and its effect on both systems. In experiments using the source IP address, the destination port number, and the interval time deviation of arriving packets as the probabilistic variables, the proposed CSDM improves the F-measure compared to the conventional method, meaning that CSDM using multiple features can improve the F-measure for DoS/DDoS attacks and double attacks with a 30% attacking rate. In addition, a learning time of 2 days is enough for the CSDM system to learn the behavior of the normal condition, showing quick learning performance with high F-measures.
Keywords
chi-square method,f-measure value,conventional method,destination port number,multiple variable,probabilistic variable,proposed csdm,anomaly detection system,csdm system,conventional method meaning,multiple feature,source ip address,learning artificial intelligence,anomaly detection,accuracy,feature extraction,chi square value,ddos attack,probabilistic logic,probability,mathematical model,computer network security