
Anomaly Detection Method Based on HMMs Using System Call and Call Stack Information

  • Conference paper
Computational Intelligence and Security (CIS 2005)

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 3802)


Abstract

Anomaly detection has emerged as an important approach to computer security. In this paper, a new anomaly detection method based on Hidden Markov Models (HMMs) is proposed to detect intrusions. Both system calls and return addresses from the call stack of the program are extracted dynamically to train and test the HMMs. The states of the models are associated with the system calls, and the observation symbols are associated with the sequences of return addresses taken from the call stack. Because the states of these HMMs are observable, the models can be trained with a simple method that requires less computation time than the classical Baum-Welch algorithm. Experiments show that our method achieves better detection performance than traditional HMM-based approaches.
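The abstract describes an HMM whose states (system calls) are visible in the training traces, so the model can be fitted by counting rather than by Baum-Welch, and whose observation symbols are call-stack return-address sequences. The following added example, which is not code from the paper, implements that idea on constructed traces: it estimates initial, transition and emission probabilities by one counting pass, then scores a test trace by its mean per-event log-likelihood so that a system call reached through an unfamiliar return address stands out. The additive-smoothing constant and the detection threshold are assumptions of this example, not values from the paper.

```python
import math
from collections import defaultdict

# Constructed sample traces (not from the paper): (system_call, return_addresses) events,
# where the system call is the HMM state and the call-stack return addresses the symbol.
NORMAL_TRACES = [
    [("open", (0x401A10, 0x401B20)), ("read", (0x401A10, 0x401C30)), ("close", (0x401A10, 0x401D40))],
    [("open", (0x401A10, 0x401B20)), ("read", (0x401A10, 0x401C30)),
     ("read", (0x401A10, 0x401C30)), ("close", (0x401A10, 0x401D40))],
]
# Same system calls as a normal run, but 'read' is entered via a return address never seen in training.
ANOMALOUS_TRACE = [("open", (0x401A10, 0x401B20)), ("read", (0x7FFC1000, 0x401C30)), ("close", (0x401A10, 0x401D40))]

class ObservableStateHMM:
    """States are known during training, so initial/transition/emission probabilities are
    maximum-likelihood counts from one pass over the data instead of Baum-Welch re-estimation.
    The additive smoothing constant is this example's assumption; the page does not specify one."""

    def __init__(self, smoothing=1e-6):
        self.eps = smoothing
        self.init = defaultdict(int)                         # trace-initial state counts
        self.trans = defaultdict(lambda: defaultdict(int))   # trans[s][s'] counts
        self.emit = defaultdict(lambda: defaultdict(int))    # emit[s][symbol] counts
        self.states, self.symbols = set(), set()

    def train(self, traces):
        for trace in traces:
            prev = None
            for state, symbol in trace:
                self.states.add(state); self.symbols.add(symbol)
                self.emit[state][symbol] += 1
                (self.init if prev is None else self.trans[prev])[state] += 1
                prev = state

    def _log_prob(self, counts, key, vocab):
        # Additive smoothing: an unseen transition or emission is very unlikely, not impossible.
        total = sum(counts.values())
        return math.log((counts.get(key, 0) + self.eps) / (total + self.eps * vocab))

    def log_likelihood(self, trace):
        n_states, n_symbols = len(self.states) + 1, len(self.symbols) + 1   # +1 for 'unseen'
        ll, prev = 0.0, None
        for state, symbol in trace:
            ll += self._log_prob(self.init if prev is None else self.trans[prev], state, n_states)
            ll += self._log_prob(self.emit[state], symbol, n_symbols)
            prev = state
        return ll / len(trace)   # mean per-event score, so traces of different lengths compare

    def is_anomalous(self, trace, threshold):
        return self.log_likelihood(trace) < threshold
```

In practice the threshold is chosen from the score distribution of held-out normal traces; the unseen return address drives the score of the anomalous trace far below that of either normal trace.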

Supported by the National Natural Science Foundation under Grant No. 60373107 and the National High-Tech Research and Development Plan of China under Grant No. 2003AA142060.




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zhang, C., Peng, Q. (2005). Anomaly Detection Method Based on HMMs Using System Call and Call Stack Information. In: Hao, Y., et al. (eds.) Computational Intelligence and Security. CIS 2005. Lecture Notes in Computer Science, vol. 3802. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11596981_47


  • DOI: https://doi.org/10.1007/11596981_47

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-30819-5

  • Online ISBN: 978-3-540-31598-8

  • eBook Packages: Computer Science (R0)
