Two Sophisticated Techniques to Improve HMM-Based Intrusion Detection Systems

Cho, Sung-Bae; Han, Sang-Jun

doi:10.1007/978-3-540-45248-5_12

Sung-Bae Cho⁷ &
Sang-Jun Han⁷

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2820))

Included in the following conference series:

International Workshop on Recent Advances in Intrusion Detection

1463 Accesses
16 Citations

Abstract

Hidden Markov model (HMM) has been successfully applied to anomlay detection as a technique to model normal behavior. Despite its good performance, there are some problems in applying it to real intrusion detection systems: it requires large amount of time to model normal behaviors and the false-positive error rate is relatively high. To remedy these problems, we have proposed two techniques: extracting privilege flows to reduce the normal behaviors and combining multiple models to reduce the false-positive error rate. Experimental results with real audit data show that the proposed method requires significantly shorter time to train HMM without loss of detection rate and significantly reduces the false-positive error rate.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Vaccaro, H.S., Liepins, G.E.: Detection of anomalous computer session activity. In: Proceedings of IEEE Symposium on Research in Security and Privacy, pp. 280–289 (1989)
Google Scholar
Price, K.E.: Host-based misuse detection and conventional operating system’s audit data collection. M.S. Dissertaion, Purdue University, Purdue, IN (December 1997)
Google Scholar
Lane, T., Brodley, C.E.: An application of machine learning to anomaly detection. In: Proceedings of the National Information Systems Security Conference, pp. 366-380, Washington, DC (October 1997)
Google Scholar
Lane, T., Brodley, C.E.: Temporal sequence learning and data reduction for anomaly detection. In: Proceedings of the Fifth ACM Conference on Computer and Communications Security, pp. 150–158 (1997)
Google Scholar
Ghosh, K., Schwartzbard, A., Schatz, M.: Learning program behavior profiles for intrusion detection. In: Proceedings of Workshop on Intrusion Detection and Network Monitoring, Santa Clara, USA, April 1999, pp. 51–62 (1999)
Google Scholar
Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusion using calls: Alternative data models. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 133–145 (May 1999)
Google Scholar
Yeung, D.Y., Ding, Y.: Host-based intrusion detection using dynamic and static behavioral models. The Journal of the Pattern Recognition society (December 2001)
Google Scholar
Rabiner, L.R.: A tutorial on hidden Markov models and selected applications in speech recognition. Proceedings of the IEEE 77(2), 257–286 (1989)
Article Google Scholar
Rabiner, L.R., Juang, B.H.: An introduction to hidden Markov models. IEEE ASSP Magazine, 4–16 (January 1986)
Google Scholar
Kuperman, B.A., Spafford, E.H.: Generation of application level audit data via library interposition. CERIAS TR 99-11, COAST Laboratory, Purdue University, West Lafaytte, IN (October 1998)
Google Scholar
Kohonen, T.: Self-Organizing Maps. Springer press, Heidelberg (1995)
Google Scholar
Mukkamala, S., Sung, A.H., Abraham, A.: Intrusion Detection Using Ensemble of Soft Computing Paradigms. In: Third International Conference on Intelligent Systems Design and Applications, Intelligent Systems Design and Applications, Advances in Soft Computing, pp. 239–248. Springer Verlag, Germany (2003)
Google Scholar
Didaci, L., Giacinto, G., Roli, F.: Ensemble Learning for Intrusion Detection in Computer Networks. In: Proceedings of the Workshop on Machine Learning, Methods and Applications, held in the context of the 8th Meeting of the Italian Association of Artificial Intelligence (AI*IA), September 2002, pp. 10–13 (2002)
Google Scholar
Choy, J.H., Cho, S.B.: Anomaly detection of computer usage using artificial intelligence techniques. In: Kowalczyk, R., Loke, S.W., Reed, N.E., Graham, G. (eds.) PRICAI-WS 2000. LNCS (LNAI), vol. 2112, pp. 31–43. Springer, Heidelberg (2001)
Chapter Google Scholar

Download references

Author information

Authors and Affiliations

Dept. of Computer Science, Yonsei University, 134 Shinchon-dong, Sudaemoon-ku, Seoul, 120-749, Korea
Sung-Bae Cho & Sang-Jun Han

Authors

Sung-Bae Cho
View author publications
You can also search for this author in PubMed Google Scholar
Sang-Jun Han
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Department of Computer Science, University of California Santa Barbara, 93106-5110, Santa Barbara, CA, USA
Giovanni Vigna
Secure Systems Lab, Technical University of Vienna, 1040, Vienna, Austria
Christopher Kruegel
Department of Computer Science and Engineering, Chalmers University of Technology, SE-412 96, Göteborg, Sweden
Erland Jonsson

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Cho, SB., Han, SJ. (2003). Two Sophisticated Techniques to Improve HMM-Based Intrusion Detection Systems. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_12

Download citation

DOI: https://doi.org/10.1007/978-3-540-45248-5_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40878-9
Online ISBN: 978-3-540-45248-5
eBook Packages: Springer Book Archive

Publish with us

Policies and ethics