HMMs for anomaly intrusion detection

  • Authors:
  • Ye Du; Huiqiang Wang; Yonggang Pang

  • Affiliations:
  • College of Computer Science and Technology, Harbin Engineering University, Harbin, China (all three authors)

  • Venue:
  • CIS'04 Proceedings of the First international conference on Computational and Information Science
  • Year:
  • 2004

Abstract

Anomaly intrusion detection focuses on modeling normal behaviors and identifying significant deviations, which could be novel attacks. The existing techniques in that domain were analyzed, and then an effective anomaly detection method based on HMMs (Hidden Markov Models) was proposed to learn the patterns of Unix processes. Fixed-length sequences of system calls were extracted from program traces to train and test the models. Both the temporal ordering and the parameters of system calls were taken into consideration in this method. The RP (Relative Probability) value, which takes short sequences as input, was computed to classify normal and abnormal behaviors. The algorithm is simple and can be applied directly. Experiments on sendmail and lpr traces demonstrate that the method can construct an accurate and concise discriminator for detecting intrusive actions.
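The detection scheme the abstract describes (score fixed-length system-call windows under an HMM of normal behavior, then classify by a relative probability) as an added illustration; this is not the authors' code. The HMM parameters, the traces and the RP definition (window probability relative to the least likely window seen in normal data, flagged below an assumed threshold) are constructed here for the example, since the paper's own definition is not on this page.

```python
import math

# Constructed toy HMM standing in for a model trained on normal sendmail/lpr
# traces (values are made up for illustration, not the paper's parameters).
SYSCALLS = ["open", "read", "write", "close", "execve", "mmap"]
PI = [0.7, 0.3]                      # initial state distribution
A = [[0.8, 0.2], [0.3, 0.7]]          # state transition matrix
B = [                                 # emission matrix B[state][syscall]
    [0.35, 0.30, 0.05, 0.25, 0.01, 0.04],
    [0.05, 0.10, 0.40, 0.30, 0.05, 0.10],
]
WINDOW = 3          # fixed length of the short system-call sequences
THRESHOLD = 0.1     # RP below this is reported as abnormal (assumed value)


def window_probability(window):
    """P(window | model) via the forward algorithm; windows are short, so no log scaling is needed."""
    obs = [SYSCALLS.index(s) for s in window]
    alpha = [PI[j] * B[j][obs[0]] for j in range(len(PI))]
    for o in obs[1:]:
        alpha = [sum(alpha[i] * A[i][j] for i in range(len(PI))) * B[j][o]
                 for j in range(len(PI))]
    return sum(alpha)


def windows(trace, k=WINDOW):
    """Slide a fixed-length window over a process trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def reference_probability(normal_traces):
    """Least likely window seen in normal data; RP is measured relative to it (assumed definition)."""
    return min(window_probability(w) for t in normal_traces for w in windows(t))


def relative_probability(window, p_ref):
    return window_probability(window) / p_ref


def detect(trace, p_ref, threshold=THRESHOLD):
    """Return (offset, window, RP) triples whose RP falls below the threshold."""
    scored = [(i, w, relative_probability(w, p_ref)) for i, w in enumerate(windows(trace))]
    return [(i, w, rp) for i, w, rp in scored if rp < threshold]


# Constructed traces: one normal run and one containing an unusual execve/mmap burst.
NORMAL_TRACES = [["open", "read", "read", "write", "close", "open", "read", "close"]]
SUSPECT_TRACE = ["open", "read", "execve", "mmap", "execve", "close"]

if __name__ == "__main__":
    p_ref = reference_probability(NORMAL_TRACES)
    for offset, win, rp in detect(SUSPECT_TRACE, p_ref):
        print(f"offset {offset}: {win} RP={rp:.4f}")
```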