Two Sophisticated Techniques to Improve HMM-Based Intrusion Detection Systems
Hidden Markov model (HMM) has been successfully applied to anomlay detection as a technique to model normal behavior. Despite its good performance, there are some problems in applying it to real intrusion detection systems: it requires large amount of time to model normal behaviors and the false-positive error rate is relatively high. To remedy these problems, we have proposed two techniques: extracting privilege flows to reduce the normal behaviors and combining multiple models to reduce the false-positive error rate. Experimental results with real audit data show that the proposed method requires significantly shorter time to train HMM without loss of detection rate and significantly reduces the false-positive error rate.
Keywordsanomaly detection hidden Markov model privilege flow combining multiple models
Unable to display preview. Download preview PDF.
- 1.Vaccaro, H.S., Liepins, G.E.: Detection of anomalous computer session activity. In: Proceedings of IEEE Symposium on Research in Security and Privacy, pp. 280–289 (1989)Google Scholar
- 2.Price, K.E.: Host-based misuse detection and conventional operating system’s audit data collection. M.S. Dissertaion, Purdue University, Purdue, IN (December 1997)Google Scholar
- 3.Lane, T., Brodley, C.E.: An application of machine learning to anomaly detection. In: Proceedings of the National Information Systems Security Conference, pp. 366-380, Washington, DC (October 1997)Google Scholar
- 4.Lane, T., Brodley, C.E.: Temporal sequence learning and data reduction for anomaly detection. In: Proceedings of the Fifth ACM Conference on Computer and Communications Security, pp. 150–158 (1997)Google Scholar
- 5.Ghosh, K., Schwartzbard, A., Schatz, M.: Learning program behavior profiles for intrusion detection. In: Proceedings of Workshop on Intrusion Detection and Network Monitoring, Santa Clara, USA, April 1999, pp. 51–62 (1999)Google Scholar
- 6.Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusion using calls: Alternative data models. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 133–145 (May 1999)Google Scholar
- 7.Yeung, D.Y., Ding, Y.: Host-based intrusion detection using dynamic and static behavioral models. The Journal of the Pattern Recognition society (December 2001)Google Scholar
- 9.Rabiner, L.R., Juang, B.H.: An introduction to hidden Markov models. IEEE ASSP Magazine, 4–16 (January 1986)Google Scholar
- 10.Kuperman, B.A., Spafford, E.H.: Generation of application level audit data via library interposition. CERIAS TR 99-11, COAST Laboratory, Purdue University, West Lafaytte, IN (October 1998)Google Scholar
- 11.Kohonen, T.: Self-Organizing Maps. Springer press, Heidelberg (1995)Google Scholar
- 12.Mukkamala, S., Sung, A.H., Abraham, A.: Intrusion Detection Using Ensemble of Soft Computing Paradigms. In: Third International Conference on Intelligent Systems Design and Applications, Intelligent Systems Design and Applications, Advances in Soft Computing, pp. 239–248. Springer Verlag, Germany (2003)Google Scholar
- 13.Didaci, L., Giacinto, G., Roli, F.: Ensemble Learning for Intrusion Detection in Computer Networks. In: Proceedings of the Workshop on Machine Learning, Methods and Applications, held in the context of the 8th Meeting of the Italian Association of Artificial Intelligence (AI*IA), September 2002, pp. 10–13 (2002)Google Scholar