HMMs for Anomaly Intrusion Detection

Anomaly intrusion detection models normal behavior and flags significant deviations from it, which may correspond to novel attacks. After analyzing the existing techniques in this domain, an anomaly detection method based on Hidden Markov Models (HMMs) is proposed that learns the behavior patterns of Unix processes. Fixed-length sequences of system calls are extracted from program traces to train and test the models, and both the temporal ordering of the system calls and their parameters are taken into account. A Relative Probability (RP) value, computed over short sequences, is used to classify behavior as normal or abnormal. The algorithm is simple and can be applied directly. Experiments on sendmail and lpr traces show that the method builds an accurate and concise discriminator for intrusive actions.
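The following is an added example, not code from the paper: it trains a small discrete HMM with Baum-Welch on fixed-length windows of a system-call trace and scores windows of a second trace by a relative-probability value. Everything not stated in the abstract is an assumption made here: the window length (6), the number of hidden states (3), the definition of RP as the probability of a window divided by the probability of the most likely training window, the detection threshold (half the lowest RP seen on training windows), the probability floor for calls never seen in training, and the traces themselves, which are constructed (not real sendmail or lpr data). Call parameters are represented by folding a coarse argument class into the symbol (for example "open:/etc"), which is one simple way to let the model see parameters as well as ordering.

```python
"""Added example: HMM over fixed-length system-call windows with an RP score."""
import math
import random

WINDOW = 6      # fixed window length (assumed)
STATES = 3      # hidden states (assumed; the abstract does not fix this)
FLOOR = 1e-10   # emission floor so a never-seen call does not give P = 0


def windows(trace, k=WINDOW):
    """Fixed-length sliding windows of a system-call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def forward(A, B, pi, obs):
    """Scaled forward pass. Returns scaled alphas and the scale factors c_t;
    log P(obs | model) = sum(log c_t)."""
    n = len(A)
    alpha = [pi[i] * B[i][obs[0]] for i in range(n)]
    c = [sum(alpha)]
    alphas = [[a / c[0] for a in alpha]]
    for o in obs[1:]:
        prev = alphas[-1]
        alpha = [B[j][o] * sum(prev[i] * A[i][j] for i in range(n)) for j in range(n)]
        c.append(sum(alpha))
        alphas.append([a / c[-1] for a in alpha])
    return alphas, c


def backward(A, B, obs):
    """Backward pass renormalised per step (the per-step scale cancels when
    gamma and xi are normalised in baum_welch)."""
    n = len(A)
    betas = [[1.0] * n]
    for o in reversed(obs[1:]):
        nxt = betas[0]
        beta = [sum(A[i][j] * B[j][o] * nxt[j] for j in range(n)) for i in range(n)]
        s = sum(beta)
        betas.insert(0, [b / s for b in beta])
    return betas


def loglik(model, obs):
    A, B, pi = model
    _, c = forward(A, B, pi, obs)
    return sum(math.log(x) for x in c)


def baum_welch(seqs, n_states, n_symbols, iters=30, seed=1):
    """Re-estimate (A, B, pi) from integer-coded training windows."""
    rng = random.Random(seed)

    def rand_row(m):
        r = [rng.random() + 0.1 for _ in range(m)]
        return [x / sum(r) for x in r]

    A = [rand_row(n_states) for _ in range(n_states)]
    B = [rand_row(n_symbols) for _ in range(n_states)]
    pi = rand_row(n_states)
    for _ in range(iters):
        pi_num = [0.0] * n_states
        A_num = [[0.0] * n_states for _ in range(n_states)]
        A_den = [0.0] * n_states
        B_num = [[0.0] * n_symbols for _ in range(n_states)]
        B_den = [0.0] * n_states
        for obs in seqs:
            alphas, _ = forward(A, B, pi, obs)
            betas = backward(A, B, obs)
            last = len(obs) - 1
            for t, o in enumerate(obs):
                g = [alphas[t][i] * betas[t][i] for i in range(n_states)]
                g = [x / sum(g) for x in g]                 # gamma_t(i)
                for i in range(n_states):
                    B_num[i][o] += g[i]
                    B_den[i] += g[i]
                    if t == 0:
                        pi_num[i] += g[i]
                    if t < last:
                        A_den[i] += g[i]
                if t < last:
                    o2 = obs[t + 1]
                    xi = [[alphas[t][i] * A[i][j] * B[j][o2] * betas[t + 1][j]
                           for j in range(n_states)] for i in range(n_states)]
                    xs = sum(map(sum, xi))                   # normalise xi_t(i,j)
                    for i in range(n_states):
                        for j in range(n_states):
                            A_num[i][j] += xi[i][j] / xs
        pi = [x / len(seqs) for x in pi_num]
        A = [[A_num[i][j] / A_den[i] for j in range(n_states)] for i in range(n_states)]
        B = [[max(B_num[i][k] / B_den[i], FLOOR) for k in range(n_symbols)]
             for i in range(n_states)]
        B = [[x / sum(row) for x in row] for row in B]       # renormalise after flooring
    return A, B, pi


class HMMDetector:
    """Learns an HMM from a normal trace and flags low-RP windows in other traces."""

    def __init__(self, normal_trace, k=WINDOW):
        self.k = k
        self.vocab = {s: i for i, s in enumerate(sorted(set(normal_trace)))}
        self.unk = len(self.vocab)                 # slot for calls unseen in training
        train = [self.encode(w) for w in windows(normal_trace, k)]
        self.model = baum_welch(train, STATES, self.unk + 1)
        lls = [loglik(self.model, w) for w in train]
        self.ll_ref = max(lls)                     # most probable normal window
        self.rp_min = math.exp(min(lls) - self.ll_ref)  # least probable normal window

    def encode(self, window):
        return [self.vocab.get(s, self.unk) for s in window]

    def rp(self, window):
        """RP (assumed definition): P(window) / P(most probable training window)."""
        return math.exp(loglik(self.model, self.encode(window)) - self.ll_ref)

    def detect(self, trace, slack=0.5):
        """Windows whose RP is below slack * lowest RP observed on normal data."""
        thr = slack * self.rp_min
        return [(i, w) for i, w in enumerate(windows(trace, self.k)) if self.rp(w) < thr]


# Constructed traces (not real sendmail/lpr data). Argument classes are folded
# into the symbols so the model sees call parameters as well as ordering.
NORMAL_CYCLE = ["stat:/etc", "open:/etc", "read", "read", "close",
                "open:/var/spool", "write", "write", "close"]
NORMAL_TRACE = NORMAL_CYCLE * 6
ATTACK_TRACE = (NORMAL_CYCLE * 2
                + ["open:/etc", "read", "execve:/bin/sh", "chmod:/etc", "write", "close"]
                + NORMAL_CYCLE)

if __name__ == "__main__":
    det = HMMDetector(NORMAL_TRACE)
    for i, w in det.detect(ATTACK_TRACE):
        print(f"window {i:2d} RP={det.rp(w):.3e} {w}")
```

Windows that contain a call never seen in training (execve, chmod) score many orders of magnitude below the lowest normal window and are flagged; windows identical to training windows are never flagged by construction of the threshold. A window with only known calls in an unusual order (here, "close" followed directly by "open:/etc") may or may not fall below the threshold depending on the fitted model, which is the kind of ordering anomaly the HMM is meant to capture and the reason the paper evaluates on real traces rather than toy data.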
