Two Sophisticated Techniques to Improve HMM-Based Intrusion Detection Systems

  • Sung-Bae Cho
  • Sang-Jun Han
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2820)


Hidden Markov model (HMM) has been successfully applied to anomlay detection as a technique to model normal behavior. Despite its good performance, there are some problems in applying it to real intrusion detection systems: it requires large amount of time to model normal behaviors and the false-positive error rate is relatively high. To remedy these problems, we have proposed two techniques: extracting privilege flows to reduce the normal behaviors and combining multiple models to reduce the false-positive error rate. Experimental results with real audit data show that the proposed method requires significantly shorter time to train HMM without loss of detection rate and significantly reduces the false-positive error rate.


anomaly detection hidden Markov model privilege flow combining multiple models 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Vaccaro, H.S., Liepins, G.E.: Detection of anomalous computer session activity. In: Proceedings of IEEE Symposium on Research in Security and Privacy, pp. 280–289 (1989)Google Scholar
  2. 2.
    Price, K.E.: Host-based misuse detection and conventional operating system’s audit data collection. M.S. Dissertaion, Purdue University, Purdue, IN (December 1997)Google Scholar
  3. 3.
    Lane, T., Brodley, C.E.: An application of machine learning to anomaly detection. In: Proceedings of the National Information Systems Security Conference, pp. 366-380, Washington, DC (October 1997)Google Scholar
  4. 4.
    Lane, T., Brodley, C.E.: Temporal sequence learning and data reduction for anomaly detection. In: Proceedings of the Fifth ACM Conference on Computer and Communications Security, pp. 150–158 (1997)Google Scholar
  5. 5.
    Ghosh, K., Schwartzbard, A., Schatz, M.: Learning program behavior profiles for intrusion detection. In: Proceedings of Workshop on Intrusion Detection and Network Monitoring, Santa Clara, USA, April 1999, pp. 51–62 (1999)Google Scholar
  6. 6.
    Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusion using calls: Alternative data models. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 133–145 (May 1999)Google Scholar
  7. 7.
    Yeung, D.Y., Ding, Y.: Host-based intrusion detection using dynamic and static behavioral models. The Journal of the Pattern Recognition society (December 2001)Google Scholar
  8. 8.
    Rabiner, L.R.: A tutorial on hidden Markov models and selected applications in speech recognition. Proceedings of the IEEE 77(2), 257–286 (1989)CrossRefGoogle Scholar
  9. 9.
    Rabiner, L.R., Juang, B.H.: An introduction to hidden Markov models. IEEE ASSP Magazine, 4–16 (January 1986)Google Scholar
  10. 10.
    Kuperman, B.A., Spafford, E.H.: Generation of application level audit data via library interposition. CERIAS TR 99-11, COAST Laboratory, Purdue University, West Lafaytte, IN (October 1998)Google Scholar
  11. 11.
    Kohonen, T.: Self-Organizing Maps. Springer press, Heidelberg (1995)Google Scholar
  12. 12.
    Mukkamala, S., Sung, A.H., Abraham, A.: Intrusion Detection Using Ensemble of Soft Computing Paradigms. In: Third International Conference on Intelligent Systems Design and Applications, Intelligent Systems Design and Applications, Advances in Soft Computing, pp. 239–248. Springer Verlag, Germany (2003)Google Scholar
  13. 13.
    Didaci, L., Giacinto, G., Roli, F.: Ensemble Learning for Intrusion Detection in Computer Networks. In: Proceedings of the Workshop on Machine Learning, Methods and Applications, held in the context of the 8th Meeting of the Italian Association of Artificial Intelligence (AI*IA), September 2002, pp. 10–13 (2002)Google Scholar
  14. 14.
    Choy, J.H., Cho, S.B.: Anomaly detection of computer usage using artificial intelligence techniques. In: Kowalczyk, R., Loke, S.W., Reed, N.E., Graham, G. (eds.) PRICAI-WS 2000. LNCS (LNAI), vol. 2112, pp. 31–43. Springer, Heidelberg (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Sung-Bae Cho
    • 1
  • Sang-Jun Han
    • 1
  1. 1.Dept. of Computer ScienceYonsei UniversitySeoulKorea

Personalised recommendations