Abstract
Hidden Markov model (HMM) has been successfully applied to anomlay detection as a technique to model normal behavior. Despite its good performance, there are some problems in applying it to real intrusion detection systems: it requires large amount of time to model normal behaviors and the false-positive error rate is relatively high. To remedy these problems, we have proposed two techniques: extracting privilege flows to reduce the normal behaviors and combining multiple models to reduce the false-positive error rate. Experimental results with real audit data show that the proposed method requires significantly shorter time to train HMM without loss of detection rate and significantly reduces the false-positive error rate.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Vaccaro, H.S., Liepins, G.E.: Detection of anomalous computer session activity. In: Proceedings of IEEE Symposium on Research in Security and Privacy, pp. 280–289 (1989)
Price, K.E.: Host-based misuse detection and conventional operating system’s audit data collection. M.S. Dissertaion, Purdue University, Purdue, IN (December 1997)
Lane, T., Brodley, C.E.: An application of machine learning to anomaly detection. In: Proceedings of the National Information Systems Security Conference, pp. 366-380, Washington, DC (October 1997)
Lane, T., Brodley, C.E.: Temporal sequence learning and data reduction for anomaly detection. In: Proceedings of the Fifth ACM Conference on Computer and Communications Security, pp. 150–158 (1997)
Ghosh, K., Schwartzbard, A., Schatz, M.: Learning program behavior profiles for intrusion detection. In: Proceedings of Workshop on Intrusion Detection and Network Monitoring, Santa Clara, USA, April 1999, pp. 51–62 (1999)
Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusion using calls: Alternative data models. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 133–145 (May 1999)
Yeung, D.Y., Ding, Y.: Host-based intrusion detection using dynamic and static behavioral models. The Journal of the Pattern Recognition society (December 2001)
Rabiner, L.R.: A tutorial on hidden Markov models and selected applications in speech recognition. Proceedings of the IEEE 77(2), 257–286 (1989)
Rabiner, L.R., Juang, B.H.: An introduction to hidden Markov models. IEEE ASSP Magazine, 4–16 (January 1986)
Kuperman, B.A., Spafford, E.H.: Generation of application level audit data via library interposition. CERIAS TR 99-11, COAST Laboratory, Purdue University, West Lafaytte, IN (October 1998)
Kohonen, T.: Self-Organizing Maps. Springer press, Heidelberg (1995)
Mukkamala, S., Sung, A.H., Abraham, A.: Intrusion Detection Using Ensemble of Soft Computing Paradigms. In: Third International Conference on Intelligent Systems Design and Applications, Intelligent Systems Design and Applications, Advances in Soft Computing, pp. 239–248. Springer Verlag, Germany (2003)
Didaci, L., Giacinto, G., Roli, F.: Ensemble Learning for Intrusion Detection in Computer Networks. In: Proceedings of the Workshop on Machine Learning, Methods and Applications, held in the context of the 8th Meeting of the Italian Association of Artificial Intelligence (AI*IA), September 2002, pp. 10–13 (2002)
Choy, J.H., Cho, S.B.: Anomaly detection of computer usage using artificial intelligence techniques. In: Kowalczyk, R., Loke, S.W., Reed, N.E., Graham, G. (eds.) PRICAI-WS 2000. LNCS (LNAI), vol. 2112, pp. 31–43. Springer, Heidelberg (2001)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Cho, SB., Han, SJ. (2003). Two Sophisticated Techniques to Improve HMM-Based Intrusion Detection Systems. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_12
Download citation
DOI: https://doi.org/10.1007/978-3-540-45248-5_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40878-9
Online ISBN: 978-3-540-45248-5
eBook Packages: Springer Book Archive