Abstract
Anomaly detection systems are developed by learning a baseline-model from a set of events captured from a computer system operating under normal conditions. The model is then used to recognize unusual activities as deviations from normality. Hidden Markov models (HMMs) are powerful probabilistic finite state machines that have been used to acquire these baseline-models. Although previous research has indicated that HMMs can effectively represent complex sequences, the traditional learning algorithm for HMMs is too computationally expensive for use with real-world anomaly detection systems. This paper describes the use of a novel incremental learning algorithm for HMMs that allows the efficient acquisition of anomaly detection models. The new learning algorithm requires less memory and training time than previous approaches for learning discrete HMMs and can be used to perform online learning of accurate baseline-models from complex computer applications to support anomaly detection.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Warrender, C., Forrest, S., Pearlmutter, B.A.: Detecting intrusions using system calls: Alternative data models. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 133–145 (1999)
Florez, G., Liu, Z., Bridges, S., Skjellum, A., Vaughn, R.: Lightweight monitoring of MPI programs in real-time. To Appear in Concurrency and Computation: Practice and Experience (2005)
Lane, T.: Hidden Markov Models for human/computer interface modeling. In: Proceedings of the, IJCAI Workshop on Learning About Users, pp. 35–44 (1999)
Barbara, D., Goel, R., Jajodia, S.: Mining malicious data corruption with Hidden Markov Models. In: Proceedings of the 16th Annual IFIP Working Conference on Data and Application Security, Cambridge, England (2002)
Forrest, S., Longstaff, T.A.: A sense of self for UNIX processes. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy, Los Alamitos, CA, pp. 120–128. IEEE Computer Society Press, Los Alamitos (1996)
Tan, K., Maxion, R.: Determining the operational limits of an anomaly-based intrusion detector. IEEE Journal on Selected Areas in Communications, Special Issue on Design and Analysis Techniques for Security Assurance 21, 96–110 (2003)
Siraj, A., Bridges, S., Vaughn, R.: Fuzzy cognitive maps for decision support in an intelligent intrusion detection system. In: International Fuzzy Systems Association/ North American Fuzzy Information Processing Society (IFSA/NAFIPS) Conference on Soft Computing, Vancouver, Canada (2001)
Florez, G., Liu, Z., Bridges, S., Vaughn, R.: Integrating intelligent anomaly detection agents into distributed monitoring systems. Journal of Network and Computer Applications (2005) (to appear)
Rabiner, L.: A tutorial on Hidden Markov Models and selected applications in speech recognition. Proceedings of the IEEE 77(2), 257–286 (1989)
MacDonald, I., Zucchini, W.: Hidden Markov and Other Models for Discrete-valued Time Series. Monographs on Statistics and Applied Probability. Chapman and HALL/CRC (1997)
Lane, T.: Machine Learning Techniques for the Computer Security Domain of Anomaly Detection. PhD thesis, Purdue University (2000)
Kettnaker, V.M.: Time-dependent HMMs for visual intrusion detection. In: Proceedings of the 2003 Conference on Computer Vision and Pattern Recognition Workshop, Madison, Wisconsin (2003)
Stenger, B., Ramesh, V., Paragios, N., Coetzee, F., Buhmann, J.M.: Topology free Hidden Markov Models: Application to background modeling. In: Proceedings of the International Conference on Computer Vision, Vancouver, Canada, pp. 297–301 (2001)
Florez-Larrahondo, G., Bridges, S., Hansen, E.A.: Incremental estimation of discrete hidden markov models based on a new backward procedure. In: 20th National Conference on Artificial Intelligence (AAAI 2005), Pittsburgh, Pennsylvania (2005) (to appear)
Cunningham, R., Lippmann, R.P., Fried, D.J., Garfikle, S.L.: Evaluating intrusion detection systems without attacking your friends: The 1998 darpa intrusion detection evaluation. Network Intrusion Detection (1999)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Florez-Larrahondo, G., Bridges, S.M., Vaughn, R. (2005). Efficient Modeling of Discrete Events for Anomaly Detection Using Hidden Markov Models. In: Zhou, J., Lopez, J., Deng, R.H., Bao, F. (eds) Information Security. ISC 2005. Lecture Notes in Computer Science, vol 3650. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11556992_38
Download citation
DOI: https://doi.org/10.1007/11556992_38
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29001-8
Online ISBN: 978-3-540-31930-6
eBook Packages: Computer ScienceComputer Science (R0)