A Hybrid Method to Intrusion Detection Systems Using HMM

Intrusion detection systems (IDS) use different sources of observation data and a variety of techniques to differentiate between benign and malicious behaviors. In the current work, Hidden Markov Models (HMM) are used in a manner analogous to their use in text categorization. The proposed approach performs host-based intrusion detection by using HMM along with the STIDE methodology (enumeration of sub-sequences) in a hybrid fashion. The proposed method differs from STIDE in that only one profile is created for the normal behavior of all applications, using short sequences of system calls issued by normal runs of the programs. Subsequent to this, an HMM with simple states, together with STIDE, is used to categorize an unknown program's sequence of system calls as either normal or an intrusion. The results on the 1998 DARPA data show that the hybrid method yields a low false positive rate with a high detection rate.
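The hybrid described above, as an added illustration that is not the paper's own code: a single STIDE-style profile of length-k system-call windows shared across programs, a "simple-state" HMM reduced to a transition table (one state per system call), and a decision rule combining the two. The window length k=3, the add-one smoothing, the OR combination rule, the thresholds and the sample traces are all assumptions made for the example, not values from the paper.

```python
from collections import Counter, defaultdict
from math import log

# Constructed sample system-call traces of normal runs (not DARPA data).
NORMAL_TRACES = [
    ["open", "read", "read", "close", "open", "read", "write", "close"],
    ["open", "read", "write", "close", "exit"],
    ["open", "read", "read", "write", "close", "exit"],
]

def stide_profile(traces, k):
    """STIDE-style profile: every length-k window seen in the normal traces (one shared profile)."""
    profile = set()
    for t in traces:
        profile.update(tuple(t[i:i + k]) for i in range(len(t) - k + 1))
    return profile

def stide_mismatch_rate(trace, profile, k):
    """Fraction of the trace's length-k windows that are absent from the profile."""
    windows = [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]
    return sum(w not in profile for w in windows) / len(windows) if windows else 0.0

def train_transitions(traces):
    """'Simple-state' HMM: one state per system call, so only a transition table is learned."""
    counts = defaultdict(Counter)
    for t in traces:
        for a, b in zip(t, t[1:]):
            counts[a][b] += 1
    vocab = {c for t in traces for c in t}
    return counts, vocab

def mean_loglik(trace, counts, vocab, alpha=1.0):
    """Mean log-probability per transition, add-alpha smoothed so unseen calls get a floor, not -inf."""
    total = 0.0
    for a, b in zip(trace, trace[1:]):
        row = counts.get(a, Counter())
        total += log((row[b] + alpha) / (sum(row.values()) + alpha * len(vocab)))
    return total / max(len(trace) - 1, 1)

def classify(trace, profile, counts, vocab, k, max_mismatch, min_loglik):
    """Hybrid decision (an assumed OR rule, not the paper's): either detector can flag the trace."""
    mm = stide_mismatch_rate(trace, profile, k)
    ll = mean_loglik(trace, counts, vocab)
    return "intrusion" if mm > max_mismatch or ll < min_loglik else "normal"

if __name__ == "__main__":
    prof = stide_profile(NORMAL_TRACES, 3)
    cnt, voc = train_transitions(NORMAL_TRACES)
    print(classify(["open", "read", "write", "close", "exit"], prof, cnt, voc, 3, 0.2, -1.2))
    print(classify(["open", "exec", "write", "close", "exit"], prof, cnt, voc, 3, 0.2, -1.2))
```

The unseen call "exec" raises both the STIDE mismatch rate (two of three windows unknown) and lowers the transition log-likelihood, which is why either detector alone would flag that trace under the assumed thresholds.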