Recent Advances in Intrusion Detection

Volume 4219 of the series Lecture Notes in Computer Science pp 19-40

Behavioral Distance Measurement Using Hidden Markov Models

  • Debin GaoAffiliated withCarnegie Mellon University
  • , Michael K. ReiterAffiliated withCarnegie Mellon University
  • , Dawn SongAffiliated withCarnegie Mellon University

* Final gross prices may vary according to local VAT.

Get Access


The behavioral distance between two processes is a measure of the deviation of their behaviors. Behavioral distance has been proposed for detecting the compromise of a process, by computing its behavioral distance from another process executed on the same input. Provided that the two processes are diverse and so unlikely to fall prey to the same attacks, an increase in behavioral distance might indicate the compromise of one of them. In this paper we propose a new approach to behavioral distance calculation using a new type of Hidden Markov Model. We also empirically evaluate the intrusion detection capability of our proposal when used to measure the distance between the system-call behaviors of diverse web servers. Our experiments show that it detects intrusions with substantially greater accuracy and with performance overhead comparable to that of prior proposals.


intrusion detection anomaly detection system call behavioral distance