Journal: Highly Available Systems, No. 2, 2025
Article in this issue:
Application of multivariate cumulative sum control charts for detecting cyber attacks
Type of article: scientific article
DOI: https://doi.org/10.18127/j20729472-202502-07
UDC: 004.056.5
Authors:

S.D. Erokhin1, B.B. Borisenko2, A.S. Fadeev3, D.A. Kryukov4

1–3 MTUCI (Moscow, Russia)
4 MIREA-RTU (Moscow, Russia)
1 esd@mtuci.ru, 2 fepem@yandex.ru, 3 aleksandr-sml@mail.ru, 4 dm.bk@bk.ru

Abstract:

The rapid growth of cyberattacks necessitates the development of advanced anomaly detection methods in network traffic. Traditional univariate statistical control charts, such as Shewhart, CUSUM, and EWMA, face limitations in handling correlated network parameters, leading to missed anomalies or false alarms. This study addresses these challenges by exploring the application of multivariate cumulative sum control charts (MCUSUM) for detecting cyberattacks, emphasizing their ability to account for interdependencies among traffic features. The primary problem lies in the inefficiency of univariate methods in capturing complex correlations within network traffic parameters, which are critical for identifying sophisticated attacks. The study aims to evaluate the effectiveness of MCUSUM variants (Healy, Crosier, Pignatiello-Runger) and Hotelling's T² charts in detecting anomalies caused by cyberattacks. The goal is to determine optimal methods for different attack scenarios, balancing precision, recall, and computational efficiency.

The research employs the CSE-CIC-IDS2018 dataset, a comprehensive resource containing labeled examples of normal and attack traffic. Fourteen key features, such as flow duration, packet rates, and header lengths, were selected to train and test the models. The multivariate methods were implemented as follows. Hotelling's T² charts monitor deviations in the multivariate mean using the covariance structure, which suits abrupt changes such as DDoS attacks.

Healy’s method projects data onto a predefined shift direction, suitable for predictable attack patterns.

Crosier’s approaches adaptively accumulate deviations, reducing false positives for unidirectional anomalies (e.g., traffic flooding).

Pignatiello-Runger’s techniques combine long-term trend analysis with quadratic forms, balancing sensitivity and computational load.

Experiments revealed distinct performance profiles: Crosier-2 achieved the highest precision (94%) and recall (90%) for small-to-moderate shifts, demonstrating robustness against low-intensity attacks. Pignatiello-Runger-1 excelled in detecting large shifts (93% recall), making it suitable for high-impact attacks.

Hotelling's T² showed lower sensitivity to gradual changes (75% recall) but remained effective for sudden traffic spikes (93% precision).

Healy’s method, while precise (85%), required prior knowledge of attack vectors, limiting its versatility.

The integration of MCUSUM charts into intrusion detection systems (IDS) enhances their capability to identify both known and novel threats, including stealthy malware and low-and-slow attacks. By leveraging multivariate correlations, these methods reduce false alarms and accelerate response times, which is essential for protecting critical infrastructure. For instance, Crosier-2's adaptability makes it well suited to real-time monitoring in dynamic networks, while Pignatiello-Runger's hybrid approach offers a balance for resource-constrained environments.

This study underscores the importance of selecting context-appropriate multivariate control charts. Hotelling's T² remains indispensable for detecting abrupt anomalies, whereas MCUSUM variants provide superior performance for subtle, persistent deviations. Future work should focus on optimizing parameter tuning and integrating machine learning to further enhance adaptability. The findings contribute significantly to advancing cybersecurity frameworks, ensuring robust defense mechanisms against evolving cyber threats.
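The contrast between a per-observation Hotelling's T² chart and Crosier's (1988) vector-valued MCUSUM on a small persistent shift, as an added example that is not part of the paper or its code. The two standardised features, their correlation, the tuning constants k and h, the T² limit and the sample vectors are assumptions chosen for illustration.

```python
import math

def quad_form(v, sigma_inv):
    # v^T Sigma^{-1} v, with sigma_inv given as a list of rows
    return sum(v[i] * sigma_inv[i][j] * v[j] for i in range(len(v)) for j in range(len(v)))

def hotelling_t2(x, mu, sigma_inv):
    # Hotelling's T^2 for one observation: (x - mu)^T Sigma^{-1} (x - mu)
    return quad_form([xi - mi for xi, mi in zip(x, mu)], sigma_inv)

def crosier_mcusum(xs, mu, sigma_inv, k, h):
    # Crosier (1988) vector-valued MCUSUM: shrink the accumulated deviation by the
    # reference value k in Mahalanobis distance, reset when it falls to k or below.
    # Returns (Y_n, alarm) per step, where Y_n = sqrt(S_n^T Sigma^{-1} S_n) and alarm = Y_n > h.
    s, out = [0.0] * len(mu), []
    for x in xs:
        t = [si + xi - mi for si, xi, mi in zip(s, x, mu)]
        c = math.sqrt(quad_form(t, sigma_inv))
        s = [0.0] * len(mu) if c <= k else [ti * (1.0 - k / c) for ti in t]
        y = math.sqrt(quad_form(s, sigma_inv))
        out.append((y, y > h))
    return out

def first_alarm(stats, limit):
    # index of the first statistic above its control limit, or None
    return next((i for i, v in enumerate(stats) if v > limit), None)

# Two standardised flow features (e.g. packets/s and mean header length) with
# correlation 0.6 (assumed); SIGMA_INV is the inverse of [[1, 0.6], [0.6, 1]].
MU = [0.0, 0.0]
SIGMA_INV = [[1.5625, -0.9375], [-0.9375, 1.5625]]
K, H = 0.5, 5.5      # MCUSUM reference value and decision interval (assumed tuning)
T2_UCL = 10.6        # ~ chi-square(2) 0.995 quantile as T^2 limit (assumed)

# Constructed sample: 6 in-control vectors followed by a small, persistent
# +1 sd shift in both features, the "low-and-slow" case a per-point chart misses.
NORMAL = [[0.2, 0.1], [-0.3, -0.2], [0.3, -0.1], [0.0, 0.3], [-0.1, 0.2], [0.2, -0.2]]
TRAFFIC = NORMAL + [[1.0, 1.0]] * 10

def compare(xs):
    # first alarm index of each chart on the same stream
    t2 = [hotelling_t2(x, MU, SIGMA_INV) for x in xs]
    y = [v for v, _ in crosier_mcusum(xs, MU, SIGMA_INV, K, H)]
    return {"hotelling": first_alarm(t2, T2_UCL), "crosier": first_alarm(y, H)}

if __name__ == "__main__":
    print(compare(TRAFFIC))   # {'hotelling': None, 'crosier': 14}
```

Each shifted point has T² = 1.25, far below the limit, while the MCUSUM statistic grows by about 0.62 per step along the shift direction and crosses h on the ninth shifted observation; a single abrupt outlier such as [4.0, -1.0] would still trip T² immediately.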

Pages: 74-85
For citation

Erokhin S.D., Borisenko B.B., Fadeev A.S., Kryukov D.A. Application of multivariate cumulative sum control charts for detecting cyber attacks. Highly Available Systems. 2025. V. 21. № 2. P. 74−85. DOI: https://doi.org/10.18127/j20729472-202502-07 (in Russian)

Date of receipt: 21.04.2025
Approved after review: 15.05.2025
Accepted for publication: 30.05.2025