A comparison of techniques for on-line incremental learning of HMM parameters in anomaly detection

  • Authors:
  • Wael Khreich; Eric Granger; Ali Miri; Robert Sabourin

  • Affiliations:
  • Wael Khreich, Eric Granger, Robert Sabourin: Laboratoire d'imagerie, de vision et d'intelligence artificielle, École de technologie supérieure, Montreal, QC, Canada
  • Ali Miri: School of Information Technology and Engineering, Department of Mathematics and Statistics, University of Ottawa, Ottawa, ON, Canada

  • Venue:
  • CISDA'09 Proceedings of the Second IEEE international conference on Computational intelligence for security and defense applications
  • Year:
  • 2009

Abstract

Hidden Markov Models (HMMs) have been shown to provide a high level of performance for detecting anomalies in intrusion detection systems. Since incomplete training data is always employed in practice, and the environments being monitored are susceptible to change, a system for anomaly detection should update its HMM parameters in response to new training data from the environment. Several techniques have been proposed in the literature for on-line learning of HMM parameters. However, the theoretical convergence of these algorithms assumes an infinite stream of data for optimal performance. When learning sequences of finite length, on-line incremental versions of these algorithms can improve discrimination by allowing for convergence over several training iterations. In this paper, the performance of these techniques is compared for learning new sequences of training data in host-based intrusion detection. The discrimination of HMMs trained with the different techniques is assessed on data corresponding to sequences of system calls to the operating system kernel. In addition, the resource requirements are assessed through an analysis of time and memory complexity. Results suggest that the techniques for on-line incremental learning of HMM parameters can provide a higher level of discrimination than those for on-line learning, yet require significantly fewer resources than batch training. On-line incremental learning techniques may therefore provide a promising solution for adaptive intrusion detection systems.
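The following is an added illustration, not code from the paper or its authors, of the three regimes the abstract contrasts on a toy system-call trace: batch Baum-Welch that re-scans all training data every iteration, a single on-line pass over a new block of sequences, and an on-line incremental update that re-scans only the new block for several iterations while the previously seen data is retained as its expected counts. The system-call alphabet, the traces, the two-state model, the probability floor and the detection margin are all constructed assumptions for the example; the specific on-line algorithms compared in the paper are not reproduced here.

```python
"""Added example (not from the paper): discrete HMM over system-call ids with
batch Baum-Welch, on-line / on-line incremental updates on a new block, and
per-symbol log-likelihood anomaly scoring. Pure Python, no dependencies."""
import math
import random

# Constructed toy alphabet of system-call ids (assumed, not the paper's data):
# 0=open 1=read 2=write 3=close 4=execve 5=socket
N_SYMS = 6
N_STATES = 2
FLOOR = 1e-3  # keep every probability > 0 so unseen calls remain scorable


def _normalise(row):
    row = [max(x, FLOOR) for x in row]
    s = sum(row)
    return [x / s for x in row]


def init_model(seed=7):
    """Reproducible random HMM: initial distribution pi, transitions A, emissions B."""
    rng = random.Random(seed)

    def rnd(n):
        return _normalise([rng.random() + 0.5 for _ in range(n)])
    return {"pi": rnd(N_STATES),
            "A": [rnd(N_STATES) for _ in range(N_STATES)],
            "B": [rnd(N_SYMS) for _ in range(N_STATES)]}


def zero_stats():
    return {"pi": [0.0] * N_STATES,
            "A": [[0.0] * N_STATES for _ in range(N_STATES)],
            "B": [[0.0] * N_SYMS for _ in range(N_STATES)]}


def copy_stats(s):
    return {"pi": list(s["pi"]), "A": [list(r) for r in s["A"]], "B": [list(r) for r in s["B"]]}


def accumulate(stats, model, seq):
    """E-step for one sequence (scaled forward-backward). Adds the expected
    counts to `stats` and returns log P(seq | model)."""
    pi, A, B, N, T = model["pi"], model["A"], model["B"], N_STATES, len(seq)
    alpha, scale = [], []
    for t, o in enumerate(seq):
        a = ([pi[i] * B[i][o] for i in range(N)] if t == 0 else
             [sum(alpha[-1][i] * A[i][j] for i in range(N)) * B[j][o] for j in range(N)])
        c = sum(a)                       # P(o_t | o_1..o_{t-1})
        scale.append(c)
        alpha.append([x / c for x in a])
    beta = [[1.0] * N for _ in range(T)]
    for t in range(T - 2, -1, -1):
        o = seq[t + 1]
        beta[t] = [sum(A[i][j] * B[j][o] * beta[t + 1][j] for j in range(N)) / scale[t + 1]
                   for i in range(N)]
    for t in range(T):
        for i in range(N):
            g = alpha[t][i] * beta[t][i]     # P(state i at t | seq)
            stats["B"][i][seq[t]] += g
            if t == 0:
                stats["pi"][i] += g
            if t < T - 1:
                o = seq[t + 1]
                for j in range(N):           # expected i->j transitions at t
                    stats["A"][i][j] += alpha[t][i] * A[i][j] * B[j][o] * beta[t + 1][j] / scale[t + 1]
    return sum(math.log(c) for c in scale)


def reestimate(stats):
    """M-step: normalise expected counts into a new model."""
    return {"pi": _normalise(stats["pi"]),
            "A": [_normalise(r) for r in stats["A"]],
            "B": [_normalise(r) for r in stats["B"]]}


def batch_train(seqs, iters=20, seed=7):
    """Batch Baum-Welch: every iteration re-scans the whole training set."""
    model = init_model(seed)
    for _ in range(iters):
        stats = zero_stats()
        for s in seqs:
            accumulate(stats, model, s)
        model = reestimate(stats)
    return model, stats  # stats summarise the data the model was fitted on


def incremental_update(model, old_stats, new_seqs, iters):
    """Update from a new block only: old data survives as its expected counts and
    is never re-scanned. iters=1 is a single on-line pass; iters>1 is the on-line
    incremental variant that lets the estimate converge on the finite new block."""
    for _ in range(iters):
        stats = copy_stats(old_stats)
        for s in new_seqs:
            accumulate(stats, model, s)
        model = reestimate(stats)
    return model, stats


def score(model, seq):
    """Per-symbol log-likelihood; low values indicate an anomalous trace."""
    return accumulate(zero_stats(), model, seq) / len(seq)


def is_anomalous(model, seq, threshold):
    return score(model, seq) < threshold


CYCLE = [0, 1, 1, 2, 3]                              # open read read write close
TRAIN = [CYCLE * 3, CYCLE * 4, CYCLE * 5]            # constructed normal traces
NORMAL_TEST = CYCLE * 2
ANOMALY = [0, 5, 1, 5, 2, 5, 3, 5, 0, 5]             # socket calls never seen in training
DRIFT = [[0, 1, 4, 2, 3] * 4, [0, 1, 4, 2, 3] * 3]   # new legitimate behaviour: execve

if __name__ == "__main__":
    model, stats = batch_train(TRAIN)
    thr = min(score(model, s) for s in TRAIN) - 0.5  # constructed detection margin
    print("normal", score(model, NORMAL_TEST), "anomaly", score(model, ANOMALY), "thr", thr)
    before = score(model, DRIFT[0])
    m_online, _ = incremental_update(model, stats, DRIFT, iters=1)
    m_incr, _ = incremental_update(model, stats, DRIFT, iters=5)
    print("drift block: before", before, "on-line", score(m_online, DRIFT[0]),
          "incremental", score(m_incr, DRIFT[0]))
```

Because the old block is represented only by its accumulated counts, the incremental update touches just the new sequences, which is the resource argument the abstract makes against batch retraining; the trade-off is that the fixed old counts act as a prior that slows adaptation when the environment changes, which is why the drift block is re-scanned for several iterations rather than once.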