Network anomaly detection by continuous hidden markov models: An evolutionary programming approach

Information security is an important and growing need. The most common schemes used in detection systems are pattern- or signature-based and anomaly-based. Anomaly-based schemes use a set of metrics that outline normal system behavior; any significant deviation from the established profile is treated as an anomaly. This paper contributes an anomaly-based scheme that monitors the bandwidth consumption of a subnetwork at the Universidad Michoacana, in Mexico. A normal-behavior model is built from the bandwidth consumption of the subnetwork. The presence of an anomaly indicates that something is misusing the network: viruses, worms, denial of service, or any other kind of attack. This work also presents a scheme for the automatic architecture design and parameter optimization of Hidden Markov Models (HMMs), based on Evolutionary Programming (EP). The variables used by the HMMs are the bandwidth consumption of the network (IN and OUT) and the time at which the network activity occurs. The system was tested with univariate and bivariate observation sequences to analyze and detect anomalous behavior. The HMMs designed and trained by EP were compared against semi-random HMMs trained by the Baum-Welch algorithm. In a second experiment, the HMMs designed and trained by EP were compared against HMMs created by an expert user. The EP-designed HMMs outperformed the other methods in all cases. Finally, we made the HMMs time-aware by including time as another variable. This inclusion made the HMMs capable of detecting activity patterns that are normal during one period of time but anomalous at other times. For instance, a heavy load on the network may be completely normal during working hours, but anomalous at night or on weekends.
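The detection step the abstract describes, as an added illustration that is not the paper's own code: a two-state continuous HMM over bivariate observations (bandwidth, time of day) is scored with the forward algorithm, and a window whose per-observation log-likelihood falls below a threshold learned from normal traffic is flagged. All parameters are hand-set for the example (the paper obtains them by EP); the circular hour-distance feature, the Gaussian emissions and the min-minus-margin threshold rule are assumptions made here, and the traffic samples are constructed.

```python
import math

# Two-state continuous HMM with hand-set parameters (constructed for this example,
# not the paper's EP-trained model). State 0 = off-hours, state 1 = working hours.
# Observation = (bandwidth_mbps, hour_of_day); the hour is mapped to its circular
# distance from 13:00 so late-evening and early-morning hours both count as far from midday.
PI = [0.5, 0.5]
A = [[0.9, 0.1], [0.1, 0.9]]
EMIT = [(10.0, 6.0, 9.0, 3.0),   # off-hours: (mean_bw, sd_bw, mean_dist, sd_dist)
        (80.0, 20.0, 0.0, 3.0)]  # working hours: heavy load, close to midday

def hour_dist(hour):
    d = abs(hour - 13.0) % 24.0
    return min(d, 24.0 - d)

def log_gauss(x, mu, sd):
    return -0.5 * math.log(2 * math.pi * sd * sd) - (x - mu) ** 2 / (2 * sd * sd)

def log_emit(state, obs):
    mb, sb, md, sd = EMIT[state]
    return log_gauss(obs[0], mb, sb) + log_gauss(hour_dist(obs[1]), md, sd)

def logsumexp(xs):
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))

def log_likelihood(seq):
    """Forward algorithm in log space: log P(seq | model), summed over all state paths."""
    alpha = [math.log(PI[s]) + log_emit(s, seq[0]) for s in range(2)]
    for obs in seq[1:]:
        alpha = [logsumexp([alpha[p] + math.log(A[p][s]) for p in range(2)])
                 + log_emit(s, obs) for s in range(2)]
    return logsumexp(alpha)

def score(seq):
    return log_likelihood(seq) / len(seq)  # per observation, so window lengths compare

def fit_threshold(normal_seqs, margin=3.0):
    return min(score(s) for s in normal_seqs) - margin  # worst normal score minus a margin

def is_anomalous(seq, threshold):
    return score(seq) < threshold

# Constructed samples (Mbps, hour): two normal profiles and two test windows.
NORMAL = [[(75, 9), (90, 11), (85, 14), (70, 16)],  # heavy load in working hours
          [(8, 22), (12, 1), (6, 3), (9, 5)]]       # light load at night
HEAVY_NIGHT = [(85, 23), (90, 1), (95, 2), (80, 4)]  # daytime-sized load at night
HEAVY_DAY = [(85, 10), (90, 12), (95, 13), (80, 15)]
```

With the time feature present, HEAVY_NIGHT scores well below the threshold while HEAVY_DAY, carrying the same bandwidth values, stays within the normal profile; dropping the hour term would make the two windows indistinguishable.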
