Abstract
Anomaly intrusion detection focuses on modeling normal behaviors and identifying significant deviations, which could be novel attacks. The existing techniques in that domain were analyzed, and then an effective anomaly detection method based on HMMs (Hidden Markov Models) was proposed to learn patterns of Unix processes. Fixed-length sequences of system calls were extracted from traces of programs to train and test models. Both temporal orderings and parameters of system calls were taken into considered in this method. The RP (Relative Probability) value, which used short sequences as inputs, was computed to classify normal and abnormal behaviors. The algorithm is simple and can be directly applied. Experiments on sendmail and lpr traces demonstrate that the method can construct accurate and concise discriminator to detect intrusive actions.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Anderson, J.P.: Computer Security Threat Monitoring and Surveillance. James P. Anderson Co., Fort Washington (1980)
Carver, C.A.: Adaptive Agent-based Intrusion Response, pp. 8–10. Texas A&M University (2001)
Yeung, D.Y., Ding, Y.: Host-based Intrusion Detection Using Dynamic and Static Behavioral Models. Pattern Recognition 36, 229–243 (2003)
Anderson, D., Frivold, T., Valdes, A.: Next-generation Intrusion Detection Expert System (NIDES). Computer Science Laboratory, SRI International Menlo Park (1995)
Hofmeyr, S.A., Forrest, S.: Architecture for An Artificial Immune System. Evolutionary Computation 8, 443–473 (2000)
Ye, N.: A Markov Chain Model of Temporal Behavior for Anomaly Detection. In: The 2000 IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop, West Point, NY (2000)
Jha, S., Tany, K., Maxion, R.A.: Markov Chains, Classifiers, and Intrusion Detection. In: The 14th IEEE Computer Security Foundations Workshop, Cape Breton, Novia Scotia, Canada (2001)
Eskin, E., Wenke, L., Stolfo, S.J.: Modeling System Calls for Intrusion Detection with Dynamic Window Sizes. In: DARPA Information Survivability Conference & Exposition, Anaheim, California (2001)
Rabiner, L.R.: A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition. Proceedings of the IEEE 77, 257–286 (1989)
Tan, X.B., Wang, W.P., Xi, H.S., Yin, B.Q.: A Hidden Markov Model Used in Intrusion Detection. Chinese Journal of Computer Research and Development 40, 245–250 (2003)
Warrender, C., Forrest, S., Pearlmutter, B.: Detecting Intrusions Using System Calls:Alternative Data Models. In: The 1999 IEEE Symposium on Security and Privacy, pp. 133–145. IEEE Computer Society, Los Alamitos (1999)
Zhang, K., Xu, M.W., Zhang, H., Liu, F.Y.: An Intrusion Detection Method (RHDID)Based on Relative Hamming Distance. Chinese journal of computers 26, 65–70 (2003)
Forrest, S., Hofmeyr, S.A., Somayaji, A., Longsta1, T.A.: A Sense of Self for Unix Processes. In: The IEEE Symposium on Security and Privacy, Oakland, CA, USA, pp. 120–129 (1996)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Du, Y., Wang, H., Pang, Y. (2004). HMMs for Anomaly Intrusion Detection. In: Zhang, J., He, JH., Fu, Y. (eds) Computational and Information Science. CIS 2004. Lecture Notes in Computer Science, vol 3314. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30497-5_108
Download citation
DOI: https://doi.org/10.1007/978-3-540-30497-5_108
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-24127-0
Online ISBN: 978-3-540-30497-5
eBook Packages: Computer ScienceComputer Science (R0)