Hidden Markov Model Based Intrusion Detection

  • Zhi-Yong Liu
  • Hong Qiao
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3917)


Network security is an important issue for Intelligence and Security Informatics (ISI) [1-3]. As a complementary measure for traditional network security tools such as firewalls, the intrusion detection system (IDS) is becoming increasingly important and widely used [4]. Generally speaking, the IDS works by building a model based on the normal data patterns and treating the operations that deviate significantly from the model as malicious. In its early stage of development, the IDS took certain statistics (e.g., mean and variance) of the audit data to discriminate between normal usage and attacks. Such systems are easy to construct; however, they generalize poorly and so struggle to detect unknown or new attacks. Recently, other models such as the finite Markov model [5] and support vector machines [6] have been introduced into IDS, providing finer-grained characterization of normal users’ behavior. In this report we investigate the potential application of the Hidden Markov Model (HMM) for intrusion detection.
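As an added illustration (not code from the paper), the sketch below scores system-call traces with the scaled forward algorithm of a small HMM and flags traces whose per-symbol log-likelihood falls below a threshold calibrated on normal traces. The symbol alphabet, model parameters, margin and traces are constructed assumptions; in practice the parameters would be fitted to normal audit data, for example with the EM procedure covered in [7].

```python
import math

# Constructed toy model: a 2-state HMM over system-call symbols. The
# parameters are assumed to have been fitted to normal traces already.
SYMBOLS = {"open": 0, "read": 1, "write": 2, "close": 3, "exec": 4}
PI = [0.9, 0.1]                          # initial state distribution
A = [[0.8, 0.2], [0.3, 0.7]]             # state transition matrix
B = [[0.30, 0.40, 0.05, 0.24, 0.01],     # emissions, state 0 (mostly reads)
     [0.05, 0.10, 0.60, 0.24, 0.01]]     # emissions, state 1 (mostly writes)


def avg_log_likelihood(trace):
    """Scaled forward algorithm; returns log P(trace | model) / len(trace)."""
    if not trace:
        raise ValueError("empty trace")
    if any(s not in SYMBOLS for s in trace):
        return float("-inf")             # symbol never seen in normal data
    obs = [SYMBOLS[s] for s in trace]
    n = len(PI)
    alpha = [PI[i] * B[i][obs[0]] for i in range(n)]
    total = 0.0
    for t, o in enumerate(obs):
        if t > 0:                        # propagate one step, weight by emission
            alpha = [sum(alpha[i] * A[i][j] for i in range(n)) * B[j][o]
                     for j in range(n)]
        scale = sum(alpha)               # P(o_t | o_1 .. o_{t-1})
        total += math.log(scale)
        alpha = [a / scale for a in alpha]   # rescale to avoid underflow
    return total / len(obs)


def calibrate_threshold(normal_traces, margin=0.5):
    """Lowest score seen on normal traces, minus a safety margin."""
    return min(avg_log_likelihood(t) for t in normal_traces) - margin


def is_anomalous(trace, threshold):
    return avg_log_likelihood(trace) < threshold


# Constructed sample traces standing in for normal audit data.
NORMAL = [["open", "read", "read", "close"],
          ["open", "read", "write", "write", "close"],
          ["open", "write", "close"]]
THRESHOLD = calibrate_threshold(NORMAL)

if __name__ == "__main__":
    for trace in (["open", "read", "read", "write", "write", "close"],
                  ["exec", "exec", "write", "exec", "exec", "exec"]):
        print(trace, round(avg_log_likelihood(trace), 3),
              is_anomalous(trace, THRESHOLD))
```

Dividing by the trace length keeps scores comparable across traces of different lengths, so a single threshold can be applied to all of them.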




References

  1. Chen, H., Wang, F.Y.: Artificial intelligence for homeland security. IEEE Intelligent Systems 20, 12–16 (2005)
  2. Yao, Y.Y., Wang, F.Y., Wang, J., Zeng, D.: Rule + exception strategies for security information analysis. IEEE Intelligent Systems 20, 52–57 (2005)
  3. Chen, H., Wang, F.Y., Zeng, D.: Intelligence and security informatics for homeland security: Information, communication and transportation. IEEE Trans. Intelligent Transportation Systems 5, 329–341 (2004)
  4. Axelsson, S.: Intrusion detection systems: A survey and taxonomy. Technical Report 99-15, Depart. of Computer Engineering, Chalmers University (2000)
  5. Jha, S., Maxion, R.A.: Markov chains, classifiers, and intrusion detection. In: Proceedings of the 14th IEEE Workshop on Computer Security Foundations (2001)
  6. Mukkamala, S., Janoski, G., Sung, A.: Intrusion detection using neural networks and support vector machines. In: Proceedings of the 2002 International Joint Conference on Neural Networks (IJCNN), vol. 2, pp. 1702–1707 (2002)
  7. Bilmes, J.: A gentle tutorial on the EM algorithm and its application to parameter estimation for Gaussian mixture and hidden Markov models. Technical Report, University of UC. Berkeley, ICSI-TR-97-021 (1997)
  8. Lee, W., Stolfo, S.J.: A framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security 227–261 (2000)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Zhi-Yong Liu (1)
  • Hong Qiao (1)
  1. Key Lab of Complex Systems and Intelligence Science, Chinese Academy of Sciences, Beijing, P.R. China
