XU Ming,CHEN Chun,YING Jing

DOI: https://doi.org/10.1360/jos160276

2005-01-01

Journal of Software

Abstract:On the basis of the current single layer Markov chain anomaly detection model, this paper proposes a new two-layer model. Two distinctly different processes, the different requests and the system call sequence in the same request section, are classified as two layers and dealt with by different Markov chains respectively. The two-layer frame can depict the dynamic activity of the protected process more exactly than the single layer frame, so that the two-layer detection model can promote the detection rate and degrade the false alarm rate. Furthermore, the detected anomaly will be limited in the corresponding request sections where anomaly happens. The new detection model is suitable for privileged processes, especially for those based on request-response.

谭小彬,王卫平,奚宏生,殷保群

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.12.073

2002-01-01

Abstract:The paper builds a Markov model of system calls sequence on computer system for intrusion detection, and introduces an anomaly detection method for computer systems. It analyses the current system calls sequences by using the knowledge on statistics, then defines a mismatch factor based on transition probabilities to compute the mismatch rate, and judges whether the process is in normal state or not by analyzing the mismatch rate. It also gives an updated algorithm of transition probabilities based on forgetting factor.

ZHANG Cheng,PENG Qinke

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.07.050

2007-01-01

Abstract:A novel method is proposed to construct variable-length patterns by using dynamically extracting information from call stack of the process.This method uses the chains of function return addresses to derive a table of variable-length patterns,and reduces the pattern set based on the structure of functions of the process.Then a Markov chain model is constructed based on variable-length patterns to detect abnormal behaviors.The experimental results indicate that compared with the traditional variable-length pattern based method and the first-order Markov chain model method,the proposed method can achieve higher hit rates and lower false alarm rates.

Cheng Zhang,Qinke Peng

DOI: https://doi.org/10.1007/11596981_47

2005-01-01

Abstract:Anomaly detection has emerged as an important approach to computer security. In this paper, a new anomaly detection method based on Hidden Markov Models (HMMs) is proposed to detect intrusions. Both system calls and return addresses from the call stack of the program are extracted dynamically to train and test HMMs. The states of the models are associated with the system calls and the observation symbols are associated with the sequences of return addresses from the call stack. Because the states of HMMs are observable, the models can be trained with a simple method which requires less computation time than the classical Baum-Welch method. Experiments show that our method reveals better detection performance than traditional HMMs based approaches.

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.11.012

2011-01-01

Computer Science

Abstract:This paper presented a novel method for anomaly detection of user behavior based on the discrete-time Mar-kov chain model,which is applicable to intrusion detection systems using shell commands as audit data.In the training period,the uncertainty of the user's behavior and the relevance of the operation of shell commands in short time were fully considered.This method takes the sequences of shell commands as the basic processing units.It merges the sequences into sets in terms of their ordered frequencies and then constructs states of the Markov chain on the merged results.Therefore this method increases the accuracy of describing the normal behavior profile and the adaptability to the variations of the user's behavior and sharply reduces the number of states and the required storage space.In the detection stage,considering the real-time performance and the accuracy requirement of the detection system,it analyzes the anomaly degree of the user's behavior by computing the occurrence probabilities of the state sequences,and then provides two schemes,based on the probability stream filtered with single window or multi-windows,to classify the user's behavior.The results of our experiments show that this method can achieve higher detection performance and practicability than others.

Wang Zhigang,Qian Xingkun,Wang Dongliang

DOI: https://doi.org/10.3969/j.issn.1009-6833.2006.07.009

2006-01-01

Abstract:First,the research progress of intrusion detection is recalled,then the model of an IDS based on Markov and BW is presented.An example of using system call trace data,which is usually used in intrusion detection,is given to illustrate the performance of this model.Finally.comparison of detection ability between the above detection method and others is given.lt is found that the IDS based on HMM System Call squence has improve the accuracy greatly.

ZHOU Xing,PENG Qin-ke,WANG Jing-bo

DOI: https://doi.org/10.3969/j.issn.1001-3695.2008.03.076

2008-01-01

Abstract:How to extract sequence patterns of system calls is an important research topic of system call based intrusion detection approaches.This paper proposed a new method to construct variable-length patterns by using the chains of function return addresses information from call stack of the process.Compared with Wang's method,this method could generate a more integrated set of patterns.Then,constructed a two-layer hidden Markov model(HMM) based on variable-length patterns to detect abnormal behaviors.Compared with the traditional HMM method,this method could achieve lower false negatives rate and false positives rate.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Xi Xiao,Zhenlong Wang,Qing Li,Shutao Xia,Yong Jiang

DOI: https://doi.org/10.1049/iet-ifs.2015.0211

2016-01-01

IET Information Security

Abstract:Android has become the most prevalent mobile system, but in the meanwhile malware on this platform is widespread. System call sequences are studied to detect malware. However, malware detection with these approaches relies on common system-call-subsequences. It is not so efficient because it is difficult to decide the appropriate length of the common subsequences. To address this issue, the authors propose a new approach, back-propagation neural network on Markov chains from system call sequences (BMSCS). It treats one system call sequence as a homogeneous stationary Markov chain and applies back-propagation neural network (BPNN) to detect malware by comparing transition probabilities in the chain. Since transition probabilities from one system call to another in malware are significantly different from those in benign applications, BMSCS can efficiently detect malware by capturing the anomaly in state transitions with the help of BPNN. The authors evaluate the performance of BMSCS by experiments with real application samples. The experiment results show that the F-score of BMSCS achieves up to 0.982773, which is higher than the other methods in the literature.

Genghong Lu,Dongqin Feng,Biao Huang

DOI: https://doi.org/10.1002/acs.3163

IF: 3.369

2020-01-01

International Journal of Adaptive Control and Signal Processing

Abstract:SummaryThe problem of robust attack detection and prediction for networked control systems in the presence of outliers is discussed in this article. The conventional hidden Markov model (HMM) is trained to learn the system behavior (ie, transitions between different operating modes) in the nominal process. The HMM with time‐varying transition probabilities is used to track the attack behavior in which the adversary triggers more hazard modes to hasten fatigue of control devices by injecting attack signals with random magnitude and frequency. For different operating modes, the observations are assumed to follow different multivariate Student's t distributions instead of Gaussian distributions and thus address the robust estimation problem. The expectation maximization algorithm is used to estimate parameters. Finally, simulations are conducted to verify the effectiveness of the proposed method.

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.

DY Yeung,YX Ding

DOI: https://doi.org/10.1016/s0031-3203(02)00026-2

IF: 8

2003-01-01

Pattern Recognition

Abstract:Intrusion detection has emerged as an important approach to network security. In this paper, we adopt an anomaly detection approach by detecting possible intrusions based on program or user profiles built from normal usage data. In particular, program profiles based on Unix system calls and user profiles based on Unix shell commands are modeled using two different types of behavioral models for data mining. The dynamic modeling approach is based on hidden Markov models (HMM) and the principle of maximum likelihood, while the static modeling approach is based on event occurrence frequency distributions and the principle of minimum cross entropy. The novelty detection approach is adopted to estimate the model parameters using normal training data only, as opposed to the classification approach which has to use both normal and intrusion data for training. To determine whether or not a certain behavior is similar enough to the normal model and hence should be classified as normal, we use a scheme that can be justified from the perspective of hypothesis testing. Our experimental results show that the dynamic modeling approach is better than the static modeling approach for the system call datasets, while the dynamic modeling approach is worse for the shell command datasets. Moreover, the static modeling approach is similar in performance to instance-based learning reported previously by others for the same shell command database but with much higher computational and storage requirements than our method.

Lin Guo,Guo Shan,Huang Hao,Cao Tian

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.09.006

2006-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Differing from existed anomaly detection methods which only dealt with the frequencies of system calls or local variation, the paper puts forward a model named DBCPIDS. It took in both dynamic behavior and character patterns of programs. In this model, the authors defined the short sequence of system calls as a character pattern if this sequence satisfied the certain support degree, and propose an improved HMM (IHMM) on this basis. When detecting intrusions, firstly, we would judge whether the program trace is matched character patterns. If not, then the authors would use IHMM to detect. The model can not only reflect the global character of the program normal traces, but also pay much attention to the local warp in the execution. The experiments results show that the authors can get higher detection rate and lower false positive rate with DBCPIDS.

Zhenghua Xu,Xinghuo Yu,Yong Feng,Jiankun Hu,Zahir Tari,Fengling Han

DOI: https://doi.org/10.1109/iciea.2013.6566581

2013-01-01

Abstract:Due to the rapid and continuous increase of network intrusion, the need of protecting our systems becomes more and more compelling. In many situations, there exists a weak anomaly signal detection problem: due to the little number of anomalous system calls, the anomalous patterns of some intrusions may not be enough to distinguish themselves from normal activities so the existing anomaly detection systems can not detect this kind of sequences accurately. Motivated by this, we propose a multi-module anomaly detection scheme to solve this problem through utilizing system call prediction to enlarge the patterns of weak anomaly signal sequences and make them more distinguishable. Besides this, a variation of the Viterbi algorithm (called VV algorithm) is developed to predict the most probable future system calls more efficiently and a Markov-based intrusion detection method is adopted for the pattern value calculation and anomaly detection. The results of our experimental study conclude the followings: (i) the proposed scheme can greatly improve the intrusion detection accuracy of this Markov-based intrusion detection method in terms of hit rates under small false alarm rate bounds; (ii) the performance of the proposed scheme depends on the prediction accuracy of the adopted prediction technique; (iii) the developed VV algorithm is exponentially more efficient than a baseline method.

Xi XIAO,Shu-tao XIA,Xin-guang TIAN,Qi-bin ZHAI

DOI: https://doi.org/10.1016/s1005-8885(10)60128-8

2011-01-01

The Journal of China Universities of Posts and Telecommunications

Abstract:In anomaly detection, a challenge is how to model a user's dynamic behavior. Many previous works represent the user behavior based on fixed-length models. To overcome their shortcoming, we propose a novel method based on discrete-time Markov chains (DTMC) with states of variable-length sequences. The method firstly generates multiple shell command streams of different lengths and combines them into the library of general sequences. Then the states are defined according to variable-length behavioral patterns of a valid user, which improves the precision and adaptability of user profiling. Subsequently the transition probability matrix is created. In order to reduce computational complexity, the classification values are determined only by the transition probabilities, then smoothed with sliding windows, and finally used to discriminate between normal and abnormal behavior. Two empirical evaluations on datasets from Purdue University and AT&T Shannon Lab show that the proposed method can achieve higher detection accuracy and require less memory than the other traditional methods.

Guojun Mao,Jing Zhang,Xindong Wu

DOI: https://doi.org/10.1109/wcica.2008.4593135

2008-01-01

Abstract:Computer intrusions are taking place everywhere, and have become a major concern for information security. Most intrusions to a computer system may result from illegitimate or irregular calls to the operating system, so analyzing the system-call sequences becomes an important and fundamental technique to detect potential intrusions. In this paper, we propose two algorithms, based on frequency patterns (FP) and tree patterns (TP) for intrusion detection respectively. FP employs a typical method of sequential mining based on frequency analysis, and uses a short sequence model to quickly find out frequent sequential patterns in the training system-call sequences. TP makes use of the technique of tree pattern mining, and can get a quality profile from the training system-call sequences of a given system. Experimental results show that FP has good performances in training and detecting intrusions from short system-call sequences, and TP can achieve a high detection precision in handling long sequences.

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan,YE Run-guo

2011-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Masquerade attacks are attempts by unauthorized users to gain access to confidential data or greater access privileges,while pretending to be legitimate users.This paper proposes a novel method to distinguish legitimate users from masqueraders.The uncertainty of the user′s behavior and the relevance of the operation of shell commands are thoroughly considered.The method constructs specific highorder homogeneous Markov chain models to represent the normal behavior profiles of valid users.It defines the states by twofold hierarchical merging shell commands.Therefore this method increases the accuracy of describing the normal behavior profiles,improves the generalization of the detection system and sharply reduces the storage space.In the detection period,taking the real-time performance into account,it computes the categorical boolean variables only using the transition probabilities,which has little computation workload,and then smoothes them to get the decision values used to determine whether the monitored user′s behavior is normal or anomalous.Its performance is tested in computer simulation,showing higher detection accuracy and fewer computation costs than related methods′.The proposed method is especially suitable for on-line detection.

Wei Ma,Yunyun Hou,Mingyu Jin,Pengpeng Jian

DOI: https://doi.org/10.1371/journal.pone.0300821

IF: 3.7

2024-03-26

PLoS ONE

Abstract:Multi-stage attacks are one of the most critical security threats in the current cyberspace. To accurately identify multi-stage attacks, this paper proposes an anomaly-based multi-stage attack detection method. It constructs a Multi-Stage Profile (MSP) by modeling the stable system's normal state to detect attack behaviors. Initially, the method employs Doc2Vec to vectorize alert messages generated by the intrusion detection systems (IDS), extracting profound inter-message correlations. Subsequently, Hidden Markov Models (HMM) are employed to model the normal system state, constructing an MSP, with relevant HMM parameters dynamically acquired via clustering algorithms. Finally, the detection of attacks is achieved by determining the anomaly threshold through the generation probability (GP). To evaluate the performance of the proposed method, experiments were conducted using three public datasets and compared with three advanced multi-stage attack detection methods. The experimental results demonstrate that our method achieves an accuracy of over 99% and precision of 100% in multi-stage attack detection. This confirms the effectiveness of our method in adapting to different attack scenarios and ultimately completing attack detection.

multidisciplinary sciences

Xiaobin Tan,Hongsheng Xi

DOI: https://doi.org/10.1016/j.amc.2008.05.028

IF: 4.397

2008-01-01

Applied Mathematics and Computation

Abstract:In this paper, hidden semi-Markov model (HSMM) is introduced into intrusion detection. Hidden Markov model (HMM) has been applied in intrusion detection systems several years, but it has a major weakness: the inherent duration probability density of a state in HMM is exponential, which may be inappropriate for the modeling of audit data of computer systems. We can handle this problem well by developing an HSMM for perfect normal processes of computer systems. Based on this HSMM, an algorithm of anomaly detection is presented in this paper, which computes the distance between the processes monitored by intrusion detection system and the perfect normal processes. In this algorithm, we use the average information entropy (AIE) of fixed-length observed sequence as the anomaly detection metric based on maximum entropy principle (MEP). To improve accuracy, the segmental K-means algorithm is applied as training algorithm for the HSMM. By comparing the accurate rate with the experimental results of previous research, it shows that our method can perform a more accurate detection.