
Intrusion Detection: How do you find the Needle in a haystack? - sdoering
http://analyticsmadeskeezy.com/2012/11/29/intrusion-detection-made-skeezy-how-do-you-find-the-dea-in-a-haystack/
======
graycat
This work is intuitive and heuristic. But with some meager assumptions, it's
also possible to make a real 'statistical hypothesis test' out of such things.

So, with a hypothesis test we get not just a heuristic 'local outlier factor'
but a probability of Type I error.

And we can have some other advantages that tell us some good things about the
probability of Type II error.

Of course, with more data, we know what to do: use the classic most powerful
Neyman-Pearson result. There all those seemingly important intuitive
considerations in the OP of 'A is a friend of B but B has lots of friends much
closer than A so that B is not a friend of A' don't get involved and, thus,
look suspicious.

There is, of course,

David J. Marchette, 'Computer Intrusion Detection: A Statistical Viewpoint',
ISBN 0-387-95281-0, Springer-Verlag, New York, 2001.
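
One way to turn a heuristic outlier score into a test with a bounded Type I error, as an added example that is not from the comment or the linked article: it assumes a new observation is exchangeable with held-out normal data, and uses a k-nearest-neighbour distance as a stand-in for the local outlier factor. All function names and the sample data are constructed for illustration.

```python
import math
import random

def knn_score(x, train, k=3):
    """Heuristic outlier score: mean distance to the k nearest training points."""
    nearest = sorted(math.dist(x, t) for t in train)[:k]
    return sum(nearest) / k

def calibrate(train, calib, k=3):
    """Scores of held-out normal points that were never used for training."""
    return [knn_score(c, train, k) for c in calib]

def p_value(x, train, calib_scores, k=3):
    """Rank of x's score among the calibration scores.

    Assumption: under the null hypothesis 'x is normal', x is exchangeable
    with the calibration points. Then P(p <= alpha) <= alpha for any alpha,
    so alarming when p <= alpha bounds the false alarm (Type I) rate.
    """
    s = knn_score(x, train, k)
    at_least = sum(1 for c in calib_scores if c >= s)
    return (at_least + 1) / (len(calib_scores) + 1)

def sample_normal(rng, n):
    """Constructed 'normal' observations: two standardised features."""
    return [(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(n)]

def run_demo(alpha=0.05, seed=7):
    rng = random.Random(seed)
    train = sample_normal(rng, 200)
    calib_scores = calibrate(train, sample_normal(rng, 400))
    fresh = sample_normal(rng, 2000)  # new normal data, should rarely alarm
    alarms = sum(p_value(x, train, calib_scores) <= alpha for x in fresh)
    return {
        "false_alarm_rate": alarms / len(fresh),
        "p_far_point": p_value((10.0, 10.0), train, calib_scores),
        "p_central_point": p_value((0.0, 0.0), train, calib_scores),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.4f}")
```

The smallest p-value this test can report is 1/(n+1) for n calibration points, so the calibration set size limits how small an alpha can be used.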

