Bootstrap based T2 chart with hybrid James Stein and SDCM for network anomaly detection

2021 
The conventional multivariate control chart based on the Shewhart approach runs into problems when it is used to monitor data containing multiple outliers. To overcome this, the James-Stein estimator and the Successive Difference Covariance Matrix (SDCM) can be adopted to improve the estimated mean vector and covariance matrix, respectively. Attacks in a network have a similar nature to multiple outliers. Therefore, with an improved estimated mean vector and covariance matrix, the multivariate Hotelling's T2 chart can be used as an intrusion detection system (IDS) for detecting network attacks. In this paper, the Hotelling's T2 chart is updated with the James-Stein and SDCM estimators for monitoring network anomalies. The bootstrap resampling method is applied to estimate the control limit of the proposed IDS. Further, the reputable NSL-KDD dataset is used as the standard for assessing the performance of the proposed chart. The proposed IDS performs well on the training dataset, with a detection hit rate of 0.9175. On the testing dataset, the proposed method outperforms the other charts, with a detection hit rate of 0.8557.
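The pipeline the abstract describes (James-Stein mean, SDCM covariance, T2 statistic, bootstrap control limit) can be sketched as follows. This is an added example, not the paper's code: it assumes the standard textbook forms of each estimator, a zero shrinkage target, and constructed synthetic features rather than NSL-KDD.

```python
import numpy as np

def sdcm(X):
    # Successive Difference Covariance Matrix: D'D / (2(n-1)), D = row-to-row differences
    D = np.diff(X, axis=0)
    return D.T @ D / (2.0 * (len(X) - 1))

def james_stein_mean(X, S, target=None):
    # Positive-part James-Stein shrinkage of the sample mean toward `target`
    # (assumption: target defaults to the zero vector)
    n, p = X.shape
    nu = np.zeros(p) if target is None else np.asarray(target, float)
    d = X.mean(axis=0) - nu
    q = n * d @ np.linalg.solve(S, d)
    shrink = max(0.0, 1.0 - (p - 2) / q) if q > 0 else 0.0
    return nu + shrink * d

def t2(X, mu, S):
    # Hotelling's T2 per observation: (x - mu)' S^-1 (x - mu)
    Z = X - mu
    return np.einsum("ij,ij->i", Z, np.linalg.solve(S, Z.T).T)

def bootstrap_limit(stats, alpha, B, rng):
    # Mean of the (1 - alpha) quantiles over B resamples of the training T2 values
    n = len(stats)
    return float(np.mean([np.quantile(rng.choice(stats, n), 1 - alpha) for _ in range(B)]))

def fit(X, alpha=0.01, B=500, seed=0):
    S = sdcm(X)
    mu = james_stein_mean(X, S)
    return mu, S, bootstrap_limit(t2(X, mu, S), alpha, B, np.random.default_rng(seed))

def demo(seed=1):
    # Constructed data: 4 synthetic traffic features, not NSL-KDD
    rng = np.random.default_rng(seed)
    base = np.array([5.0, 2.0, 8.0, 1.0])
    train = base + rng.normal(size=(300, 4))
    normal = base + rng.normal(size=(200, 4))
    attack = base + 6.0 + rng.normal(size=(50, 4))  # mean-shifted "attack" records
    mu, S, limit = fit(train)
    hit_rate = float(np.mean(t2(attack, mu, S) > limit))
    false_alarm = float(np.mean(t2(normal, mu, S) > limit))
    return hit_rate, false_alarm, limit

if __name__ == "__main__":
    print(demo())
```

The bootstrap limit replaces the usual F- or chi-square-based limit, so it does not depend on the T2 values following a known distribution.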