Genghong Lu,Dongqin Feng,Biao Huang

DOI: https://doi.org/10.1002/acs.3163

IF: 3.369

2020-01-01

International Journal of Adaptive Control and Signal Processing

Abstract:SummaryThe problem of robust attack detection and prediction for networked control systems in the presence of outliers is discussed in this article. The conventional hidden Markov model (HMM) is trained to learn the system behavior (ie, transitions between different operating modes) in the nominal process. The HMM with time‐varying transition probabilities is used to track the attack behavior in which the adversary triggers more hazard modes to hasten fatigue of control devices by injecting attack signals with random magnitude and frequency. For different operating modes, the observations are assumed to follow different multivariate Student's t distributions instead of Gaussian distributions and thus address the robust estimation problem. The expectation maximization algorithm is used to estimate parameters. Finally, simulations are conducted to verify the effectiveness of the proposed method.

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.

Sha‐Yuan Zhou,Shu‐Qing Wang

DOI: https://doi.org/10.1002/apj.5500130322

2005-01-01

Developments in Chemical Engineering and Mineral Processing

Abstract:AbstractFor many on‐line fault diagnosis schemes based on process data, a moving time window is an indispensable technique to track dynamic data. In this paper, a novel approach combining variable moving window and hidden Markov model (HMM) for on‐line identification of abnormal operating conditions is proposed. The main feature of this method is that the window length can be changed with time. Before fault diagnosis, some process measurements are used for fault alarm. As a tool for feature extraction, principal component analysis (PCA) is employed in order to reduce the large number of correlated variables. The effectiveness of the approach is illustrated by case studies from the Tennessee Eastman process.

Lin Wang,Chunjie Yang,Youxian Sun

DOI: https://doi.org/10.1021/acs.iecr.7b03600

2017-01-01

Industrial & Engineering Chemistry Research

Abstract:Due to the existence of multiple operating modes, traditional fault detection techniques are ill-suited for complex industrial processes. Although there are more and more literature studies concerning this problem, only a few of them are based on the hidden Markov model (HMM). However, there is no exploration to concern the unknown mode in the industrial process based on it. This article proposes a novel process monitoring approach based on moving window HMM (MVHMM) for real-time multimode process monitoring with unknown mode. First, a hidden Markov model is built by training set. Instead of just considering the posterior probability of one single sample, the moving window is introduced to utilize the independence of samples for improving the accuracy of online mode identification. In addition, an MVHMM-based threshold statistic is defined to identify the unknown mode. Also, various known modes which include stable modes and transitions are separated on the basis of the Viterbi algorithm. Second, a new monitoring scheme is developed for fault detection of each mode. The effectiveness of the proposed approach is validated by the Tennessee Eastman (TE) chemical process and a numerical simulation example.

Yu Sun,Gangfeng Yan,Xiasheng Shi

DOI: https://doi.org/10.1088/1757-899x/631/4/042046

2019-01-01

IOP Conference Series Materials Science and Engineering

Abstract:Abstract Traditional methods for detecting data anomalies of power equipment fail to fully mine the data characteristics. And it has shortcomings such as complex calculation, poor flexibility and low accuracy. To solve the problem of abnormal fault detection of electric equipment, the abnormal detection algorithm based on statistical analysis and machine learning is used in the paper. The reconstruction method based on Long Short Term Memory (LSTM) time sequence is proposed for time series data abnormal detection. Experiments show that the new method is effective in detecting and correcting abnormal data, which reduces the detection time and improves the accuracy of state estimation results. There are huge differences within the positive samples in anomaly detection, so several methods are studied in the paper. One-class SVM algorithm is often used in novelty detection and isolation forest algorithm is used in outlier detection. Machine learning methods which is based on statistical analysis will play an increasingly important role in the fields of equipment monitoring and predictive maintenance, safety of electric equipment.

Wei Wang,Xiaohong Guan,Xiangliang Zhang,Liwei Yang

DOI: https://doi.org/10.1016/j.cose.2006.05.005

IF: 5.105

2006-01-01

Computers & Security

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. In recent years, it has been a widely studied topic in computer network security. In this paper, we present two methods, namely, the Hidden Markov Models (HMM) method and the Self Organizing Maps (SOM) method, to profile normal program behavior for anomaly intrusion detection based on computer audit data. The HMM method utilizes the transition property of events while SOM method relies on the frequency property of events. Two data sets, CERT synthetic Sendmail system call data collected in the University of New Mexico (UNM) and Live FTP system call data collected in the CNSIS lab of Xi'an Jiaotong University, were used to assess the two methods. Testing results show that the HMM method using the transition property of events produces good detection performance while high computational expense is required both for training and detection. The HMM method is better than other two methods reported previously in terms of detection accuracy for the same data set. The SOM method considering the frequency property of events, on the other hand, is suitable for real-time intrusion detection because of its capability of processing a large amount of data with low computational overhead.

Kiichi Tago,Qun Jin

DOI: https://doi.org/10.1109/itme.2018.00040

2018-10-01

Abstract:Nowadays, it has become convenient to record data related to an individual using a wearable device. However, it is difficult to utilize the data according to the individual, especially to anomaly detection. Anomaly detection is very important for healthcare, e.g., early detecting of illness. In our previous study, we proposed an approach to specifying latent factors using Structural Equation Modeling (SEM). In this paper, we propose an improved approach for anomaly detection taking account of personal status based on latent factors. To estimate the states, we adopt Hidden Markov Model (HMM). Moreover, we use Hotelling's theory to detect abnormal data statistically. By using our approach, even if states can not be explicitly obtained from a device, hidden states can be estimated to perform anomaly detection in more details.

Su Yang,Weihua Liu

DOI: https://doi.org/10.1109/iThings/CPSCom.2011.25

IF: 5.711

2011-01-01

Internet of Things

Abstract:Trajectories of people provide rich information about the collective behaviors, where the term collective behavior means the behavior of a large number of people as a whole. Abnormal people trajectories that are rarely observed may correspond with some unusual events, for instance, natural disasters, terrorism attacks, or traffic accidents. To detect such abnormal people trajectories, namely outliers, this paper presents a solution based on Hidden Markov Model (HMM). The motivation to use HMM for outlier detection on people trajectories is that time-varying people distribution can be modeled by using HMM and HMM can provide the probability that a sequence appears. Here, the time-varying people distributions with low probabilities to appear are regarded as outliers. Experiments with an artificial data set simulating collective behaviors and a real-world traffic data set validate the proposed solution.

谭小彬,王卫平,奚宏生,殷保群

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.12.073

2002-01-01

Abstract:The paper builds a Markov model of system calls sequence on computer system for intrusion detection, and introduces an anomaly detection method for computer systems. It analyses the current system calls sequences by using the knowledge on statistics, then defines a mismatch factor based on transition probabilities to compute the mismatch rate, and judges whether the process is in normal state or not by analyzing the mismatch rate. It also gives an updated algorithm of transition probabilities based on forgetting factor.

Min Wang,Donghua Zhou,Maoyin Chen

DOI: https://doi.org/10.1109/tcyb.2022.3228524

IF: 11.8

2024-01-01

IEEE Transactions on Cybernetics

Abstract:Effective process monitoring is both a prerequisite and a guarantee for high system reliability. In modern industrial processes, binary variables may appear together with continuous variables, making process monitoring more intractable. Recently, a model named hybrid variable monitoring (HVM) has been proposed to conduct anomaly detection with both continuous and binary variables. Although the performance of HVM has been significantly improved after using the information of binary variables, it assumes that every continuous variable obeys a single Gaussian distribution and each binary variable obeys a single Bernoulli distribution. It is difficult for practical processes to satisfy such strict assumptions. To overcome this problem, this study proposes an improved algorithm called HVM mixture model (HVMMM). The HVMMM contains multiple components with the assumption of an HVM for every component. Compared with the HVM, the HVMMM is suitable for more general situations and has a more accurate characterization of the data features. Subsequently, the expectation-maximization (EM) algorithm is adopted for parameter learning for multiple components. The mathematical expressions of the parameters are derived in detail. In addition, the improvement on the monitoring performance caused by multiple components is analyzed. Finally, a numerical example and a practical case are used to demonstrate the effectiveness and efficiency of HVMMM. After multiple components are considered, the fault detection rate increases by 5.49% in the numerical example and the false alarm rate reduces by 1.6% in the practical case.

Jiangjiao Duan,Jianping Zeng,Dongzhan Zhang

DOI: https://doi.org/10.1109/fskd.2009.732

2009-01-01

Abstract:Hidden Markov model (HMM) is widely used in time series modeling. Usually, it is necessarily to calculate the sequence's likelihood w.r.t. HMM to evaluate the similarity between the sequence and the HMM. Hence, it is required to provide a method to select a best threshold value that can determine whether the sequence is well approximated by the model or not. However, this process is usually done manually. Here, we provide a method (HTDM) to determine the threshold automatically. Based on likelihood statistic, we conclude that the likelihood is subjected to normal distribution, and then standard deviation of the distribution is estimated. Hence, the distance threshold value can be achieved based on the rule of "three sigma". In the experiment, we make performance comparison between the HMM-based hierarchical clustering algorithm HHCH using HTDM, and algorithm HBHCTS in which threshold is set by manual. Experiment results show that the proposed method is effective on both syntax dataset and real world dataset.

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.11.012

2011-01-01

Computer Science

Abstract:This paper presented a novel method for anomaly detection of user behavior based on the discrete-time Mar-kov chain model,which is applicable to intrusion detection systems using shell commands as audit data.In the training period,the uncertainty of the user's behavior and the relevance of the operation of shell commands in short time were fully considered.This method takes the sequences of shell commands as the basic processing units.It merges the sequences into sets in terms of their ordered frequencies and then constructs states of the Markov chain on the merged results.Therefore this method increases the accuracy of describing the normal behavior profile and the adaptability to the variations of the user's behavior and sharply reduces the number of states and the required storage space.In the detection stage,considering the real-time performance and the accuracy requirement of the detection system,it analyzes the anomaly degree of the user's behavior by computing the occurrence probabilities of the state sequences,and then provides two schemes,based on the probability stream filtered with single window or multi-windows,to classify the user's behavior.The results of our experiments show that this method can achieve higher detection performance and practicability than others.

ZENG Jian-ping,GUO Dong-hui

2007-01-01

Abstract:A new detection method,MDAA,is proposed to solve the problems in determining the sliding window size and make it easily in selecting a precise decision value for current detection algorithms.In MDAA,HMM(Hidden Markov Model) is used to model the users' normal action.Sliding window size is determined by computing condition entropy of the model,thus the size can be adaptive to different users.Genetic algorithm is used to compute the maximal and minimal likelihood of sequence,and then the sequence can be transformed to a value that is more easily to be judged.Experiments on a real world data set show that the MDAA can get a better performance,and also it can be more adaptive to different users.

Xi XIAO,Shu-tao XIA,Xin-guang TIAN,Qi-bin ZHAI

DOI: https://doi.org/10.1016/s1005-8885(10)60128-8

2011-01-01

The Journal of China Universities of Posts and Telecommunications

Abstract:In anomaly detection, a challenge is how to model a user's dynamic behavior. Many previous works represent the user behavior based on fixed-length models. To overcome their shortcoming, we propose a novel method based on discrete-time Markov chains (DTMC) with states of variable-length sequences. The method firstly generates multiple shell command streams of different lengths and combines them into the library of general sequences. Then the states are defined according to variable-length behavioral patterns of a valid user, which improves the precision and adaptability of user profiling. Subsequently the transition probability matrix is created. In order to reduce computational complexity, the classification values are determined only by the transition probabilities, then smoothed with sliding windows, and finally used to discriminate between normal and abnormal behavior. Two empirical evaluations on datasets from Purdue University and AT&T Shannon Lab show that the proposed method can achieve higher detection accuracy and require less memory than the other traditional methods.

Amayri, Manar,Bouguila, Nizar

DOI: https://doi.org/10.1007/s10044-024-01341-5

IF: 2.307

2024-09-19

Pattern Analysis and Applications

Abstract:Hidden Markov models (HMMs) are popular methods for continuous sequential data modeling and classification tasks. In such applications, the observation emission densities of the HMM hidden states are generally continuous, can vary from one model to the other, and are typically modeled by elliptically contoured distributions, namely Gaussians or Student's t-distributions. In this context, this paper proposes a novel HMM with Bounded Asymmetric Student's t-Mixture Model (BASMM) emissions. Our new BASMMHMM is introduced in the light of the added robustness guaranteed by the BASMM in comparison to other popular emission distributions such as the Gaussian Mixture Model (GMM). In fact, GMMs generally have a limited performance with outliers in the data sets (observations) that the HMM is fitted to. Also, GMMs cannot sufficiently model skewed populations, which are typical in many fields, such as financial or signal processing-related data sets. An excellent alternative to solve this problem is found in Student's t-mixture models. They have similar behaviour and shape to GMMs, but with heavier tails. This allows to have more tolerance towards data sets that span extensive ranges and include outliers. Asymmetry and bounded support are also important features that can further extend the model's flexibility and fit the imperfections of real-world data. This leads us to explore the effectiveness of the BASMM as an observation emission distribution in HMMs, hence the proposed BASMMHMM. We will also demonstrate the improved robustness of our model by presenting the results of three different experiments: occupancy estimation, stock price prediction, and human activity recognition.

computer science, artificial intelligence

Guojian Luo,Jianfeng Qu,Lina Zhang,Xiaoyu Fang,Yi Zhang,Tong Zhou

DOI: https://doi.org/10.1109/iscc55528.2022.9912983

2022-01-01

Abstract:Increased needs for social security promote the development of video surveillance, appealing to the exigency of real-time detection of anomalous events. Considering the rarity and unpredictability of anomalous events, a classical strategy is to model normal data and detect outliers to the model. As a fundamental generative model for time series data, Hidden Markov models (HMM) have been employed in various fields such as speech recognition and video analysis. In this paper, we propose the use of Bayesian HMMs with Dirichlet mixtures which are arrayed along patched frames with Dirichlet distributions as emission probability functions. These spatially-aligned HMMs evolve in parallel, significantly reducing inference time. Learning algorithm based on Stochastic Variational Inference and Discrete Variable Enumeration is applied to our model for fast and robust inference. Experiments over the public UCSD dataset demonstrate the validity of this approach.

Wei Ma,Yunyun Hou,Mingyu Jin,Pengpeng Jian

DOI: https://doi.org/10.1371/journal.pone.0300821

IF: 3.7

2024-03-26

PLoS ONE

Abstract:Multi-stage attacks are one of the most critical security threats in the current cyberspace. To accurately identify multi-stage attacks, this paper proposes an anomaly-based multi-stage attack detection method. It constructs a Multi-Stage Profile (MSP) by modeling the stable system's normal state to detect attack behaviors. Initially, the method employs Doc2Vec to vectorize alert messages generated by the intrusion detection systems (IDS), extracting profound inter-message correlations. Subsequently, Hidden Markov Models (HMM) are employed to model the normal system state, constructing an MSP, with relevant HMM parameters dynamically acquired via clustering algorithms. Finally, the detection of attacks is achieved by determining the anomaly threshold through the generation probability (GP). To evaluate the performance of the proposed method, experiments were conducted using three public datasets and compared with three advanced multi-stage attack detection methods. The experimental results demonstrate that our method achieves an accuracy of over 99% and precision of 100% in multi-stage attack detection. This confirms the effectiveness of our method in adapting to different attack scenarios and ultimately completing attack detection.

multidisciplinary sciences

U. Hacizade,A.Y. Kalayci

DOI: https://doi.org/10.1109/ET63133.2024.10721523

2024-09-17

Abstract:In this study, studies on intrusion detection systems have been meticulously examined and an example model of the intrusion detection system has been created. The UNSW-NB15 data set used in this process was subjected to training and testing stages with machine learning methods such as Logistic Regression, K-nearest Neighbor Algorithm, Support Vector Machines, Naive Bayes, Decision Tree and Random Forest Algorithm. By applying machine learning methods to the data used in the training phase, normal network traffic was taught and a reference model was created with this information.

Engineering,Computer Science

J Li,JX Wang,YN Zhao,ZH Yang

DOI: https://doi.org/10.1016/j.patrec.2003.10.001

IF: 4.757

2003-01-01

Pattern Recognition Letters

Abstract:Hidden Markov models (HMMs) are stochastic models widely used in speech and image processing in recent years. The number of states in a classical HMMs is usually predefined and fixed during training, and may be quite different from the real number of hidden states of the signal source. Moreover, in pattern recognition applications, different signal sources probably have different state numbers, thereby cannot be well modeled by HMMs with a fixed state number. This paper proposes a self-adaptive design method of HMMs to overcome this limitation. According to this design, an HMM automatically matches its state number to the real state number of the signal source being modeled. To realize a practicable training algorithm for the new HMM, this paper first introduces an entropic definition of the a priori probability of the model and accordingly a maximum a posteriori (MAP) training strategy, and then designs an MAP training algorithm in the case of fixed state number based on the deterministic annealing (DA) technique. Based on this MAP training, a complete training method named shrink algorithm is finally proposed for the new HMM. Experimental results indicate that self-adaptive HMMs can model stochastic signals more accurately and have better performance in pattern recognition than classical models.

Chao Ning,Maoyin Chen,Donghua Zhou

DOI: https://doi.org/10.1021/ie5002394

2014-01-01

Industrial & Engineering Chemistry Research

Abstract:Multiple operating modes pose a challenge for process monitoring in industry. Although many monitoring approaches have achieved quite success, most of them neglected the dependency of sampled data and only dealt with samples in a separate fashion. This paper proposes a sequential framework for multimode process monitoring with hidden Markov model-based statistics pattern analysis (HMM-SPA). To begin with, a hidden Markov model is trained on the basis of the historical data. Statistics pattern analysis mixture models (SPAMM) are constructed to characterize the distinctive statistical pattern of each operating mode. Then, during online monitoring period, the mode vector is obtained using the Viterbi algorithm, and the differential mode vector is calculated. At last, the proposed method switches to an appropriate monitoring index automatically, according to the norm of the differential mode vector. The effectiveness of the proposed method is demonstrated by a numerical simulation, a continuous stirred tank heater (CSTH) process, and the Tennessee Eastman process.