Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations

Energies ◽ 2020 ◽ Vol 13 (19) ◽ pp. 5176
Author(s): Ghada Elbez ◽ Hubert B. Keller ◽ Atul Bohara ◽ Klara Nahrstedt ◽ Veit Hagenmeyer

Integration of Information and Communication Technology (ICT) in modern smart grids (SGs) offers many advantages including the use of renewables and an effective way to protect, control and monitor the energy transmission and distribution. To reach an optimal operation of future energy systems, availability, integrity and confidentiality of data should be guaranteed. Research on the cyber-physical security of electrical substations based on IEC 61850 is still at an early stage. In the present work, we first model the network traffic data in electrical substations, then, we present a statistical Anomaly Detection (AD) method to detect Denial of Service (DoS) attacks against the Generic Object Oriented Substation Event (GOOSE) network communication. According to interpretations on the self-similarity and the Long-Range Dependency (LRD) of the data, an Auto-Regressive Fractionally Integrated Moving Average (ARFIMA) model was shown to describe well the GOOSE communication in the substation process network. Based on this ARFIMA-model and in view of cyber-physical security, an effective model-based AD method is developed and analyzed. Two variants of the statistical AD considering statistical hypothesis testing based on the Generalized Likelihood Ratio Test (GLRT) and the cumulative sum (CUSUM) are presented to detect flooding attacks that might affect the availability of the data. Our work presents a novel AD method, with two different variants, tailored to the specific features of the GOOSE traffic in IEC 61850 substations. The statistical AD is capable of detecting anomalies at unknown change times under the realistic assumption of unknown model parameters. The performance of both variants of the AD method is validated and assessed using data collected from a simulation case study. We perform several Monte-Carlo simulations under different noise variances. 
The detection delay is provided for each detector and it represents the number of discrete time samples after which an anomaly is detected. In fact, our statistical AD method with both variants (CUSUM and GLRT) has around half the false positive rate and a smaller detection delay when compared with two of the closest works found in the literature. Our AD approach based on the GLRT detector has the smallest false positive rate among all considered approaches, whereas our AD approach based on the CUSUM test has the lowest false negative rate and thus the best detection rate. Depending on the requirements as well as the costs of false alarms or missed anomalies, both variants of our statistical detection method can be used and are further analyzed using composite detection metrics.

2011 ◽ Vol 474-476 ◽ pp. 2129-2133
Author(s): Yong Hao Gu ◽ Wei Ming Wu

Distributed Denial of Service (DDoS) poses a very serious threat to the stability of the Internet. Compared with many detection approaches, detecting DDoS attacks based on entropy has advantages such as simplicity, high sensitivity and a low false positive rate. But the method with single-attribute entropy has a high false positive rate when detecting attribute-forged attacks. This paper presents a detection method based on joint entropy and a filtering method based on conditional entropy. The efficiency of this scheme is validated with simulation on the research lab network.


The real challenge with present web intrusion detection systems is that an enormous number of alarms are produced by conventional tools and techniques, most of which are false positives or of little significance. It is hard for the web network administrator or an authorized user to review each alert generated by a conventional IDS tool in a busy real-time LAN or WAN environment. Thus, numerous MIM attacks may go undetected, which can cause serious damage to the network systems. Fundamentally, conventional detection models create a large number of intrusion patterns, which produce a high false positive rate. Because of the large number of intrusion patterns, a great deal of time is required to detect intrusions on the communication network, which adversely affects the efficiency of the intrusion detection systems. In this paper we propose a hybrid approach for detecting various DDoS (Distributed Denial of Service) attacks in a WAN. We conducted an extensive survey of related work, from which we concluded how to proceed with our own work.


2002 ◽ Vol 41 (01) ◽ pp. 37-41
Author(s): S. Shung-Shung ◽ S. Yu-Chien ◽ Y. Mei-Due ◽ W. Hwei-Chung ◽ A. Kao

Summary Aim: Even with careful observation, the overall false-positive rate of laparotomy remains 10-15% when acute appendicitis was suspected. Therefore, the clinical efficacy of Tc-99m HMPAO labeled leukocyte (TC-WBC) scan for the diagnosis of acute appendicitis in patients presenting with atypical clinical findings is assessed. Patients and Methods: Eighty patients presenting with acute abdominal pain and possible acute appendicitis but atypical findings were included in this study. After intravenous injection of TC-WBC, serial anterior abdominal/pelvic images at 30, 60, 120 and 240 min with 800k counts were obtained with a gamma camera. Any abnormal localization of radioactivity in the right lower quadrant of the abdomen, equal to or greater than bone marrow activity, was considered as a positive scan. Results: 36 out of 49 patients showing positive TC-WBC scans received appendectomy. They all proved to have positive pathological findings. Five positive TC-WBC were not related to acute appendicitis, because of other pathological lesions. Eight patients were not operated and clinical follow-up after one month revealed no acute abdominal condition. Three of 31 patients with negative TC-WBC scans received appendectomy. They also presented positive pathological findings. The remaining 28 patients did not receive operations and revealed no evidence of appendicitis after at least one month of follow-up. The overall sensitivity, specificity, accuracy, positive and negative predictive values for TC-WBC scan to diagnose acute appendicitis were 92, 78, 86, 82, and 90%, respectively. Conclusion: TC-WBC scan provides a rapid and highly accurate method for the diagnosis of acute appendicitis in patients with equivocal clinical examination. It proved useful in reducing the false-positive rate of laparotomy and shortens the time necessary for clinical observation.


1993 ◽ Vol 32 (02) ◽ pp. 175-179
Author(s): B. Brambati ◽ T. Chard ◽ J. G. Grudzinskas ◽ M. C. M. Macintosh

Abstract: The analysis of the clinical efficiency of a biochemical parameter in the prediction of chromosome anomalies is described, using a database of 475 cases including 30 abnormalities. A comparison was made of two different approaches to the statistical analysis: the use of Gaussian frequency distributions and likelihood ratios, and logistic regression. Both methods computed that for a 5% false-positive rate approximately 60% of anomalies are detected on the basis of maternal age and serum PAPP-A. The logistic regression analysis is appropriate where the outcome variable (chromosome anomaly) is binary and the detection rates refer to the original data only. The likelihood ratio method is used to predict the outcome in the general population. The latter method depends on the data or some transformation of the data fitting a known frequency distribution (Gaussian in this case). The precision of the predicted detection rates is limited by the small sample of abnormals (30 cases). Varying the means and standard deviations (to the limits of their 95% confidence intervals) of the fitted log Gaussian distributions resulted in a detection rate varying between 42% and 79% for a 5% false-positive rate. Thus, although the likelihood ratio method is potentially the better method in determining the usefulness of a test in the general population, larger numbers of abnormal cases are required to stabilise the means and standard deviations of the fitted log Gaussian distributions.


2019
Author(s): Amanda Kvarven ◽ Eirik Strømland ◽ Magnus Johannesson

Andrews & Kasy (2019) propose an approach for adjusting effect sizes in meta-analysis for publication bias. We use the Andrews-Kasy estimator to adjust the result of 15 meta-analyses and compare the adjusted results to 15 large-scale multiple labs replication studies estimating the same effects. The pre-registered replications provide precisely estimated effect sizes, which do not suffer from publication bias. The Andrews-Kasy approach leads to a moderate reduction of the inflated effect sizes in the meta-analyses. However, the approach still overestimates effect sizes by a factor of about two or more and has an estimated false positive rate of between 57% and 100%.


Electronics ◽ 2020 ◽ Vol 9 (11) ◽ pp. 1894
Author(s): Chun Guo ◽ Zihua Song ◽ Yuan Ping ◽ Guowei Shen ◽ Yuhei Cui ◽ ...

Remote Access Trojan (RAT) is one of the most terrible security threats that organizations face today. At present, two major RAT detection methods are host-based and network-based detection methods. To complement one another’s strengths, this article proposes a phased RATs detection method by combining double-side features (PRATD). In PRATD, both host-side and network-side features are combined to build detection models, which is conducive to distinguishing the RATs from benign programs because the RATs not only generate traffic on the network but also leave traces on the host at run time. Besides, PRATD trains two different detection models for the two runtime states of RATs to improve the True Positive Rate (TPR). The experiments on the network and host records collected from five kinds of benign programs and 20 famous RATs show that PRATD can effectively detect RATs: it can achieve a TPR as high as 93.609% with a False Positive Rate (FPR) as low as 0.407% for the known RATs, and a TPR of 81.928% and FPR of 0.185% for the unknown RATs, which suggests it is a competitive candidate for RAT detection.


2020 ◽ Vol 154 (Supplement_1) ◽ pp. S5-S5
Author(s): Ridin Balakrishnan ◽ Daniel Casa ◽ Morayma Reyes Gil

Abstract The diagnostic approach for ruling out suspected acute pulmonary embolism (PE) in the ED setting includes several tests: ultrasound, plasma d-dimer assays, ventilation-perfusion scans and computed tomography pulmonary angiography (CTPA). Importantly, a pretest probability scoring algorithm is highly recommended to triage high risk cases while also preventing unnecessary testing and harm to low/moderate risk patients. The d-dimer assay (both ELISA and immunoturbidometric) has been shown to be extremely sensitive to rule out PE in conjunction with clinical probability. In particular, d-dimer testing is recommended for low/moderate risk patients, in whom a negative d-dimer essentially rules out PE, sparing these patients from CTPA radiation exposure, longer hospital stay and anticoagulation. However, an unspecific increase in fibrin-degradation related products has been seen with increase in age, resulting in a higher false positive rate in the older population. This study analyzed patient visits to the ED of a large academic institution for five years and looked at the relationship between d-dimer values, age and CTPA results to better understand the value of age-adjusted d-dimer cut-offs in ruling out PE in the older population. A total of 7660 ED visits had a CTPA done to rule out PE; out of which 1875 cases had a d-dimer done in conjunction with the CT and 5875 had only CTPA done. Out of the 1875 cases, 1591 had positive d-dimer results (>0.50 µg/ml (FEU)), of which 910 (57%) were from patients older than or equal to fifty years of age. In these older patients, 779 (86%) had a negative CT result. The following were the statistical measures of the d-dimer test before adjusting for age: sensitivity (98%), specificity (12%); negative predictive value (98%) and false positive rate (88%).
After adjusting for age in people older than 50 years (d-dimer cut off = age/100), 138 patients eventually turned out to be d-dimer negative and every case but four had a CT result that was also negative for a PE. The four cases included two non-diagnostic results and two with subacute/chronic/subsegmental PE on imaging. None of these four patients were prescribed anticoagulation. The statistical measures of the d-dimer test after adjusting for age showed: sensitivity (96%), specificity (20%); negative predictive value (98%) and a decrease in the false positive rate (80%). Therefore, imaging could have been potentially avoided in 138/779 (18%) of the patients who were part of this older population and had eventual negative or not clinically significant findings on CTPA if age-adjusted d-dimers were used. This data very strongly advocates for the clinical usefulness of an age-adjusted cut-off of d-dimer to rule out PE.


2021 ◽ Vol 18 (1)
Author(s): Ulrike Baum ◽ Sangita Kulathinal ◽ Kari Auranen

Abstract Background Non-sensitive and non-specific observation of outcomes in time-to-event data affects event counts as well as the risk sets, thus, biasing the estimation of hazard ratios. We investigate how imperfect observation of incident events affects the estimation of vaccine effectiveness based on hazard ratios. Methods Imperfect time-to-event data contain two classes of events: a portion of the true events of interest; and false-positive events mistakenly recorded as events of interest. We develop an estimation method utilising a weighted partial likelihood and probabilistic deletion of false-positive events and assuming the sensitivity and the false-positive rate are known. The performance of the method is evaluated using simulated and Finnish register data. Results The novel method enables unbiased semiparametric estimation of hazard ratios from imperfect time-to-event data. False-positive rates that are small can be approximated to be zero without inducing bias. The method is robust to misspecification of the sensitivity as long as the ratio of the sensitivity in the vaccinated and the unvaccinated is specified correctly and the cumulative risk of the true event is small. Conclusions The weighted partial likelihood can be used to adjust for outcome measurement errors in the estimation of hazard ratios and effectiveness but requires specifying the sensitivity and the false-positive rate. In absence of exact information about these parameters, the method works as a tool for assessing the potential magnitude of bias given a range of likely parameter values.


Author(s): Phu C. Tran ◽ Will DeBrock ◽ Mary E. Lester ◽ Brett C. Hartman ◽ Juan Socas ◽ ...

Abstract Background Transcutaneous tissue oximetry is widely used as an adjunct for postoperative monitoring after microvascular breast reconstruction. Despite a high sensitivity at detecting vascular issues, alarms from probe malfunctions/errors can generate unnecessary nursing calls, concerns, and evaluations. The purpose of this study is to analyze the false positive rate of transcutaneous tissue oximetry monitoring over the postoperative period and assess changes in its utility over time. Patients and Methods Consecutive patients undergoing microvascular breast reconstruction at our institution with monitoring using transcutaneous tissue oximetry were assessed between 2017 and 2019. Variables of interest were transcutaneous tissue oximetry alarms, flap loss, re-exploration, and salvage rates. Results The study included 175 patients (286 flaps). The flap loss rate was 1.0% (3/286). Twelve patients (6.8%) required re-exploration, with 9 patients found to have actual flap compromise (all within 24 hours). The salvage rate was 67.0%. The 3 takebacks after 24 hours were for bleeding concerns rather than anastomotic problems. Within the initial 24-hour postoperative period, 43 tissue oximetry alarms triggered nursing calls; 7 alarms (16.2%) were confirmed to be for flap issues secondary to vascular compromise. After 24 hours, none of the 44 alarms were associated with flap compromise. The false positive rate within 24 hours was 83.7% (36/43) compared with 100% (44/44) after 24 hours (p = 0.01). Conclusion The transcutaneous tissue oximetry false positive rate significantly rises after 24 hours. The benefit may not outweigh the concerns, labor, and effort that results from alarms after postoperative day 1. We recommend considering discontinuing this monitoring after 24 hours.

