Yonghui Xiao,Yilin Shen,Jinfei Liu,Li Xiong,Hongxia Jin,Xiaofeng Xu

DOI: https://doi.org/10.48550/arxiv.1609.09172

2016-01-01

Abstract:Hidden Markov model (HMM) has been well studied and extensively used. In this paper, we present DPHMM (Differentially Private Hidden Markov Model), an HMM embedded with a private data release mechanism, in which the privacy of the data is protected through a graph. Specifically, we treat every state in Markov model as a node, and use a graph to represent the privacy policy, in which "indistinguishability" between states is denoted by edges between nodes. Due to the temporal correlations in Markov model, we show that the graph may be reduced to a subgraph with disconnected nodes, which become unprotected and might be exposed. To detect such privacy risk, we define sensitivity hull and degree of protection based on the graph to capture the condition of information exposure. Then to tackle the detected exposure, we study how to build an optimal graph based on the existing graph. We also implement and evaluate the DPHMM on real-world datasets, showing that privacy and utility can be better tuned with customized policy graph.

Wei Wang,Xiaohong Guan,Xiangliang Zhang,Liwei Yang

DOI: https://doi.org/10.1016/j.cose.2006.05.005

IF: 5.105

2006-01-01

Computers & Security

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. In recent years, it has been a widely studied topic in computer network security. In this paper, we present two methods, namely, the Hidden Markov Models (HMM) method and the Self Organizing Maps (SOM) method, to profile normal program behavior for anomaly intrusion detection based on computer audit data. The HMM method utilizes the transition property of events while SOM method relies on the frequency property of events. Two data sets, CERT synthetic Sendmail system call data collected in the University of New Mexico (UNM) and Live FTP system call data collected in the CNSIS lab of Xi'an Jiaotong University, were used to assess the two methods. Testing results show that the HMM method using the transition property of events produces good detection performance while high computational expense is required both for training and detection. The HMM method is better than other two methods reported previously in terms of detection accuracy for the same data set. The SOM method considering the frequency property of events, on the other hand, is suitable for real-time intrusion detection because of its capability of processing a large amount of data with low computational overhead.

Xiaobin Tan,Hongsheng Xi

DOI: https://doi.org/10.1016/j.amc.2008.05.028

IF: 4.397

2008-01-01

Applied Mathematics and Computation

Abstract:In this paper, hidden semi-Markov model (HSMM) is introduced into intrusion detection. Hidden Markov model (HMM) has been applied in intrusion detection systems several years, but it has a major weakness: the inherent duration probability density of a state in HMM is exponential, which may be inappropriate for the modeling of audit data of computer systems. We can handle this problem well by developing an HSMM for perfect normal processes of computer systems. Based on this HSMM, an algorithm of anomaly detection is presented in this paper, which computes the distance between the processes monitored by intrusion detection system and the perfect normal processes. In this algorithm, we use the average information entropy (AIE) of fixed-length observed sequence as the anomaly detection metric based on maximum entropy principle (MEP). To improve accuracy, the segmental K-means algorithm is applied as training algorithm for the HSMM. By comparing the accurate rate with the experimental results of previous research, it shows that our method can perform a more accurate detection.

Genghong Lu,Dongqin Feng,Biao Huang

DOI: https://doi.org/10.1002/acs.3163

IF: 3.369

2020-01-01

International Journal of Adaptive Control and Signal Processing

Abstract:SummaryThe problem of robust attack detection and prediction for networked control systems in the presence of outliers is discussed in this article. The conventional hidden Markov model (HMM) is trained to learn the system behavior (ie, transitions between different operating modes) in the nominal process. The HMM with time‐varying transition probabilities is used to track the attack behavior in which the adversary triggers more hazard modes to hasten fatigue of control devices by injecting attack signals with random magnitude and frequency. For different operating modes, the observations are assumed to follow different multivariate Student's t distributions instead of Gaussian distributions and thus address the robust estimation problem. The expectation maximization algorithm is used to estimate parameters. Finally, simulations are conducted to verify the effectiveness of the proposed method.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Chenfeng Xiong,Di Yang,Jiaqi Ma,Xiqun Chen,Lei Zhang

DOI: https://doi.org/10.1007/s11116-018-9900-9

IF: 4.814

2020-01-01

Transportation

Abstract:As an emerging dynamic modeling method that incorporates time-dependent heterogeneity, hidden Markov models (HMM) are receiving increased research attention with regards to travel behavior modeling and travel demand forecasting. This paper focuses on the model transferability of HMM. Based on a series of transferability and goodness-of-fit measures, it finds that HMMs have a superior performance in predicting future transportation mode choice, compared to conventional choice models. Aimed at further enhancing its transferability, this paper proposes a Bayesian conditional recalibration approach that maps the model prediction directly to the context data. Compared to traditional model transferring methods, the proposed approach does not assume fixed parameterization and recalibrates the utilities and the prediction directly. A comparison between the proposed approach and the traditional transfer-scaling favors our approach, with higher goodness-of-fit. This paper fills the gap in understanding the transferability of HMM and proposes a practical method that enables potential applications of HMM.

Genghong Lu,Dongqin Feng,Biao Huang

DOI: https://doi.org/10.1109/tie.2020.2965467

IF: 7.7

2021-01-01

IEEE Transactions on Industrial Electronics

Abstract:The problem of attack detection for Stuxnet in the industrial control system is discussed in this article. Different operating modes (normal and hazard modes) may occur in the nominal process. In this article, we consider that the transition between different modes follows a Markov chain model with a certain transition probability. However, when the Stuxnet attack is launched, the attack signals with random multitude and frequency will be injected to trigger more hazard modes, and finally, hasten fatigue of control devices. Under this unpredictable attack, the transition between operating modes will not follow the regular transition probabilities. Therefore, a hidden Markov model with time-varying transition probabilities is utilized to describe the Stuxnet attack. The transition probabilities are estimated based on the measurements. By recognizing operating modes and predicting the number of the occurrence of hazard modes, the Stuxnet attack can be detected earlier if the predicted value exceeds the threshold. In the operating mode recognition, the expectation maximization algorithm is used to estimate the parameters considering random packet dropouts caused by the unreliable network. A simulation is conducted to verify the effectiveness of the proposed method.

Xiaoxuan Wang,Rolf Stadler

2024-02-20

Abstract:We study automated intrusion detection in an IT infrastructure, specifically the problem of identifying the start of an attack, the type of attack, and the sequence of actions an attacker takes, based on continuous measurements from the infrastructure. We apply statistical learning methods, including Hidden Markov Model (HMM), Long Short-Term Memory (LSTM), and Random Forest Classifier (RFC) to map sequences of observations to sequences of predicted attack actions. In contrast to most related research, we have abundant data to train the models and evaluate their predictive power. The data comes from traces we generate on an in-house testbed where we run attacks against an emulated IT infrastructure. Central to our work is a machine-learning pipeline that maps measurements from a high-dimensional observation space to a space of low dimensionality or to a small set of observation symbols. Investigating intrusions in offline as well as online scenarios, we find that both HMM and LSTM can be effective in predicting attack start time, attack type, and attack actions. If sufficient training data is available, LSTM achieves higher prediction accuracy than HMM. HMM, on the other hand, requires less computational resources and less training data for effective prediction. Also, we find that the methods we study benefit from data produced by traditional intrusion detection systems like SNORT.

Machine Learning,Cryptography and Security

Lin Wang,Chunjie Yang,Youxian Sun

DOI: https://doi.org/10.1021/acs.iecr.7b03600

2017-01-01

Industrial & Engineering Chemistry Research

Abstract:Due to the existence of multiple operating modes, traditional fault detection techniques are ill-suited for complex industrial processes. Although there are more and more literature studies concerning this problem, only a few of them are based on the hidden Markov model (HMM). However, there is no exploration to concern the unknown mode in the industrial process based on it. This article proposes a novel process monitoring approach based on moving window HMM (MVHMM) for real-time multimode process monitoring with unknown mode. First, a hidden Markov model is built by training set. Instead of just considering the posterior probability of one single sample, the moving window is introduced to utilize the independence of samples for improving the accuracy of online mode identification. In addition, an MVHMM-based threshold statistic is defined to identify the unknown mode. Also, various known modes which include stable modes and transitions are separated on the basis of the Viterbi algorithm. Second, a new monitoring scheme is developed for fault detection of each mode. The effectiveness of the proposed approach is validated by the Tennessee Eastman (TE) chemical process and a numerical simulation example.

W Wang,XH Guan,XL Zhang

DOI: https://doi.org/10.1109/cdc.2004.1428613

2004-01-01

Abstract:Profiling program and user behaviors is an effective approach for detecting hostile attacks to a computer system. A new model based method by non-negative matrix factorization (NMF) is presented in this paper to profile program and user behaviors for anomaly intrusion detection. In this new method, the audit data streams obtained from sequences of system calls and UNIX commands are used as the information source. The audit data is partitioned into segments with a fixed length. Program and user behaviors are, in turn, measured by the frequencies of individual system calls or commands embedded in each segment of the data, and NMF is applied to extract the features from the blocks of audit data associated with the normal behaviors. The model describing the normal program and user behaviors are built based on these features and deviation from the normal program and user behaviors above a predetermined threshold is considered as anomalous. The method is implemented and tested with the system call data from the University of New Mexico and the Unix command data from AT&T Research lab. Experiment results show that the proposed method is promising in terms of detection accuracy, computational expense and implementation for real-time intrusion detection.

Udaya Sampath K. Perera Miriya Thanthrige,Jagath Samarabandu,Xianbin Wang

DOI: https://doi.org/10.48550/arXiv.1610.07276

2016-10-24

Abstract:Intrusion detection is only a starting step in securing IT infrastructure. Prediction of intrusions is the next step to provide an active defense against incoming attacks. Current intrusion prediction methods focus mainly on prediction of either intrusion type or intrusion category and do not use or provide contextual information such as source and target IP address. In addition most of them are dependant on domain knowledge and specific scenario knowledge. The proposed algorithm employs a bag-of-words model together with a hidden Markov model which not depend on specific domain knowledge. Since this algorithm depends on a training process it is adaptable to different conditions. A key advantage of the proposed algorithm is the inclusion of contextual data such as source IP address, destination IP range, alert type and alert category in its prediction, which is crucial for an eventual response. Experiments conducted using a public data set generated over 2500 alert predictions and achieved accuracy of 81% and 77% for single step and five step predictions respectively for prediction of the next alert cluster. It also achieved an accuracy of prediction of 95% and 92% for single step and five step predictions respectively for prediction of the next alert category. The proposed methods achieved a prediction accuracy improvement of 5% for alert category over existing variable length Markov chain intrusion prediction methods, while providing more information for a possible defense.

Cryptography and Security

ZENG Jian-ping,GUO Dong-hui

2007-01-01

Abstract:A new detection method,MDAA,is proposed to solve the problems in determining the sliding window size and make it easily in selecting a precise decision value for current detection algorithms.In MDAA,HMM(Hidden Markov Model) is used to model the users' normal action.Sliding window size is determined by computing condition entropy of the model,thus the size can be adaptive to different users.Genetic algorithm is used to compute the maximal and minimal likelihood of sequence,and then the sequence can be transformed to a value that is more easily to be judged.Experiments on a real world data set show that the MDAA can get a better performance,and also it can be more adaptive to different users.

Gauri Kalnoor,S. Gowrishankar

DOI: https://doi.org/10.1007/s41870-021-00748-1

2021-09-24

International Journal of Information Technology

Abstract:Significant growth of smart home devices is adopted, which provides security, convenience, and energy efficiency for users, in recent years. As an instance, consider a secured smart camera that detects movements of unauthorized objects, whereas the fire accidents can be detected by smoke sensors. Though, a surface for new cyber threats is some of the most recent examples that are open up in this field. Furthermore, recent examples also show that the distributed denial of service (DDoS) attacks are performed by misusing the smart devices which are hacked violating the privacy rules. In this proposed work, the application of machine learning in an environment of smart homes is explored so that the anomalous activities that occur can be identified. The sensor data at the network level is trained using a model based on the Markov chain known as hidden Markov model (HMM) and is created using smart devices and multiple sensors from a testbed. The model generated using HMM achieves 97% accuracy while detecting potential anomalies where attacks are indicated. In this approach, we construct the model and differentiate the analysed results with existing techniques. The starting step for securing IoT networks is intrusion detection and the next step is the intruders prediction which provides an active defence against the incoming attacks. The model employs an algorithm that does not depend on specific domain knowledge. The work has achieved an improvement in prediction accuracy of 5% for an alert category over the current variable length methods of Markov chain intrusion prediction, as they provided information more for a possible defence. The DDoS attack is considered as a coordinated attack mainly carried out based on a large scale depending on whether the target system’s resources or services are available. Thus, the novel approach also describes a novel machine learning-based technique using an algorithm known as variational dynamic Bayesian algorithm which helps to obtain a HMM with the number of parameters and model states which are optimized for the prediction of a DDoS attack. This procedure conquers the speed of a moderate combination HMM approach.

Xiao X,Tian X,Zhai Q,Xia S.

DOI: https://doi.org/10.1016/j.jss.2012.05.049

IF: 3.5

2012-01-01

Journal of Systems and Software

Abstract:Masquerade detection is now one of the major concerns of system security research and its difficulty is to model user behavior on the nonstationary audit data. Many previous works represent the user behavior based on fixed-length models. In this paper, we propose a variable-length model to overcome their weakness in the precision and adaptability of user profiling. In the model, the user's normal behavior is profiled by Markov chain with states of variable-length sequences. At first multiple shell command streams of different lengths are generated and different shell command sequences are hierarchically merged into several sets to form the library of general sequences. Then the variable-length behavioral patterns of a valid user are mined and the Markov chain is constructed. While performing detection, the probabilities of short state sequences are calculated, smoothed with sliding windows, and finally used to classify the monitored user's activity as normal or abnormal. Our experiments with standard datasets such as Purdue data and SEA data reveal that the proposed model can achieve higher detection accuracy, require less memory and take shorter time than the other traditional methods and is amenable for real-time intrusion detection.

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.11.012

2011-01-01

Computer Science

Abstract:This paper presented a novel method for anomaly detection of user behavior based on the discrete-time Mar-kov chain model,which is applicable to intrusion detection systems using shell commands as audit data.In the training period,the uncertainty of the user's behavior and the relevance of the operation of shell commands in short time were fully considered.This method takes the sequences of shell commands as the basic processing units.It merges the sequences into sets in terms of their ordered frequencies and then constructs states of the Markov chain on the merged results.Therefore this method increases the accuracy of describing the normal behavior profile and the adaptability to the variations of the user's behavior and sharply reduces the number of states and the required storage space.In the detection stage,considering the real-time performance and the accuracy requirement of the detection system,it analyzes the anomaly degree of the user's behavior by computing the occurrence probabilities of the state sequences,and then provides two schemes,based on the probability stream filtered with single window or multi-windows,to classify the user's behavior.The results of our experiments show that this method can achieve higher detection performance and practicability than others.

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan,YE Run-guo

2011-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Masquerade attacks are attempts by unauthorized users to gain access to confidential data or greater access privileges,while pretending to be legitimate users.This paper proposes a novel method to distinguish legitimate users from masqueraders.The uncertainty of the user′s behavior and the relevance of the operation of shell commands are thoroughly considered.The method constructs specific highorder homogeneous Markov chain models to represent the normal behavior profiles of valid users.It defines the states by twofold hierarchical merging shell commands.Therefore this method increases the accuracy of describing the normal behavior profiles,improves the generalization of the detection system and sharply reduces the storage space.In the detection period,taking the real-time performance into account,it computes the categorical boolean variables only using the transition probabilities,which has little computation workload,and then smoothes them to get the decision values used to determine whether the monitored user′s behavior is normal or anomalous.Its performance is tested in computer simulation,showing higher detection accuracy and fewer computation costs than related methods′.The proposed method is especially suitable for on-line detection.

曾剑平,郭东辉

DOI: https://doi.org/10.19884/j.1672-5220.2007.02.028

2007-01-01

Abstract:Markov model is usually selected as the base model of user action in the intrusion detection system （IDS）. However, the performance of the IDS depends on the status space of Markov model and it will degrade as the space dimension grows. Here, Markov Graph Model （MGM） is proposed to handle this issue. Specification of the model is described, and several methods for probability computation with MGM are also presented. Based on MGM, algorithms for building user model and predicting user action are presented. And the performance of these algorithms such as computing complexity, prediction accuracy, and storage requirement of MGM are analyzed.

谭小彬,王卫平,奚宏生,殷保群

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.12.073

2002-01-01

Abstract:The paper builds a Markov model of system calls sequence on computer system for intrusion detection, and introduces an anomaly detection method for computer systems. It analyses the current system calls sequences by using the knowledge on statistics, then defines a mismatch factor based on transition probabilities to compute the mismatch rate, and judges whether the process is in normal state or not by analyzing the mismatch rate. It also gives an updated algorithm of transition probabilities based on forgetting factor.