Change-point detection schemes are a promising approach for detecting network anomalies such as attacks and infections by unknown viruses and worms. They detect those behaviors as change-points. In general, however, because they also detect false-positive change-points, those caused by other factors such as hardware troubles, we need a scheme that only detects true-positive change-points caused by attacks and infections. True-positive change-points tend to occur simultaneously, and the number of true-positive change-points is very large, while false-positive change-points tend to occur sporadically. We exclude false-positive change-points by neglecting change-points that occur sporadically, based on information gathered from the whole network. In this paper, we propose a multi-stage network anomaly detection scheme that aggregates change-point information from distributed IDSs (Intrusion Detection Systems) and detects the true-positive change-points. Simulation results illustrate that, compared to a scheme using only one IDS, our method always yields a smaller false-positive rate, a reduction of up to 98%, under a constraint that the detection rate of the true-positive change-points must exceed 0.99.
