Information Technology Reference
In-Depth Information
N
increases, the
D
of t-NSA will also decrease much more and smaller than the
expected
P
because of the overlap of the detectors [7]. Related experiments will be
given in subsection 4.2.
From Fig. 5 and Fig. 6, it is also known that the standard deviation of
C
in h-
NSA is much less than it in t-NSA, while the standard deviation of
D
in h-NSA is
little higher than it in t-NSA. However, the standard deviation of
D
in h-NSA is
always little than 0.055, and this is acceptable since its detection rate is much higher
than that of t-NSA.
N
P
4.2 Comparisons on
for Fixed
R
In this subsection, the experiments are conducted to show the efficiency of h-NSA for
fixed
P
.
In this experiment, the expected detectors number
N
is calculated by the formula
R
−
ln
P
f
of
N
=
in t-NSA [5, 7]. In h-NSA, the
N
is gotten after the following
R
R
P
m
steps.
(1) Initialize
N
=
0
and
CP
=
1
.
f
R
(2) According to the h-NSA described in section 3.2, one detector is generated.
(2.1) Calculate
P
,
as formula (3) for this detector.
b
(2.2)
CP
=
CP
*
(
−
P
)
.
f
f
m
,
b
(2.3)
N
=
N
+
1
.
R
R
(3) If
CP
>
P
, go to (2).
f
f
(4) End.
In Table 7, '
P
(actual)' means the real values of
P
are gained by experimentally
testing. And the size of the test set, namely
N
, are also given in Table 3.
N
is set
T
T
as 10000 except one the case of
l=16
,
r=12
and
N
=
60
(because it is difficult, and
S
often impossible to generate 10000 anomaly strings).
From Table 7, it is shown that the needed matured detectors
N
of h-NSA is
R
much less than that of t-NSA for the same
P
. And the real value of
P
of h-NSA is
much nearer to the expected
P
too. In fact, as
N
and
P
increase, the real
P
of t-
S
NSA is much larger than the expected
P
, namely 0.1.
