Anomalous Detection Based on Adaboost-HMM

To address the high false positive rate of anomaly-based intrusion detection, a novel anomaly detection method based on Adaboost-HMM is proposed. An HMM is well suited to modeling system call sequences and their state behaviors, but it classifies samples that belong to its own class with higher accuracy than samples that do not belong to that class. To improve the classification rate, Adaboost is used to improve HMM training and reduce the HMM's classification error rate. An improved abnormality detection algorithm based on time of event is also provided. Experimental results indicate that this method increases detection performance and lowers the false positive rate.
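
The HMM scoring step that the abstract builds on, as an added example that is not code from the paper: a discrete HMM of "normal" system calls scores sliding windows of a trace with the scaled forward algorithm and flags windows whose per-call log-likelihood is low. The model parameters, traces, window width, threshold and probability floor are all constructed assumptions; the Adaboost training stage and the time-of-event algorithm are not reproduced because the abstract gives no details of them.

```python
import math

# Constructed two-state model of normal file activity (not from the paper).
# State 0 = setup/teardown, state 1 = data transfer.
PI = [0.22, 0.78]                      # start near the chain's stationary mix
A = [[0.3, 0.7],                       # A[i][j] = P(next state j | state i)
     [0.2, 0.8]]
B = [{"open": 0.46, "close": 0.46, "read": 0.04, "write": 0.04},
     {"read": 0.48, "write": 0.48, "open": 0.02, "close": 0.02}]
FLOOR = 1e-4                           # assumed probability for unseen calls
N = len(PI)

def log_likelihood(seq):
    """Scaled forward algorithm: log P(seq | model), safe for unseen calls."""
    ll, pred = 0.0, PI[:]              # pred = P(state_t | calls before t)
    for call in seq:
        joint = [pred[i] * B[i].get(call, FLOOR) for i in range(N)]
        c = sum(joint)                 # P(call_t | earlier calls)
        ll += math.log(c)
        post = [j / c for j in joint]  # rescale to avoid underflow
        pred = [sum(post[i] * A[i][j] for i in range(N)) for j in range(N)]
    return ll

def anomalous_windows(trace, width=6, threshold=-2.0):
    """Return (start, score) for windows whose mean log-likelihood per call
    falls below the threshold. Traces shorter than width yield no windows."""
    hits = []
    for start in range(len(trace) - width + 1):
        score = log_likelihood(trace[start:start + width]) / width
        if score < threshold:
            hits.append((start, round(score, 3)))
    return hits

# Constructed traces: the second contains calls the model never saw.
NORMAL = ["open", "read", "write", "read", "write", "close",
          "open", "read", "read", "write", "close"]
SUSPECT = ["open", "read", "write", "read", "write", "close",
           "open", "read", "execve", "socket", "write", "close"]

if __name__ == "__main__":
    print("normal :", anomalous_windows(NORMAL))
    print("suspect:", anomalous_windows(SUSPECT))
```

The threshold is where the false positive trade-off in the abstract shows up: raising it toward the scores of normal windows flags more benign traces.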
