Modeling of Network Intrusions Based on the Multiple Transition Probability

  • Sang-Kyun Noh
  • DongKook Kim
  • Yong-Min Kim
  • Bong-Nam Noh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4266)


In the TCP network environment, all unit transmissions are constructed using sessions. In the session, packets are transmitted sequentially. In this case, the previous and next packets contain causality mutually. Thus, we propose a method that models network transmission information based on transitions of packet states. In addition to the transition model, a probability matrix for the multiple state-transition models of all sessions is represented. The matching of the models is achieved using the maximum log-likelihood ratio. Evaluation of the proposed method for intrusion modeling is conducted by using 1999 DARPA data sets. The method is also compared with Snort-2 which is misuse-based intrusion detection system. In addition, the techniques for advancing proposed method are discussed.


Network-based intrusion detection multiple transition probability Ergodic model probability-based modeling likelihood measure 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ross, S.M.: Introduction to Probability Models, 8th edn. Academic Press, London (2002)Google Scholar
  2. 2.
    Helstrom, C.W.: Statistical Theory of Signal Detection, 2nd edn. Pergamon Press, London (1968)Google Scholar
  3. 3.
    Shchervinin, A.F.: Conditional normalized likelihood estimators of parameters of the normal distribution. In: Measurement Techniques. Springer, New York (1992)Google Scholar
  4. 4.
    Otsuka, T., Ohya, J.: Recognizing multiple persons’ facial expressions using HMM based on automatic extraction of significant frames from image sequences. In: Proc. Int. Conf. on Image Processing (ICIP 1997), Santa Barbara, CA, USA, pp. 546–549 (October 1997)Google Scholar
  5. 5.
    Cho, S.-B., Han, S.-J.: Two Sophisticated Techniques to Improve HMM-Based Intrusion Detection Systems. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 207–219. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Cheong, I.-A., Kim, Y.-M., Kim, M.-S., Noh, B.-N.: The Causality Analysis of Protocol Measures for Detection of Attacks based on Network. In: The Intl. Conf. on Information Networking, Proc., vol. III (February 2004)Google Scholar
  7. 7.
    Lincoln Laboratory. MIT, DARPA Intrusion Detection Evaluation Data Sets,
  8. 8.
    Estevez-Tapiador, J.M., Garcia-Teodoro, P., Diaz-Verdejo, J.E.: Stochastic Protocol Modeling for Anomaly Based Network Intrusion Detection. In: The First IEEE International Workshop on Information Assurance (IWIA 2003), Darmstadt, Germany (March 2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Sang-Kyun Noh
    • 1
  • DongKook Kim
    • 2
  • Yong-Min Kim
    • 3
  • Bong-Nam Noh
    • 2
  1. 1.Interdisciplinary Program of Information SecurityChonnam National UniversityKorea
  2. 2.Div. of Electronics Computer EngineeringChonnam National UniversityKorea
  3. 3.Dept. of Electronic CommerceChonnam National UniversityKorea

Personalised recommendations