High-Order Markov Kernels for Network Intrusion Detection

  • Shengfeng Tian
  • Chuanhuan Yin
  • Shaomin Mu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4234)


In intrusion detection systems, sequences of system calls executed by running programs can be used as evidence to detect anomalies. Markov chain is often adopted as the model in the detection systems, in which high-order Markov chain model is well suited for the detection, but as the order of the chain increases, the number of parameters of the model increases exponentially and rapidly becomes too large to be estimated efficiently. In this paper, one-class support vector machines (SVMs) using high-order Markov kernel are adopted as the anomaly detectors. This approach solves the problem of high dimension parameter space. Experiments show that this system can produce good detection performance with low computational overhead.


Support Vector Machine Hide Markov Model Intrusion Detection Anomaly Detection System Call 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Forrest, S., Hofmeyr, S.A., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security 6, 151–180 (1998)Google Scholar
  2. 2.
    Lee, W., Stolfo, S.J., Chan, P.K.: Learning patterns from UNIX process execution traces for intrusion detection. In: AAAI Workshop on AI Approaches to Fraud Detection and Risk Management, pp. 50–56. AAAI Press, Menlo Park (1997)Google Scholar
  3. 3.
    Yeung, D., Ding, Y.: Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognition 36, 229–243 (2003)CrossRefMATHGoogle Scholar
  4. 4.
    Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A fast automation-based method for detecting anomalous program behaviors. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 144–155 (2001)Google Scholar
  5. 5.
    Feng, L., Guan, X., Guo, S., Gao, Y., Liu, P.: Predicting the intrusion intentions by observing system call sequences. Computers & Security 23, 241–252 (2004)CrossRefGoogle Scholar
  6. 6.
    Warrender, S., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: Alternative data models. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 133–145 (1999)Google Scholar
  7. 7.
    Ju, W., Vardi, Y.: A hybrid high-order Markov chain model for computer intrusion detection. Journal of Computational and Graphical Statistics 10, 277–295 (2001)CrossRefMathSciNetGoogle Scholar
  8. 8.
    Cristianini, N., Shawe-Taylor, J.: An Introduction to Support Vector machines. Cambridge University Press, Cambridge (2000)Google Scholar
  9. 9.
    Leslie, C., Eskin, E., Noble, W.S.: The spectrum kernel: a string kernel for SVM protein classification. In: Proceedings of the pacific biocomputing Symposium, vol. 7, pp. 566–575 (2002)Google Scholar
  10. 10.
    Leslie, C., Eskin, E., Weston, J., Noble, W.S.: Mismatch string kernels for SVM protein classification. In: Becker, S., Thrun, S., Obermayer, K. (eds.) Proceedings of Neural Information Processing Systems 15, MIT Press, Cambridge (2002)Google Scholar
  11. 11.
    Vishwanathan, S.V.N., Smola, A.J.: Fast kernels for string and tree matching. In: Becker, S., Thrun, S., Obermayer, K. (eds.) Proceedings of Neural Information Processing Systems 15, MIT Press, Cambridge (2002)Google Scholar
  12. 12.
    Lodhi, H., Saunders, C., Shawe-Taylor, C., Cristianini, N., Watkins, C.: Text classification using string kernels. Journal of Machine Learning Research 2, 419–444 (2002)CrossRefMATHGoogle Scholar
  13. 13.
    Schölkopf, B., Platt, B.J.C., Shawe-Taylor, J., Smola, A.J.: Estimating the support of a high-dimensional distribution. Technical report MSR-TR-99-87, Microsoft Research (1999)Google Scholar
  14. 14.
    Ye, N., Li, X., Chen, Q., Emran, S.M., Xu, M.: Probabilistic techniques for intrusion detection based on computer audit data. IEEE Trans. On Systems, Man, and Cybernetics – Part A: Systems and Humans 31(4), 266–274 (2001)CrossRefGoogle Scholar
  15. 15.
    Berchtold, A., Raftery, E.: The mixture transition distribution model for high-order Markov chains and non-Gaussian time series. Statistical Science 17(3), 328–356 (2002)CrossRefMATHMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Shengfeng Tian
    • 1
  • Chuanhuan Yin
    • 1
  • Shaomin Mu
    • 1
  1. 1.School of Computer and Information TechnologyBeijing Jiaotong UniversityBeijingP.R. China

Personalised recommendations