SPC methods for nonstationary correlated count data with application to network surveillance

Authors


Abstract

Network surveillance methods are becoming increasingly important as the ability to monitor a wide variety of data is rapidly expanding. Network traffic metrics are usually correlated count data that display a nonstationary pattern in their mean structures. We propose to model traffic counts using a generalized linear mixed model to capture these features. We then develop three tracking statistics proposed for anomaly detection. Two of the statistics are derived variants of a Bartlett-type likelihood ratio, which itself is not computationally tractable. The first of these variants is based on an approximation to the integrated likelihood while the second is based on the concept of h-likelihood. We also consider a tracking statistic that is an exponentially weighted moving average. We compare the properties of the three tracking statistics from the point of view of FAR and detection power and contrast the proposed tracking statistics with current literature. Our comparisons show that the two generalized likelihood ratio variants are preferred choices as statistical process control tools for network surveillance. Computational aspects of the three procedures are also discussed. While our application focus is network surveillance, our proposed methods apply to other applications that have similar data characteristics. Copyright © 2014 John Wiley & Sons, Ltd.

Ancillary