The Study of Intrusion Prediction Based on HsMM

Intrusion detection is an important technique in the defense-in-depth network security framework. An IDS continuously watches the activity on a network or computer, looking for evidence of attacks and intrusions. However, host-based intrusion detectors are particularly vulnerable, as they can be disabled or tampered with by successful intruders. In this paper, a hidden semi-Markov model (HsMM) method for predicting anomalous events and the intentions of possible intruders to a computer system is developed, based on the observation of system call sequences. BSM audit data are used as the research data source. The HsMM structure is redefined to describe intrusion detection. The time duration of the hidden states is computed using the risk factor of every system call. Then the output probability of the current system call sequence is calculated to decide whether the current system behavior is normal and to compute the anomaly probability of the subsequent system calls. In addition, the approximate time at which the intrusion is established is estimated. The evaluation of the proposed methodology was carried out using DARPA 1998. The experimental results prove that the proposed method can find the attack attempt in advance, gaining precious time for active intrusion precaution.
