Cheng Zhang,Qinke Peng

DOI: https://doi.org/10.1007/11596981_47

2005-01-01

Abstract:Anomaly detection has emerged as an important approach to computer security. In this paper, a new anomaly detection method based on Hidden Markov Models (HMMs) is proposed to detect intrusions. Both system calls and return addresses from the call stack of the program are extracted dynamically to train and test HMMs. The states of the models are associated with the system calls and the observation symbols are associated with the sequences of return addresses from the call stack. Because the states of HMMs are observable, the models can be trained with a simple method which requires less computation time than the classical Baum-Welch method. Experiments show that our method reveals better detection performance than traditional HMMs based approaches.

Jin-zhong HUANG,Miao-liang ZHU,Ye GUO

DOI: https://doi.org/10.3785/j.issn.1008-973X.2006.02.014

2006-01-01

Abstract:Current anomaly detection technique cannot provide any valuable information except simple alarm. To resolve this problem, a new anomaly detection method was proposed. The system call traces are represented as a kind of hierarchy model composed of system call, operation, transition and activity, while the normal program behavior is described using a context-free grammar with semantic labels attached. Some key system calls and their parameters or return values are used to segment and learn normal traces. Experimental results show that this method can effectively detect attacks exploiting vulnerabilities, and can also analyze anomaly scenes and provide much information on anomalous events including intruders' IP addresses.

Wang Zhigang,Qian Xingkun,Wang Dongliang

DOI: https://doi.org/10.3969/j.issn.1009-6833.2006.07.009

2006-01-01

Abstract:First,the research progress of intrusion detection is recalled,then the model of an IDS based on Markov and BW is presented.An example of using system call trace data,which is usually used in intrusion detection,is given to illustrate the performance of this model.Finally.comparison of detection ability between the above detection method and others is given.lt is found that the IDS based on HMM System Call squence has improve the accuracy greatly.

Haojin Zhu

2007-01-01

Abstract:Monitoring program behavior is one of the highlighted research topics of host-based anomaly detection recently.The key is to construct a program behavior-based anomaly detection model.Some existing anomaly detection techniques based on system call sequences are analyzed and discussed in this paper.They are compared from three dimensions: the information extracted from system call,the system call level used in anomaly detection and the information recorded by anomaly detector.Future work in this direction is also presented.

Xiaozhen Zhou,Shanping Li,Zhen Ye

DOI: https://doi.org/10.1155/2013/179390

IF: 1.43

2013-01-01

Mathematical Problems in Engineering

Abstract:Computer systems are becoming extremely complex, while system anomalies dramatically influence the availability and usability of systems. Online anomaly prediction is an important approach to manage imminent anomalies, and the high accuracy relies on precise system monitoring data. However, precise monitoring data is not easily achievable because of widespread noise. In this paper, we present a method which integrates an improved Evidential Markov model and ensemble classification to predict anomaly for systems with noise. Traditional Markov models use explicit state boundaries to build the Markov chain and then make prediction of different measurement metrics. A Problem arises when data comes with noise because even slight oscillation around the true value will lead to very different predictions. Evidential Markov chain method is able to deal with noisy data but is not suitable in complex data stream scenario. The Belief Markov chain that we propose has extended Evidential Markov chain and can cope with noisy data stream. This study further applies ensemble classification to identify system anomaly based on the predicted metrics. Extensive experiments on anomaly data collected from 66 metrics in PlanetLab have confirmed that our approach can achieve high prediction accuracy and time efficiency.

Panhong Wang,Liang Shi,Beizhan Wang,Yuanqin Wu,Yangbin Liu

DOI: https://doi.org/10.1109/iccse.2010.5593839

2010-01-01

Abstract:Intrusion detection based on System calls is a very important domain of anomaly detection, this paper firstly introduces the basic idea of Hidden Markov Model (HMM) based intrusion detection, and then expounds its current development with comparisons about the merits and shortcomings to the current mainstream technologies, by the way, presenting some further discussions upon the future direction of the HMM-based intrusion detection.

XU Ming,DING Hong,CHEN Chun

DOI: https://doi.org/10.3785/j.issn.1008-973x.2005.02.008

2005-01-01

Abstract:In order to exactly and rapidly detect anomaly, a detection model that can exactly depict the profiles of normal process actions was proposed. The consistently repeated system call sequences in normal process traces were regarded as macros, then a Markov chains anomaly detection model based on system call macros was constructed. Conclusions were drawn by comparing the performance metrics of Macro MCM (Markov chains model) with the first-order MCM and second-order MCM based on system call. The comparison shows that in detection performance (hit rates and false alarm rates), Macro MCM is better than the other two models; in needed memory capability, Macro MCM is more than the first-order MCM, but less than the second-order MCM; in computing speed, the training speed of Macro MCM is the slowest among three models, but its detection speed is the highest.

Ling DONG,Hongli ZHANG,Lin YE

DOI: https://doi.org/10.3969/j.issn.2095-2163.2014.04.004

2014-01-01

Abstract:System calls are the interface between operating system and user programs.Execution of each program must use some system calls.In recent years,network security incidents occur frequently,intrusion detection method based on the system call sequence analysis has become one of the hot network security technology researches.This paper presents a multi-layer model of program behaviours based on both hidden Markov models and enumerating methods,which differs from the conventional single layer approach.On experimental data provided by the University of New Mexico,experimental results have shown that the model is better in detecting anomalous behaviour of programs in terms of accuracy and response time, which indicates that this method is suitable for online host -based intrusion detection systems.

XIAN Ming,ZHANG Yi-Rong,XIAO Shun-Ping,WANG Guo-Yu

2006-01-01

Computer Science

Abstract:An anomaly detection technique of system call sequence based on rough set reduction is presented in this paper. Its fundamental idea is that rough set reduction is utilized to predict the kth position of process system call trail, i. e., the kth position is viewed as the decision attribute and the previous(k-1)positions are viewed as conditional attributes. The method of rough set reduction gives a set of minimal rules of predicting the kth system call position, thus it can apply to anomaly detection. The experiments based on synthetical sendmail system call sequences from UNM show that the proposed anomaly detection algorithm in the paper is superior to tide and comparable to the data mining algorithm of Wenke Lee, et al. in detection precision, moreover, achieves a lower negative positive rate when selecting a slightly large threshold.

徐明,陈纯,应晶

2004-01-01

Journal of Software

Abstract:The aim of this paper is to create a new anomaly detection model based on rules. A detailed classification of the LINUX system calls according to their function and level of threat is presented. The detection model only aims at critical calls (I.e. The threat level 1 calls). In the learning process, the etection model dynamically processes every critical call, but does not use data mining or statistics from static data. Therefore, the increment learning could be implemented. Based on some simple predefined rules and refining, the number of rules in the rule database could be reduced dramatically, so that the rule match time can be reduced effectively during detection processing. The experimental results clearly demonstrate that the detection model can effectively detect R2L, R2R and L2R attacks. Moreover the detected anomaly is limited in the corresponding requests, but not in the entire trace. The detection model is fit for the privileged processes, especially for those based on request-responses.

Lin Guo,Guo Shan,Huang Hao,Cao Tian

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.09.006

2006-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Differing from existed anomaly detection methods which only dealt with the frequencies of system calls or local variation, the paper puts forward a model named DBCPIDS. It took in both dynamic behavior and character patterns of programs. In this model, the authors defined the short sequence of system calls as a character pattern if this sequence satisfied the certain support degree, and propose an improved HMM (IHMM) on this basis. When detecting intrusions, firstly, we would judge whether the program trace is matched character patterns. If not, then the authors would use IHMM to detect. The model can not only reflect the global character of the program normal traces, but also pay much attention to the local warp in the execution. The experiments results show that the authors can get higher detection rate and lower false positive rate with DBCPIDS.

Zhenghua Xu,Xinghuo Yu,Yong Feng,Jiankun Hu,Zahir Tari,Fengling Han

DOI: https://doi.org/10.1109/iciea.2013.6566581

2013-01-01

Abstract:Due to the rapid and continuous increase of network intrusion, the need of protecting our systems becomes more and more compelling. In many situations, there exists a weak anomaly signal detection problem: due to the little number of anomalous system calls, the anomalous patterns of some intrusions may not be enough to distinguish themselves from normal activities so the existing anomaly detection systems can not detect this kind of sequences accurately. Motivated by this, we propose a multi-module anomaly detection scheme to solve this problem through utilizing system call prediction to enlarge the patterns of weak anomaly signal sequences and make them more distinguishable. Besides this, a variation of the Viterbi algorithm (called VV algorithm) is developed to predict the most probable future system calls more efficiently and a Markov-based intrusion detection method is adopted for the pattern value calculation and anomaly detection. The results of our experimental study conclude the followings: (i) the proposed scheme can greatly improve the intrusion detection accuracy of this Markov-based intrusion detection method in terms of hit rates under small false alarm rate bounds; (ii) the performance of the proposed scheme depends on the prediction accuracy of the adopted prediction technique; (iii) the developed VV algorithm is exponentially more efficient than a baseline method.

AN Jing-qi,LIU Gui-Quan,QIAN Quan

2005-01-01

Abstract:An algorithm was given to making a kind of HMM(Hidden Markov Model) for anomaly detection. The application in anomaly detetction of the model was introduced from analyzing on support of sequence and sequence prediction.Factions which inflect results and efficiency were discussed by the experiments. And the experiments also show that the method can detect intrusion without any security knowledge.

ZM Cai,XH Guan,P Shao,QK Peng,GJ Sun

DOI: https://doi.org/10.1111/1468-0394.00249

IF: 3.3

2003-01-01

Expert Systems

Abstract:Abstract: Intrusion detection is important in the defense‐in‐depth network security framework. This paper presents an effective method for anomaly intrusion detection with low overhead and high efficiency. The method is based on rough set theory to extract a set of detection rules with a minimal size as the normal behavior model from the system call sequences generated during the normal execution of a process. It is capable of detecting the abnormal operating status of a process and thus reporting a possible intrusion. Compared with other methods, the method requires a smaller size of training data set and less effort to collect training data and is more suitable for real‐time detection. Empirical results show that the method is promising in terms of detection accuracy, required training data set and efficiency.

Zhenghua Xu,Xinghuo Yu,Zahir Tari,Fengling Han,Yong Feng,Jiankun Hu

DOI: https://doi.org/10.1109/cisp.2013.6743958

2013-01-01

Abstract:Due to the rapid and continuous development of computer networks, more and more intrusion detection techniques are proposed to protect our systems. However, there is a weak anomaly detection problem among the existing system call based intrusion detection systems: the pattern value range of abnormal system call sequences generated by attacks always overlaps to that by normal behaviors so it is difficult to accurately classify the sequences falling into the overlap area by a unique threshold. Instead of using fuzzy inference, we innovatively solve this problem by proposing a top-k prediction based multi-module (abbreviated as TkPMM) anomaly detection system to enlarge patterns of sequences falling into the overlap area and make them more classifiable. We further develop a scalable linear algorithm called top-k variation of the Viterbi algorithm (called TkVV algorithm) to efficiently predict the top-k most probable future system call sequences. Extensive experimental studies show that TkPMM greatly enhances the intrusion detection accuracy of the existing intrusion detection system by up to 25% in terms of hit rates under small false alarm rate bounds and the complexity of our TkVV algorithm is exponential better than that of the baseline method.

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.11.012

2011-01-01

Computer Science

Abstract:This paper presented a novel method for anomaly detection of user behavior based on the discrete-time Mar-kov chain model,which is applicable to intrusion detection systems using shell commands as audit data.In the training period,the uncertainty of the user's behavior and the relevance of the operation of shell commands in short time were fully considered.This method takes the sequences of shell commands as the basic processing units.It merges the sequences into sets in terms of their ordered frequencies and then constructs states of the Markov chain on the merged results.Therefore this method increases the accuracy of describing the normal behavior profile and the adaptability to the variations of the user's behavior and sharply reduces the number of states and the required storage space.In the detection stage,considering the real-time performance and the accuracy requirement of the detection system,it analyzes the anomaly degree of the user's behavior by computing the occurrence probabilities of the state sequences,and then provides two schemes,based on the probability stream filtered with single window or multi-windows,to classify the user's behavior.The results of our experiments show that this method can achieve higher detection performance and practicability than others.

Yang Shi,Maoran Xu,Rongwen Zhao,Hao Fu,Tongshuang Wu,Nan Cao

DOI: https://doi.org/10.1109/THMS.2019.2925195

2019-01-01

IEEE Transactions on Human-Machine Systems

Abstract:Automatic anomaly detection techniques have been extensively used to support decision making in abnormal situations. However, existing approaches are limited in their capacity of effectively identifying anomalies due to the complexity of the real-world environment, the uncertainty of the data input, and the unavailability of ground truth. In this paper, we propose an interactive context-aware anomaly detection algorithm framework that incorporates human judgment in searching for anomalous regions within a large geographic environment. In specific, our framework, 1) estimates a focal region and detect anomalous situations in real time, through which the user can observe and analyze suspicious entities, 2) leverages user feedback to refine results and guide further analysis, and 3) tolerates potential fault feedback provided by the users and resignal dubious anomalous points. Based on the framework, we propose two algorithm implementations, respectively, employ Bayes’ theorem and metric learning. We demonstrate the effectiveness of the proposed framework and corresponding implementations through two controlled user studies and a case study with a domain expert.

Bo Gao,Huiye Ma,Yuhang Yang

DOI: https://doi.org/10.1109/ICMLC.2002.1176779

2002-01-01

Abstract:In this paper we discuss our research in developing anomaly detecting method for intrusion detection. The key idea is to use HMMs (Hidden Markov models) to learn the (normal and abnormal) patterns of Unix processes. These patterns can be used to detect anomalies and known intrusion. Using experiments on the mail-sending system call data, we demonstrate that we can construct concise and accurate classifiers to detect intrusion action.

ZHANG Cheng,PENG Qinke

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.07.050

2007-01-01

Abstract:A novel method is proposed to construct variable-length patterns by using dynamically extracting information from call stack of the process.This method uses the chains of function return addresses to derive a table of variable-length patterns,and reduces the pattern set based on the structure of functions of the process.Then a Markov chain model is constructed based on variable-length patterns to detect abnormal behaviors.The experimental results indicate that compared with the traditional variable-length pattern based method and the first-order Markov chain model method,the proposed method can achieve higher hit rates and lower false alarm rates.