
Intrusion Detection by Combining Multiple Hidden Markov Models

  • Conference paper
PRICAI 2000 Topics in Artificial Intelligence (PRICAI 2000)

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 1886)

Abstract

Intrusion detection techniques can be divided into two groups according to the type of information they use: misuse detection and anomaly detection. Anomaly detection models normal behavior and attempts to detect intrusions by noting significant deviations from it. By constructing models from multiple measures and combining them, we can expect improved reliability in intrusion detection. In this paper, we propose a technique that combines multiple models by voting to improve the detection rate of an intrusion detection system.

The intrusion detection system is based on an anomaly detection technique using hidden Markov models (HMMs). Each HMM models and evaluates one aspect of the events, which are collected by Sun Microsystems' Basic Security Module (BSM) auditing facility. Each event, such as a BSM event, usually consists of several measures, so when one event is evaluated through each model, a vector of evaluation values is generated. A system call, one of the measures obtained from BSM, can be either perfectly normal or very dangerous depending on the situation. For example, a write() system call to an ordinary user file is normal, whereas the same call on a system file by an unprivileged user is suspicious. Thus, a framework that can effectively combine various measures is needed.

In an HMM, the probability with which a given sequence is generated by a model can be calculated using the forward-backward procedure, and an optimal model can be built from a collection of sequences using the Baum-Welch reestimation formulas. If normal behavior is modeled as an HMM, we can determine whether current behavior is normal by comparing the evaluation value of the current behavior sequence against the model's threshold for normal behavior. Each HMM decides whether the current sequence is abnormal from the point of view of the measure it is responsible for, and participates in the final anomaly decision with a weight W_m that reflects its confidence. Voting then determines whether the total R = Σ_m W_m · V_m, where V_m is model m's voting value, is greater than or equal to the threshold T.
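The per-measure HMM scoring and the weighted vote described above, as an added Python example that is not code from the paper: each measure model scores a window with the forward procedure, votes V_m = 1 when the score falls below its normal-behavior threshold, and the combiner tests R = Σ W_m · V_m against T (T = Σ W_m gives unanimity voting). The HMM parameters, the symbol tables for the two measures, the training windows and the threshold rule (worst normal training score minus a margin) are all constructed here for illustration; the paper trains its models with Baum-Welch on BSM data and sets thresholds from that data, so none of these values come from it.

```python
import math
from dataclasses import dataclass
from typing import Sequence


@dataclass
class HMM:
    """Discrete-observation hidden Markov model (N states, M symbols)."""
    pi: list            # initial state distribution (N)
    A: list             # state transition matrix (N x N)
    B: list             # emission matrix (N x M)

    def log_likelihood(self, obs: Sequence[int]) -> float:
        """Forward procedure with per-step scaling: returns log P(obs | model).
        Scaling the alpha vector at every step avoids underflow on long windows."""
        n = len(self.pi)
        logp = 0.0
        alpha = [self.pi[i] * self.B[i][obs[0]] for i in range(n)]
        for t in range(len(obs)):
            if t > 0:
                alpha = [sum(alpha[i] * self.A[i][j] for i in range(n)) * self.B[j][obs[t]]
                         for j in range(n)]
            scale = sum(alpha)
            if scale == 0.0:
                return -math.inf        # sequence impossible under this model
            alpha = [a / scale for a in alpha]
            logp += math.log(scale)
        return logp


@dataclass
class MeasureModel:
    """One HMM responsible for one measure, with its own normal-behavior threshold."""
    name: str
    hmm: HMM
    threshold: float = -math.inf

    def score(self, obs: Sequence[int]) -> float:
        # Per-symbol log-likelihood so windows of different length are comparable.
        return self.hmm.log_likelihood(obs) / len(obs)

    def fit_threshold(self, normal_sequences, margin: float = 0.25) -> None:
        # Assumed rule: the worst score seen on normal training data, minus a margin.
        self.threshold = min(self.score(s) for s in normal_sequences) - margin

    def vote(self, obs: Sequence[int]) -> int:
        """V_m = 1 if this measure's view of the window is anomalous, else 0."""
        return int(self.score(obs) < self.threshold)


def combined_decision(models, weights, observations, T):
    """R = sum_m W_m * V_m; the window is declared anomalous iff R >= T.
    observations maps each model's name to that measure's symbol window."""
    R = sum(w * m.vote(observations[m.name]) for m, w in zip(models, weights))
    return R >= T, R


def build_models():
    """Two constructed measure models with equal voting weight (constructed data)."""
    # Measure 1: raw system-call symbols. Constructed table:
    # 0=open 1=read 2=write 3=close 4=exec (exec made rare in both states).
    syscall_hmm = HMM(
        pi=[0.9, 0.1],
        A=[[0.8, 0.2], [0.3, 0.7]],
        B=[[0.40, 0.10, 0.10, 0.39, 0.01],   # state 0 leans to open/close
           [0.05, 0.50, 0.39, 0.05, 0.01]],  # state 1 leans to read/write
    )
    # Measure 2: a SOM-reduced measure, i.e. the winning SOM cell index.
    # Constructed: cells 0 and 1 are common, cell 2 is rare.
    som_hmm = HMM(
        pi=[0.5, 0.5],
        A=[[0.7, 0.3], [0.4, 0.6]],
        B=[[0.78, 0.20, 0.02],
           [0.20, 0.78, 0.02]],
    )
    syscall = MeasureModel("syscall", syscall_hmm)
    som = MeasureModel("som", som_hmm)
    # Constructed normal training windows for each measure.
    syscall.fit_threshold([[0, 1, 1, 2, 3], [0, 1, 2, 3, 0, 1, 3], [0, 2, 2, 3]])
    som.fit_threshold([[0, 0, 1, 1, 0], [1, 1, 0, 0, 1, 1, 0], [0, 1, 0, 1]])
    return [syscall, som], [1.0, 1.0]


if __name__ == "__main__":
    models, weights = build_models()
    unanimity = sum(weights)          # T = sum of weights: every model must vote 1
    majority = 1.0                    # T = 1: any single model suffices
    window = {"syscall": [0, 1, 1, 2, 3], "som": [2, 2, 2, 2]}  # only SOM view is odd
    print("unanimity:", combined_decision(models, weights, window, unanimity))
    print("majority: ", combined_decision(models, weights, window, majority))
```

Because each model's alpha vector is renormalized before every step, a symbol whose emission probability is p in every state contributes exactly log p to the window score, which is what makes the rare exec symbol drag the system-call score below its threshold regardless of the hidden state path. The `__main__` block shows the trade-off behind unanimity voting: a window that looks anomalous to only one measure is passed by unanimity and flagged by majority.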

In the experiment, a model based on the raw system-call measure and a model based on a measure reduced by a Self-Organizing Map (SOM) are combined by voting, each with the same voting weight. With unanimity voting, the overall false-positive error rate, a pivotal evaluation criterion for anomaly detection, was reduced to 1.18%, compared with 5.33% and 23.53% for the two previous individual models, respectively.


© 2000 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Choy, J., Cho, SB. (2000). Intrusion Detection by Combining Multiple Hidden Markov Models. In: Mizoguchi, R., Slaney, J. (eds) PRICAI 2000 Topics in Artificial Intelligence. PRICAI 2000. Lecture Notes in Computer Science(), vol 1886. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44533-1_118


  • DOI: https://doi.org/10.1007/3-540-44533-1_118

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-67925-7

  • Online ISBN: 978-3-540-44533-3
