Hidden Markov Model Based Intrusion Detection
Network security is an important issue for Intelligence and Security Informatics (ISI) [1-3]. As a complementary measure to traditional network security tools such as firewalls, the intrusion detection system (IDS) is becoming increasingly important and widely used. Generally speaking, an IDS works by building a model of the normal data patterns and treating operations that deviate significantly from that model as malicious. In its early stage of development, the IDS took certain statistics (e.g., mean and variance) of the audit data to discriminate between normal usage and attacks. Such systems are easy to construct; however, they suffer from a poor ability to generalize to unknown or new attacks. Recently, other models such as the finite Markov model and support vector machines have been introduced into IDS, providing a finer-grained characterization of normal users’ behavior. In this report we investigate the potential application of the Hidden Markov Model (HMM) to intrusion detection.
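As an added illustration of the normal-profile idea described above (example code written for this page, not the paper's own implementation), a small HMM with constructed, assumed parameters scores audit-event traces with the forward algorithm and flags any trace whose per-event log-likelihood falls well below the profile learned from normal traces. The states, alphabet, probabilities and traces are all constructed for the example.

```python
import math
from statistics import mean, pstdev

# Constructed toy HMM over an audit-event alphabet. The parameters are an
# assumption standing in for a model estimated from normal traces (e.g. with
# EM/Baum-Welch); they are not taken from the paper.
STATES = ("idle", "file_io", "net_io")
START = {"idle": 0.8, "file_io": 0.1, "net_io": 0.1}
TRANS = {
    "idle":    {"idle": 0.5, "file_io": 0.3, "net_io": 0.2},
    "file_io": {"idle": 0.2, "file_io": 0.7, "net_io": 0.1},
    "net_io":  {"idle": 0.2, "file_io": 0.1, "net_io": 0.7},
}
# Every symbol keeps non-zero mass in every state, so a rare event lowers the
# score instead of producing log(0).
EMIT = {
    "idle":    {"open": .3, "close": .3, "socket": .2, "exec": .05, "read": .05, "write": .05, "connect": .025, "send": .025},
    "file_io": {"read": .4, "write": .35, "open": .1, "close": .1, "exec": .02, "socket": .01, "connect": .01, "send": .01},
    "net_io":  {"send": .5, "connect": .25, "socket": .1, "close": .1, "exec": .02, "open": .01, "read": .01, "write": .01},
}

def _logsumexp(xs):
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))

def log_likelihood(trace):
    """Forward algorithm in log space: returns log P(trace | model)."""
    alpha = {s: math.log(START[s]) + math.log(EMIT[s][trace[0]]) for s in STATES}
    for sym in trace[1:]:
        prev = alpha
        alpha = {s: _logsumexp([prev[p] + math.log(TRANS[p][s]) for p in STATES])
                    + math.log(EMIT[s][sym]) for s in STATES}
    return _logsumexp(list(alpha.values()))

def score(trace):
    """Per-event log-likelihood, so traces of different lengths are comparable."""
    return log_likelihood(trace) / len(trace)

def fit_threshold(normal_traces, k=2.5):
    """Normal profile: anything k standard deviations below the normal mean is flagged."""
    scores = [score(t) for t in normal_traces]
    return mean(scores) - k * pstdev(scores)

def is_anomalous(trace, threshold):
    return score(trace) < threshold

# Constructed sample traces (not real audit data).
NORMAL_TRACES = [["open", "read", "read", "write", "close"],
                 ["socket", "connect", "send", "send", "close"],
                 ["open", "read", "write", "write", "close"],
                 ["socket", "connect", "send", "close"],
                 ["open", "read", "close"]]
ATTACK_TRACE = ["exec"] * 5          # burst of process spawning never seen in the profile
THRESHOLD = fit_threshold(NORMAL_TRACES)

if __name__ == "__main__":
    for t in NORMAL_TRACES + [ATTACK_TRACE]:
        print(f"{score(t):7.3f} {'ANOMALY' if is_anomalous(t, THRESHOLD) else 'normal '} {' '.join(t)}")
```

The detector only learns what normal looks like, which is why it can flag a trace it has never seen, and also why its false-positive rate depends entirely on how representative the normal traces are.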
Keywords: Support Vector Machine, Hidden Markov Model, Intrusion Detection, Intrusion Detection System, Intelligent Transportation System
- 4. Axelsson, S.: Intrusion detection systems: A survey and taxonomy. Technical Report 99-15, Department of Computer Engineering, Chalmers University (2000)
- 5. Jha, S., Maxion, R.A.: Markov chains, classifiers, and intrusion detection. In: Proceedings of the 14th IEEE Workshop on Computer Security Foundations (2001)
- 6. Mukkamala, S., Janoski, G., Sung, A.: Intrusion detection using neural networks and support vector machines. In: Proceedings of the 2002 International Joint Conference on Neural Networks (IJCNN), vol. 2, pp. 1702–1707 (2002)
- 7. Bilmes, J.: A gentle tutorial on the EM algorithm and its application to parameter estimation for Gaussian mixture and hidden Markov models. Technical Report ICSI-TR-97-021, U.C. Berkeley (1997)
- 8. Lee, W., Stolfo, S.J.: A framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security, 227–261 (2000)