Abstract
Statistical process control (SPC) is one of the powerful statistical methods for continuously improving a manufacturing process. Its advantage in network anomaly detection is that the technique does not need knowledge of previous intrusions. Hotelling's T² is the most used control chart for network intrusion detection. However, the Hotelling's T² chart, which uses the conventional mean and covariance matrix, is sensitive to the presence of outliers. Therefore, the conventional method is not effective when implemented in an Intrusion Detection System (IDS). To overcome this problem, the Successive Difference Covariance Matrix (SDCM), one of the robust covariance matrix estimators, can be used to estimate the covariance matrix. Meanwhile, the James-Stein estimator can be adopted to estimate the mean vector of the Hotelling's T² control chart. The bootstrap resampling method is used to obtain a more accurate control limit for the proposed chart. The combination of these estimators with the bootstrap resampling approach performs better at monitoring anomalies in the network than the other control limit approaches on the training and testing datasets. In addition, the IDS based on the proposed chart performs better than the other existing charts on the hit rate and FN rate criteria. The proposed method also outperforms some classifier methods.
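A sketch of the chart the abstract describes, added here as an example and not the authors' code: SDCM covariance, a James-Stein mean, and a bootstrap control limit. The textbook positive-part James-Stein form, the zero shrinkage target, the averaged-percentile bootstrap limit, and the constructed three-feature training data are all assumptions.

```python
import random

def solve(A, b):
    """Solve A x = b (Gauss-Jordan with partial pivoting)."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [u - f * v for u, v in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def t2(x, mu, S):
    """Hotelling's T2 distance (x - mu)' S^-1 (x - mu)."""
    d = [a - m for a, m in zip(x, mu)]
    return sum(u * v for u, v in zip(d, solve(S, d)))

def sdcm(X):
    """Successive difference covariance: sum of v v' / (2(n-1)), v = x[i+1] - x[i]."""
    n, p = len(X), len(X[0])
    V = [[b - a for a, b in zip(X[i], X[i + 1])] for i in range(n - 1)]
    return [[sum(v[j] * v[k] for v in V) / (2 * (n - 1)) for k in range(p)]
            for j in range(p)]

def james_stein_mean(X, S, target):
    """Shrink the sample mean toward `target` (positive-part James-Stein, assumed form)."""
    n, p = len(X), len(X[0])
    xbar = [sum(col) / n for col in zip(*X)]
    q = n * t2(xbar, target, S)
    shrink = max(0.0, 1 - (p - 2) / q) if q > 0 else 0.0
    return [t + shrink * (m - t) for m, t in zip(xbar, target)]

def fit_chart(X, target, alpha=0.01, B=500, seed=0):
    """Return (mu, S, limit); limit = mean of the bootstrap (1 - alpha) quantiles of T2."""
    S = sdcm(X)
    mu = james_stein_mean(X, S, target)
    stats = [t2(x, mu, S) for x in X]
    rng, k = random.Random(seed), min(len(X) - 1, int((1 - alpha) * len(X)))
    limits = [sorted(rng.choices(stats, k=len(stats)))[k] for _ in range(B)]
    return mu, S, sum(limits) / B

# Constructed training data: 200 standardized records, 3 hypothetical features.
_rng = random.Random(1)
TRAIN = [[_rng.gauss(0, 1) for _ in range(3)] for _ in range(200)]
MU, S, LIMIT = fit_chart(TRAIN, target=[0.0, 0.0, 0.0])

def is_anomaly(x):
    """Flag a record whose T2 statistic exceeds the bootstrap control limit."""
    return t2(x, MU, S) > LIMIT
```

Because SDCM is built from differences between consecutive records, it depends on record order, so training data should be kept in arrival order.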
| Original language | English |
|---|---|
| Pages (from-to) | 6828-6841 |
| Number of pages | 14 |
| Journal | Journal of Theoretical and Applied Information Technology |
| Volume | 96 |
| Issue number | 20 |
| Publication status | Published - 31 Oct 2018 |
Keywords
- Bootstrap
- James-Stein
- Network anomaly detection
- Successive difference covariance matrix
- T² control chart
Fingerprint
Dive into the research topics of 'Hybrid James-Stein and successive difference covariance matrix estimators based hotelling’s T2 chart for network anomaly detection using bootstrap'. Together they form a unique fingerprint.