Benchmarking Anomaly-Based Detection Systems
DSN '00 Proceedings of the 2000 International Conference on Dependable Systems and Networks (formerly FTCS-30 and DCCA-8)
"Why 6?" Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
A Sense of Self for Unix Processes
SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Information-Theoretic Measures for Anomaly Detection
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
An introduction to ROC analysis
Pattern Recognition Letters - Special issue: ROC analysis in pattern recognition
Intrusion detection by combining multiple hidden Markov models
PRICAI'00 Proceedings of the 6th Pacific Rim international conference on Artificial intelligence
Determining the operational limits of an anomaly-based intrusion detector
IEEE Journal on Selected Areas in Communications
A comparison of techniques for on-line incremental learning of HMM parameters in anomaly detection
CISDA'09 Proceedings of the Second IEEE international conference on Computational intelligence for security and defense applications
Adaptive ROC-based ensembles of HMMs applied to anomaly detection
Pattern Recognition
Fusion of biometric systems using Boolean combination: an application to iris-based authentication
International Journal of Biometrics
Hi-index | 0.00 |
In host-based intrusion detection systems (HIDS), anomaly detection involves monitoring for significant deviations from normal system behavior. Hidden Markov Models (HMMs) have been shown to provide a high level performance for detecting anomalies in sequences of system calls to the operating system kernel. Although the number of hidden states is a critical parameter for HMM performance, it is often chosen heuristically or empirically, by selecting the single value that provides the best performance on training data. However, this single best HMM does not typically provide a high level of performance over the entire detection space. This paper presents a multiple-HMMs approach, where each HMM is trained using a different number of hidden states, and where HMM responses are combined in the Receiver Operating Characteristics (ROC) space according to the Maximum Realizable ROC (MRROC) technique. The performance of this approach is compared favorably to that of a single best HMM and to a traditional sequence matching technique called STIDE, using different synthetic HIDS data sets. Results indicate that this approach provides a higher level of performance over a wide range of training set sizes with various alphabet sizes and irregularity indices, and different anomaly sizes, without a significant computational and storage overhead.