Ye Du,Huiqiang Wang,Yonggang Pang

DOI: https://doi.org/10.1109/wcica.2004.1342334

2004-01-01

Abstract:Intrusion detection has emerged as an important approach to security problems. The existing techniques are analyzed, and then an effective anomaly detection method based on HMMs (hidden Markov models) is proposed to learn patterns of Unix processes. Fixed-length sequences of system calls were extracted from traces of programs to train and test models. The RP (relative probability) value, which uses short sequences as inputs, is computed to classify normal and abnormal behaviors. The algorithm is simple and can be directly applied. Experiments on sendmail and lpr traces demonstrate that the method can construct accurate and concise discriminator to detect intrusive actions.

Zhi-Yong Liu,Hong Qiao

DOI: https://doi.org/10.1007/11734628_26

2006-01-01

Abstract:Network security is an important issue for Intelligence and Security Informatics (ISI) [1-3]. As a complementary measure for traditional network security tools such as firewalls, the intrusion detection system (IDS) is becoming increasingly important and widely-used [4]. Generally speaking, the IDS works by building a model based on the normal data patterns and treating the operations that deviated significantly from the model as malicious. In its early stage of development, the IDS takes certain statistics (e.g., mean and variance) of the audit data to discriminate between the normal usage and attacks. Such systems are easy to construct; however, they suffer from a poor generalization ability to detect unknown or new attacks. Recently other models such as the finite Markov mode [5] and support vector machines [6] have been introduced into IDS, providing finer-grained characterization of normal users' behavior. In this report we investigate the potential application of the Hidden Markov Model (HMM) for intrusion detection.

Qb Yin,Lr Shen,Rb Zhang,Xy Li,Hq Wang

DOI: https://doi.org/10.1109/ICMLC.2003.1260114

2003-01-01

Abstract:The intrusion detection technologies of the network security are researched, and the technologies of pattern recognition are used to intrusion detection. Intrusion detection rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. Hidden Markov Model (HMM) has been successfully used in speech recognition and some classification areas. Since Anomaly Intrusion Detection can be treated as a classification problem, some basic ideas have been proposed on using HMM to model normal behavior. The experiments have showed that the method based on HMM is effective to detect anomalistic behaviors.

Fei Gao,Jizhou Sun,Zunce Wei

DOI: https://doi.org/10.1109/CCECE.2003.1226038

2003-01-01

Abstract:Information security is an issue of serious global concern. The development of Internet increases the security risk of information systems greatly. This paper utilizes HMM (hidden Markov model) to realize the forecast ability of IDS (intrusion detection system). In this model, a command sequence or a control information sequence is regarded as a series of state transitions with a certain probability. The performance of several algorithms is compared such as F-BP (forward-back propagation) algorithm, Viterbi learning algorithm, EM (expectation maximization) algorithm, etc. In order to provide a soft boundary to the decision-making, fuzzy math is also introduced to this model. By this means, the intelligence of the IDS is improved and some decision-making abilities and reasoning abilities are offered to IDS. As well this paper reports the results about our project.

Bo Gao,Huiye Ma,Yuhang Yang

DOI: https://doi.org/10.1109/ICMLC.2002.1176779

2002-01-01

Abstract:In this paper we discuss our research in developing anomaly detecting method for intrusion detection. The key idea is to use HMMs (Hidden Markov models) to learn the (normal and abnormal) patterns of Unix processes. These patterns can be used to detect anomalies and known intrusion. Using experiments on the mail-sending system call data, we demonstrate that we can construct concise and accurate classifiers to detect intrusion action.

Ye Du,Huiqiang Wang,Yonggang Pang

DOI: https://doi.org/10.1007/978-3-540-30497-5_108

2004-01-01

Abstract:Anomaly intrusion detection focuses on modeling normal behaviors and identifying significant deviations, which could be novel attacks. The existing techniques in that domain were analyzed, and then an effective anomaly detection method based on HMMs (Hidden Markov Models) was proposed to learn patterns of Unix processes. Fixed-length sequences of system calls were extracted from traces of programs to train and test models. Both temporal orderings and parameters of system calls were taken into considered in this method. The RP (Relative Probability) value, which used short sequences as inputs, was computed to classify normal and abnormal behaviors. The algorithm is simple and can be directly applied. Experiments on sendmail and lpr traces demonstrate that the method can construct accurate and concise discriminator to detect intrusive actions.

Wei Wang,Xiaohong Guan,Xiangliang Zhang,Liwei Yang

DOI: https://doi.org/10.1016/j.cose.2006.05.005

IF: 5.105

2006-01-01

Computers & Security

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. In recent years, it has been a widely studied topic in computer network security. In this paper, we present two methods, namely, the Hidden Markov Models (HMM) method and the Self Organizing Maps (SOM) method, to profile normal program behavior for anomaly intrusion detection based on computer audit data. The HMM method utilizes the transition property of events while SOM method relies on the frequency property of events. Two data sets, CERT synthetic Sendmail system call data collected in the University of New Mexico (UNM) and Live FTP system call data collected in the CNSIS lab of Xi'an Jiaotong University, were used to assess the two methods. Testing results show that the HMM method using the transition property of events produces good detection performance while high computational expense is required both for training and detection. The HMM method is better than other two methods reported previously in terms of detection accuracy for the same data set. The SOM method considering the frequency property of events, on the other hand, is suitable for real-time intrusion detection because of its capability of processing a large amount of data with low computational overhead.

Fei Wang,Hongliang Zhu,Bin Tian,Yang Xin,Xinxin Niu,Yu Yang

DOI: https://doi.org/10.1109/icbnmt.2011.6155940

2011-01-01

Abstract:Intrusion-detection systems (IDSs) are essential tools for the security of computer systems. Anomaly detection, which uses knowledge about normal behaviors and attempts to detect intrusions by noting significant deviations, has been paid more and more attention. In this paper, we introduce a HMM-based method for anomaly detection. The proposed method is composed of two important stages: off-line training stage and on-line testing stage. In the off-line training stage, we train the normal behaviors by hidden Markov models (HMMs). In the on-line testing stage, we make the final decision based on the minimum risk Bayesian decision theory. We deploy the method on an IDS system to evaluate its performance, and the experimental results demonstrate that our method can achieve satisfying results.

Xiaobin Tan,Hongsheng Xi

DOI: https://doi.org/10.1016/j.amc.2008.05.028

IF: 4.397

2008-01-01

Applied Mathematics and Computation

Abstract:In this paper, hidden semi-Markov model (HSMM) is introduced into intrusion detection. Hidden Markov model (HMM) has been applied in intrusion detection systems several years, but it has a major weakness: the inherent duration probability density of a state in HMM is exponential, which may be inappropriate for the modeling of audit data of computer systems. We can handle this problem well by developing an HSMM for perfect normal processes of computer systems. Based on this HSMM, an algorithm of anomaly detection is presented in this paper, which computes the distance between the processes monitored by intrusion detection system and the perfect normal processes. In this algorithm, we use the average information entropy (AIE) of fixed-length observed sequence as the anomaly detection metric based on maximum entropy principle (MEP). To improve accuracy, the segmental K-means algorithm is applied as training algorithm for the HSMM. By comparing the accurate rate with the experimental results of previous research, it shows that our method can perform a more accurate detection.

Wang Zhigang,Qian Xingkun,Wang Dongliang

DOI: https://doi.org/10.3969/j.issn.1009-6833.2006.07.009

2006-01-01

Abstract:First,the research progress of intrusion detection is recalled,then the model of an IDS based on Markov and BW is presented.An example of using system call trace data,which is usually used in intrusion detection,is given to illustrate the performance of this model.Finally.comparison of detection ability between the above detection method and others is given.lt is found that the IDS based on HMM System Call squence has improve the accuracy greatly.

ZHOU Xing,PENG Qin-ke,WANG Jing-bo

DOI: https://doi.org/10.3969/j.issn.1001-3695.2008.03.076

2008-01-01

Abstract:How to extract sequence patterns of system calls is an important research topic of system call based intrusion detection approaches.This paper proposed a new method to construct variable-length patterns by using the chains of function return addresses information from call stack of the process.Compared with Wang's method,this method could generate a more integrated set of patterns.Then,constructed a two-layer hidden Markov model(HMM) based on variable-length patterns to detect abnormal behaviors.Compared with the traditional HMM method,this method could achieve lower false negatives rate and false positives rate.

DY Yeung,YX Ding

DOI: https://doi.org/10.1016/s0031-3203(02)00026-2

IF: 8

2003-01-01

Pattern Recognition

Abstract:Intrusion detection has emerged as an important approach to network security. In this paper, we adopt an anomaly detection approach by detecting possible intrusions based on program or user profiles built from normal usage data. In particular, program profiles based on Unix system calls and user profiles based on Unix shell commands are modeled using two different types of behavioral models for data mining. The dynamic modeling approach is based on hidden Markov models (HMM) and the principle of maximum likelihood, while the static modeling approach is based on event occurrence frequency distributions and the principle of minimum cross entropy. The novelty detection approach is adopted to estimate the model parameters using normal training data only, as opposed to the classification approach which has to use both normal and intrusion data for training. To determine whether or not a certain behavior is similar enough to the normal model and hence should be classified as normal, we use a scheme that can be justified from the perspective of hypothesis testing. Our experimental results show that the dynamic modeling approach is better than the static modeling approach for the system call datasets, while the dynamic modeling approach is worse for the shell command datasets. Moreover, the static modeling approach is similar in performance to instance-based learning reported previously by others for the same shell command database but with much higher computational and storage requirements than our method.

Jingling Zhao,Guoxiao Huang,Tianyu Liu,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-319-61542-4_94

2017-01-01

Abstract:In order to ensure the normal operation and security of the software, this paper presents an abnormal behavior state recognition system based on Hidden Markov model, using the local regularity of the trace of the system call to extract the intrinsic sequence pattern, and construct the normal behavior model through the HMM algorithm. This system is capable of establishing the system call model during normal operation and judge whether the software is running normally by the matching between the actual system call and the normal model. Experiments show that, compared with only using system call sequence information of classical hidden Markov method, the method of training time is only 10% of the traditional method, and can obtain lower false positive rate and false negative rate.

Panhong Wang,Liang Shi,Beizhan Wang,Yangbin Liu

DOI: https://doi.org/10.1109/icinfa.2011.5949013

2011-01-01

Abstract:HMM (Hidden Markov Model) is a very important intrusion detection tool. The classical HMM training algorithm is a climbing algorithm. It can only find a local optimal solution. To improve the accuracy of HMM training, this paper introduces a hybrid algorithm into intrusion detection. Experiments show that this algorithm can find a more accurate model.

Lai Yingxu,Liu Jing,Wang Yipei

DOI: https://doi.org/10.3969/j.issn.0258-7998.2011.07.052

2011-01-01

Abstract:A method of user behavior anomaly detection was presented.The method constructs specific hidden Markov model(HMM) with shell commands as audit data.The method is different with other references on data preprocessing and representing the behavior profiles of users.The results of computer simulation show the method presented can achieve high detection accuracy and practicability.

Cheng Zhang,Qinke Peng

DOI: https://doi.org/10.1007/11596981_47

2005-01-01

Abstract:Anomaly detection has emerged as an important approach to computer security. In this paper, a new anomaly detection method based on Hidden Markov Models (HMMs) is proposed to detect intrusions. Both system calls and return addresses from the call stack of the program are extracted dynamically to train and test HMMs. The states of the models are associated with the system calls and the observation symbols are associated with the sequences of return addresses from the call stack. Because the states of HMMs are observable, the models can be trained with a simple method which requires less computation time than the classical Baum-Welch method. Experiments show that our method reveals better detection performance than traditional HMMs based approaches.

Xin Zan,Feng Gao,Jiuqiang Han,Yu Sun

DOI: https://doi.org/10.1109/mines.2009.277

2009-01-01

Abstract:Recently, several approaches for intrusion correlation and attack scenario analysis have been proposed. However, these approaches all focus on the flooding alert reduction or high-level alert correlation. In this paper, we study the problem of tracking and predicting of attack intentions. We use hidden markov models to represent the typical attack scenarios and design a complete framework named HMM-AIP composed of online tracking and prediction module and offline model training module. A novel and effective tracking and predicting attack intention algorithm is presented. We perform experiments to validate our algorithm and the results show that our approach can identify false alert and give the creditable prediction result when the alert observation sequence fits the typical attack scenarios nicely.

Peng Li,Lei Liu,Jing Xu,Hongji Yang,Liying Yuan,Chenkai Guo,Xiujuan Ji

DOI: https://doi.org/10.1109/compsac.2017.64

2017-01-01

Abstract:Due to the increasing complexity of web and client application's structure, security problem has become more and more critical. Among all the threats reported, SQL Injection Attacks (SQLIAs) have always been top-ranked in recent years, and network logs, which are very important for the detection of SQLIA, are often utilized to analyze the user's attacking behaviors. However, the collection of network logs is often compromised due to the growing complexity of network structure, leading to a great challenge to the log-based SQLIA detection. In view of this, this paper proposes a novel approach to the detection of SQLIA based on log analyzing with Hidden Markov Model (HMM), combined with statistical characteristic and feature matching. At first, we build browsing behavior models of attackers and legal users. Furthermore, we use HMM to restore user's browsing procedure from the customised user logs. Finally, the method detects SQLIAs by analyzing the behavior of users in reality, without requiring sensitive information submitted by users. Our experiments show that the proposed method can detect possible SQLIAs and identify malicious users effectively, and has higher accuracy in comparison with the Kmeans method.

Jing Zhao,HouKuan Huang,ShengFeng Tian,Xiang Zhao

DOI: https://doi.org/10.1109/CSO.2009.51

2009-01-01

Abstract:A protocol anomaly detection model based on hidden Markov model (HMM) is given in this work which can verify normal and abnormal traffic. Then we demonstrate the model's correctness and effectiveness by using MIT Lincoln Laboratory 1999 DARPA Intrusion Detection Evaluation Data Set.

Panhong Wang,Liang Shi,Beizhan Wang,Yuanqin Wu

DOI: https://doi.org/10.1109/ICCSE.2010.5593839

2010-01-01

Abstract:Intrusion detection based on System calls is a very important domain of anomaly detection, this paper firstly introduces the basic idea of Hidden Markov Model (HMM) based intrusion detection, and then expounds its current development with comparisons about the merits and shortcomings to the current mainstream technologies, by the way, presenting some further discussions upon the future direction of the HMM-based intrusion detection.