Combining hidden Markov models for improved anomaly detection

Authors:
Wael Khreich;Eric Granger;Robert Sabourin;Ali Miri
Affiliations:
Laboratoire d'imagerie, de vision et d'intelligence, artificielle, École de technologie supérieure, Montreal, QC, Canada;Laboratoire d'imagerie, de vision et d'intelligence, artificielle, École de technologie supérieure, Montreal, QC, Canada;Laboratoire d'imagerie, de vision et d'intelligence, artificielle, École de technologie supérieure, Montreal, QC, Canada;School of Information Technology and Engineering, University of Ottawa, Ottawa, ON, Canada
Venue:
ICC'09 Proceedings of the 2009 IEEE international conference on Communications
Year:
2009

Citing 7
Cited 4

Benchmarking Anomaly-Based Detection Systems

DSN '00 Proceedings of the 2000 International Conference on Dependable Systems and Networks (formerly FTCS-30 and DCCA-8)
"Why 6?" Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
A Sense of Self for Unix Processes

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Information-Theoretic Measures for Anomaly Detection

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
An introduction to ROC analysis

Pattern Recognition Letters - Special issue: ROC analysis in pattern recognition
Intrusion detection by combining multiple hidden Markov models

PRICAI'00 Proceedings of the 6th Pacific Rim international conference on Artificial intelligence
Determining the operational limits of an anomaly-based intrusion detector

IEEE Journal on Selected Areas in Communications

A comparison of techniques for on-line incremental learning of HMM parameters in anomaly detection

CISDA'09 Proceedings of the Second IEEE international conference on Computational intelligence for security and defense applications
Iterative Boolean combination of classifiers in the ROC space: An application to anomaly detection with HMMs

Pattern Recognition
Adaptive ROC-based ensembles of HMMs applied to anomaly detection

Pattern Recognition
Fusion of biometric systems using Boolean combination: an application to iris-based authentication

International Journal of Biometrics

Quantified Score

Hi-index	0.00

Visualization

Abstract

In host-based intrusion detection systems (HIDS), anomaly detection involves monitoring for significant deviations from normal system behavior. Hidden Markov Models (HMMs) have been shown to provide a high level performance for detecting anomalies in sequences of system calls to the operating system kernel. Although the number of hidden states is a critical parameter for HMM performance, it is often chosen heuristically or empirically, by selecting the single value that provides the best performance on training data. However, this single best HMM does not typically provide a high level of performance over the entire detection space. This paper presents a multiple-HMMs approach, where each HMM is trained using a different number of hidden states, and where HMM responses are combined in the Receiver Operating Characteristics (ROC) space according to the Maximum Realizable ROC (MRROC) technique. The performance of this approach is compared favorably to that of a single best HMM and to a traditional sequence matching technique called STIDE, using different synthetic HIDS data sets. Results indicate that this approach provides a higher level of performance over a wide range of training set sizes with various alphabet sizes and irregularity indices, and different anomaly sizes, without a significant computational and storage overhead.