Panhong Wang,Liang Shi,Beizhan Wang,Yuanqin Wu

DOI: https://doi.org/10.1109/ICCSE.2010.5593839

2010-01-01

Abstract:Intrusion detection based on System calls is a very important domain of anomaly detection, this paper firstly introduces the basic idea of Hidden Markov Model (HMM) based intrusion detection, and then expounds its current development with comparisons about the merits and shortcomings to the current mainstream technologies, by the way, presenting some further discussions upon the future direction of the HMM-based intrusion detection.

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.

Cheng Zhang,Qinke Peng

DOI: https://doi.org/10.1007/11596981_47

2005-01-01

Abstract:Anomaly detection has emerged as an important approach to computer security. In this paper, a new anomaly detection method based on Hidden Markov Models (HMMs) is proposed to detect intrusions. Both system calls and return addresses from the call stack of the program are extracted dynamically to train and test HMMs. The states of the models are associated with the system calls and the observation symbols are associated with the sequences of return addresses from the call stack. Because the states of HMMs are observable, the models can be trained with a simple method which requires less computation time than the classical Baum-Welch method. Experiments show that our method reveals better detection performance than traditional HMMs based approaches.

Xiaobin Tan,Hongsheng Xi

DOI: https://doi.org/10.1016/j.amc.2008.05.028

IF: 4.397

2008-01-01

Applied Mathematics and Computation

Abstract:In this paper, hidden semi-Markov model (HSMM) is introduced into intrusion detection. Hidden Markov model (HMM) has been applied in intrusion detection systems several years, but it has a major weakness: the inherent duration probability density of a state in HMM is exponential, which may be inappropriate for the modeling of audit data of computer systems. We can handle this problem well by developing an HSMM for perfect normal processes of computer systems. Based on this HSMM, an algorithm of anomaly detection is presented in this paper, which computes the distance between the processes monitored by intrusion detection system and the perfect normal processes. In this algorithm, we use the average information entropy (AIE) of fixed-length observed sequence as the anomaly detection metric based on maximum entropy principle (MEP). To improve accuracy, the segmental K-means algorithm is applied as training algorithm for the HSMM. By comparing the accurate rate with the experimental results of previous research, it shows that our method can perform a more accurate detection.

AN Jing-qi,LIU Gui-Quan,QIAN Quan

2005-01-01

Abstract:An algorithm was given to making a kind of HMM(Hidden Markov Model) for anomaly detection. The application in anomaly detetction of the model was introduced from analyzing on support of sequence and sequence prediction.Factions which inflect results and efficiency were discussed by the experiments. And the experiments also show that the method can detect intrusion without any security knowledge.

Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Wang Zhigang,Qian Xingkun,Wang Dongliang

DOI: https://doi.org/10.3969/j.issn.1009-6833.2006.07.009

2006-01-01

Abstract:First,the research progress of intrusion detection is recalled,then the model of an IDS based on Markov and BW is presented.An example of using system call trace data,which is usually used in intrusion detection,is given to illustrate the performance of this model.Finally.comparison of detection ability between the above detection method and others is given.lt is found that the IDS based on HMM System Call squence has improve the accuracy greatly.

Jin-zhong HUANG,Miao-liang ZHU,Ye GUO

DOI: https://doi.org/10.3785/j.issn.1008-973X.2006.02.014

2006-01-01

Abstract:Current anomaly detection technique cannot provide any valuable information except simple alarm. To resolve this problem, a new anomaly detection method was proposed. The system call traces are represented as a kind of hierarchy model composed of system call, operation, transition and activity, while the normal program behavior is described using a context-free grammar with semantic labels attached. Some key system calls and their parameters or return values are used to segment and learn normal traces. Experimental results show that this method can effectively detect attacks exploiting vulnerabilities, and can also analyze anomaly scenes and provide much information on anomalous events including intruders' IP addresses.

Wei Wang,Xiaohong Guan,Xiangliang Zhang,Liwei Yang

DOI: https://doi.org/10.1016/j.cose.2006.05.005

IF: 5.105

2006-01-01

Computers & Security

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. In recent years, it has been a widely studied topic in computer network security. In this paper, we present two methods, namely, the Hidden Markov Models (HMM) method and the Self Organizing Maps (SOM) method, to profile normal program behavior for anomaly intrusion detection based on computer audit data. The HMM method utilizes the transition property of events while SOM method relies on the frequency property of events. Two data sets, CERT synthetic Sendmail system call data collected in the University of New Mexico (UNM) and Live FTP system call data collected in the CNSIS lab of Xi'an Jiaotong University, were used to assess the two methods. Testing results show that the HMM method using the transition property of events produces good detection performance while high computational expense is required both for training and detection. The HMM method is better than other two methods reported previously in terms of detection accuracy for the same data set. The SOM method considering the frequency property of events, on the other hand, is suitable for real-time intrusion detection because of its capability of processing a large amount of data with low computational overhead.

ZHOU Xing,PENG Qin-ke,WANG Jing-bo

DOI: https://doi.org/10.3969/j.issn.1001-3695.2008.03.076

2008-01-01

Abstract:How to extract sequence patterns of system calls is an important research topic of system call based intrusion detection approaches.This paper proposed a new method to construct variable-length patterns by using the chains of function return addresses information from call stack of the process.Compared with Wang's method,this method could generate a more integrated set of patterns.Then,constructed a two-layer hidden Markov model(HMM) based on variable-length patterns to detect abnormal behaviors.Compared with the traditional HMM method,this method could achieve lower false negatives rate and false positives rate.

Panhong Wang,Liang Shi,Beizhan Wang,Yangbin Liu

DOI: https://doi.org/10.1109/icinfa.2011.5949013

2011-01-01

Abstract:HMM (Hidden Markov Model) is a very important intrusion detection tool. The classical HMM training algorithm is a climbing algorithm. It can only find a local optimal solution. To improve the accuracy of HMM training, this paper introduces a hybrid algorithm into intrusion detection. Experiments show that this algorithm can find a more accurate model.

Lin Guo,Guo Shan,Huang Hao,Cao Tian

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.09.006

2006-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Differing from existed anomaly detection methods which only dealt with the frequencies of system calls or local variation, the paper puts forward a model named DBCPIDS. It took in both dynamic behavior and character patterns of programs. In this model, the authors defined the short sequence of system calls as a character pattern if this sequence satisfied the certain support degree, and propose an improved HMM (IHMM) on this basis. When detecting intrusions, firstly, we would judge whether the program trace is matched character patterns. If not, then the authors would use IHMM to detect. The model can not only reflect the global character of the program normal traces, but also pay much attention to the local warp in the execution. The experiments results show that the authors can get higher detection rate and lower false positive rate with DBCPIDS.

LI HONGWEI,YAN XIAOKE,DENG FEIQI

DOI: https://doi.org/10.3969/j.issn.1008-0570.2007.36.021

2007-01-01

Abstract:In this paper, new conception of emergent level is defined by abnormal pattern in normal- abnormal serials. Hidden Markov Model is induced to detect abnormal pattern. Because computation is large when training and detecting on datum directly, clustering is induced to decrease the dimensions firstly and then HMM algorithm is used to detect the abnormal model. Results show that it is effective.

DY Yeung,YX Ding

DOI: https://doi.org/10.1016/s0031-3203(02)00026-2

IF: 8

2003-01-01

Pattern Recognition

Abstract:Intrusion detection has emerged as an important approach to network security. In this paper, we adopt an anomaly detection approach by detecting possible intrusions based on program or user profiles built from normal usage data. In particular, program profiles based on Unix system calls and user profiles based on Unix shell commands are modeled using two different types of behavioral models for data mining. The dynamic modeling approach is based on hidden Markov models (HMM) and the principle of maximum likelihood, while the static modeling approach is based on event occurrence frequency distributions and the principle of minimum cross entropy. The novelty detection approach is adopted to estimate the model parameters using normal training data only, as opposed to the classification approach which has to use both normal and intrusion data for training. To determine whether or not a certain behavior is similar enough to the normal model and hence should be classified as normal, we use a scheme that can be justified from the perspective of hypothesis testing. Our experimental results show that the dynamic modeling approach is better than the static modeling approach for the system call datasets, while the dynamic modeling approach is worse for the shell command datasets. Moreover, the static modeling approach is similar in performance to instance-based learning reported previously by others for the same shell command database but with much higher computational and storage requirements than our method.

Fanping Zeng,Kaitao Yin,Minghui Chen,Xufa Wang

DOI: https://doi.org/10.1109/ICIS.2009.140

2009-01-01

Abstract:Over the past few years, anomaly detection has been an increasing concern with the rapid growth of the network security. Hidden Markov model (HMM) has been applied in various methods in intrusion detection and proved to be a good tool to model normal behaviors of privileged processes, however, one major problem with this approach is that it demands excessive computing resources and costs a long model training time, which makes it inefficient for practical intrusion detection. This paper presents a new method of bringing rough set reduction into HMM to overcome the shortcoming. The proposed approach classifies and simplifies the long observation sequence by virtue of rough set reduction, and the decision conditions obtained in rough set reduction phase could be used in further detection. The experimental results indicate that this method can promote the model training efficiency. Further-more, it is suitable for anomaly detection with high detect rate and low false alarm rate.

Chun Yang,Feiqi Deng,Haidong Yang

DOI: https://doi.org/10.1109/CHINACOM.2007.4469390

2007-01-01

Abstract:Previous Research in network intrusion detection system (NIDS) has typically used misuse detection or supervised anomaly detection techniques. These techniques have difficulty in detecting new types of attacks or causing high false positives in real network environment. Unsupervised anomaly detection can overcome the drawbacks of misuse detection and supervised anomaly detection. In this paper, normal-anomaly patterns are built over the network traffic dataset that uses subtractive clustering, and at the same time the built Hidden Markov Model (HMM) correlates the observation sequences and state transitions to predict the most probable intrusion state sequences. The proposed unsupervised anomaly detection approach is capable of reducing false positives by classifying intrusion sequences into different emergency levels. The experimental results are also reported using the KDDCup'99 dataset and Matlab.

Shun-Zheng Yu,Ning Li

2006-01-01

Abstract:This paper presents a novel anomaly detection method that is to be used in detecting distributed denial of service (DDoS) attacks on a Web server. The anomaly detection algorithm is based on a hidden semi-Markov model (HSMM) that will issue alarms with high accuracy and detect intrusions with high efficiency. Finally, an experiment is conducted to validate the algorithm.

Yi Xie,Shun-Zheng Yu

DOI: https://doi.org/10.1109/cscwd.2006.253054

2006-01-01

Abstract:It is difficult for the existing anomaly detection methods to distinguish the burst of normal traffic from the anomalous traffic in a large-scale Web site. This paper uses hidden semi-Markov model to describe the browsing behaviors of Web users. An efficient recursive algorithm for this model is presented for the online implementation of model update, which is used to track the Web users' browsing behaviors dynamically. An anomaly detection scheme is proposed for the application of this model. Likelihood of an observation sequence on a user browsing behaviors fitting to the model is used as a measure of normality of the user. Finally, an experiment is conducted to validate our model and algorithms, which is based on a real traffic data and an emulated distributed denial of service attack

谭小彬,王卫平,奚宏生,殷保群

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.12.073

2002-01-01

Abstract:The paper builds a Markov model of system calls sequence on computer system for intrusion detection, and introduces an anomaly detection method for computer systems. It analyses the current system calls sequences by using the knowledge on statistics, then defines a mismatch factor based on transition probabilities to compute the mismatch rate, and judges whether the process is in normal state or not by analyzing the mismatch rate. It also gives an updated algorithm of transition probabilities based on forgetting factor.