
Improvement of Protocol Anomaly Detection Based on Markov Chain and Its Application

  • Conference paper
Parallel and Distributed Processing and Applications - ISPA 2005 Workshops (ISPA 2005)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 3759)

Abstract

Many network attacks come from abusing network protocols, and several new attacks violate the protocol standards outright. Kumar Das first presented the concept of protocol anomaly detection. The idea is not new, but it is interesting: it aims to set up models of the proper use of protocols, and any behavior that departs from those models is regarded as intrusive or suspicious. In this paper, we make some improvements that address the shortcomings of the stochastic protocol model based on Markov Chain presented by Juan M. Estevez-Tapiador and colleagues, and we evaluate the result. Some necessary states are added to the protocol model, and the initial and transition probabilities are made more precise. Furthermore, we propose combining the Chi-Square Distance with the Markov Chain method to detect protocol anomalies. The experimental results show that the SYN Flooding attack can be detected efficiently by the new approach.

This paper is supported by the National Natural Science Foundation of China under Grant No.60273070, the Sci & Tech. Project of Hunan under Grant No. 04GK3022.
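As an added illustration of the abstract's approach (not the paper's own code or data), the block below trains a Markov chain over TCP connection states on constructed normal sessions and scores a window of sessions by the chi-square distance between its observed transition counts and the counts the model expects; the state set, the smoothing constant and the threshold are assumptions. A window dominated by half-open handshakes, the footprint of a SYN flood, pushes the SYN_ACK->TIMEOUT cell far above expectation and the distance into the hundreds, while a normal window scores in the single digits.

```python
# Added example (not the paper's code): Markov chain over TCP connection
# states, scored by chi-square distance between a window's observed
# transition counts and the counts expected under the trained model.
from collections import Counter, defaultdict

STATES = ("START", "SYN", "SYN_ACK", "ACK", "DATA", "FIN", "TIMEOUT")

def transition_counts(sessions):
    """Count a->b state transitions, prefixing each session with START."""
    counts = defaultdict(Counter)
    for session in sessions:
        seq = ("START",) + tuple(session)
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return counts

def train_model(sessions, alpha=0.5):
    """Row-normalised transition probabilities with additive smoothing,
    so unseen transitions keep a small nonzero probability (no zero division)."""
    counts = transition_counts(sessions)
    model = {}
    for a in STATES:
        total = sum(counts[a].values()) + alpha * len(STATES)
        model[a] = {b: (counts[a][b] + alpha) / total for b in STATES}
    return model

def chi_square_distance(model, window):
    """Sum over state rows of (observed - expected)^2 / expected."""
    observed = transition_counts(window)
    distance = 0.0
    for a in STATES:
        n = sum(observed[a].values())  # transitions leaving state a
        for b in STATES if n else ():  # rows with no observations contribute 0
            expected = n * model[a][b]
            distance += (observed[a][b] - expected) ** 2 / expected
    return distance

def is_anomalous(model, window, threshold):
    return chi_square_distance(model, window) > threshold

# Constructed traces (not real captures): complete handshakes plus a few
# legitimate timeouts for training; a flood window is mostly half-open.
FULL = ("SYN", "SYN_ACK", "ACK", "DATA", "DATA", "FIN")
SHORT = ("SYN", "SYN_ACK", "ACK", "DATA", "FIN")
HALF_OPEN = ("SYN", "SYN_ACK", "TIMEOUT")
MODEL = train_model([FULL] * 30 + [SHORT] * 10 + [HALF_OPEN] * 2)
NORMAL_WINDOW = [FULL] * 5 + [SHORT] * 5
FLOOD_WINDOW = [HALF_OPEN] * 20 + [SHORT] * 2
THRESHOLD = 20.0  # assumption: in practice set from normal-window distances
```

Calling `chi_square_distance(MODEL, window)` on the two windows gives roughly 4.5 for NORMAL_WINDOW and roughly 310 for FLOOD_WINDOW, so `is_anomalous` flags only the flood.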


References

  1. Levitt, K.: Intrusion Detection: Current Capabilities and Future Directions. In: Proc. of 18th Annual Computer Security Applications Conference, pp. 365–370 (2002)
  2. Das, K.: Protocol Anomaly Detection for Network-based Intrusion Detection (1-16-2004), http://www.sans.org/rr/whitepapers/detection/349.php
  3. Postel, J.: Transmission Control Protocol. RFC 793 (September 1981), http://www.faqs.org/rfcs/rfc793.html
  4. Estevez-Tapiador, J.M., Garcia-Teodoro, P., Diaz-Verdejo, J.E.: Stochastic Protocol Modeling for Anomaly Based Network Intrusion Detection. In: Proc. of the First IEEE International Workshop on Information Assurance (IWIA 2003), pp. 3–12 (2003)
  5. Lemonnier, E.: Protocol Anomaly Detection in Network-based IDSs (June 2001), http://erwan.lemonnier.free.fr/exjobb/report/protocol_anomaly_detection.pdf
  6. Joglekar, S.P., Tate, S.R.: ProtoMon: Embedded Monitors for Cryptographic Protocol Intrusion Detection and Prevention. In: Proc. of the International Conference on Information Technology: Coding and Computing (ITCC 2004), pp. 81–86 (2004)
  7. MIT Lincoln Laboratory: Intrusion detection evaluation (04-01-2003), http://www.ll.mit.edu/IST/ideval
  8. Li, N., Qin, Z., Zhang, D.-F., et al.: Protocol Anomaly Detection Model Based on Markov Chain. Computer Science 31(10), 66–68 (2004)
  9. Zhao, S., Deng, W.: The analysis of stochastic signal, 1st edn., pp. 153–159 (1999)
  10. Gao, B., Ma, H.Y., Yang, Y.H.: HMMs (Hidden Markov Chain Models) Based Anomaly Intrusion Detection Method. In: Proc. of the First Conference on Machine Learning and Cybernetics, Beijing, pp. 381–385 (2002)
  11. Gao, F., Sun, J., Wei, Z.: The Prediction Role of Hidden Markov Model in Intrusion Detection. In: Proc. of the First International Conference on Machine Learning and Cybernetics, Beijing, pp. 381–385 (2002)
  12. Jha, S., Tan, K., Maxion, R.A.: Markov Chains, Classifiers, and Intrusion Detection. In: Proc. of the 14th IEEE Workshop on Computer Security Foundations, pp. 206–219 (2001)
  13. Tan, X., Wang, W., Xi, H., et al.: The system call sequence models based on Markov Chain and the application in anomaly detection. Engineering of Computer 28(12), 189–191 (2002)
  14. Ye, N., Zhang, Y., Borror, C.M.: Robustness of the Markov chain model for cyber attack detection. IEEE Transactions on Reliability 52(3), 116–123 (2003)
  15. TCPDUMP public repository: TCPDUMP (6-12-2004), http://www.tcpdump.org/
  16. Ye, N., Chen, Q., Borror, C.M.: EWMA Forecast of Normal System Activity for Computer Intrusion Detection. IEEE Transactions on Reliability 53(4), 557–566 (2004)
  17. Wang, H., Zhang, D., Shin, K.G.: Detecting SYN Flooding Attacks. In: Proc. of IEEE INFOCOM, pp. 1530–1539 (2002)
  18. Siris, V., Papagalou, F.: Application of Anomaly Detection Algorithms for Detecting SYN Flooding Attacks. In: Proc. of IEEE Global Telecommunications Conference, pp. 14–20 (2004)
  19. Li, N.: The research of Protocol Anomaly Detection Based on Markov Chain. Master thesis, Hunan University (2005)


Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Qin, Z., Li, N., Zhang, Df., Bian, NZ. (2005). Improvement of Protocol Anomaly Detection Based on Markov Chain and Its Application. In: Chen, G., Pan, Y., Guo, M., Lu, J. (eds) Parallel and Distributed Processing and Applications - ISPA 2005 Workshops. ISPA 2005. Lecture Notes in Computer Science, vol 3759. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11576259_43


  • DOI: https://doi.org/10.1007/11576259_43

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-29770-3

  • Online ISBN: 978-3-540-32115-6

  • eBook Packages: Computer Science (R0)