Sensing Attacks in Computers Networks with Hidden Markov Models

  • Davide Ariu
  • Giorgio Giacinto
  • Roberto Perdisci
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4571)


In this work, we propose an Intrusion Detection model for computer newtorks based on Hidden Markov Models. While stateful techniques are widely used to detect intrusion at the operating system level, by tracing the sequences of system calls, this issue has been rarely researched for the analysis of network traffic. The proposed model aims at detecting intrusions by analysing the sequences of commands that flow between hosts in a network for a particular service (e.g., an ftp session). First the system must be trained in order to learn the typical sequences of commands related to innocuous connections. Then, intrusion detection is performed by indentifying anomalous sequences. To harden the proposed system, we propose some techniques to combine HMM. Reported results attained on the traffic acquired from a European ISP shows the effectiveness of the proposed approach.


False Alarm Hide Markov Model False Alarm Rate Intrusion Detection Decision Threshold 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Axelsson, S.: The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection. In: Proc. of RAID (May 1999)Google Scholar
  2. 2.
    Baum, L.E., Petrie, T., Soules, G., Weiss, N.: A maximization technique occurring in the statistical analysis of probabilistic functions of Markov chains. Ann. Math. Statist. 41(1), 164–171 (1970)zbMATHCrossRefMathSciNetGoogle Scholar
  3. 3.
    Bicego, M., Murino, V., Figueiredo, M.: Similarity-Based Clustering of Sequences Using Hidden Markov Models. In: Perner, P., Rosenfeld, A. (eds.) MLDM 2003. LNCS, vol. 2734, pp. 86–95. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  4. 4.
    Cho, S., Han, S.: Two sophisticated techniques to improve HMM-based intrusion detection systems. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 207–219. Springer, Heidelberg (2003)Google Scholar
  5. 5.
    Debar, H., Becker, M., Siboni, D.: A Neural Network Component for an Intrusion Detection System. In: Proc. of the IEEE Computer Society, Symposium on Research in Security and Privacy (1992)Google Scholar
  6. 6.
    Denning, D.E.: An Intrusion Detection Model. IEEE Trans. Software Eng. SE-13(2), 222–232 (1987)CrossRefGoogle Scholar
  7. 7.
    Dietrich, C., Schwenker, F., Palm, G.: Classification of Time Series Utilizing Temporal and Decision Fusion. In: Kittler, J., Roli, F. (eds.) MCS 2001. LNCS, vol. 2096, pp. 378–387. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  8. 8.
    Dietterich, T.: Ensemble Methods in Machine Learning. In: Kittler, J., Roli, F. (eds.) MCS 2000. LNCS, vol. 1857, pp. 1–15. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  9. 9.
    Duda, R.O., Hart, P.E., Stork, D.G.: Pattern Classification. Wiley-Interscience, Chichester (2000)Google Scholar
  10. 10.
    Feng, H.H., Kolesnikov, O.M., Fogla, P., Lee, W., Gong, W.: Anomaly detection using call stack information. In: Proceedings of the 2003 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos (2003)Google Scholar
  11. 11.
    Gao, F., Sun, J., Wei, Z.: The prediction role of Hidden Markov Model in Intrusion Detection. In: Proc. of IEEE CCECE 2003, vol. 2, pp. 893–896 (May 2003)Google Scholar
  12. 12.
    Gao, D., Reiter, M., Song, D.: Behavioral Distance Measurement Using Hidden Markov Models. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 19–40. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  13. 13.
    Giacinto, G., Roli, F., Didaci, L.: Fusion of multiple classifiers for intrusion in computer networks. Pattern Recognition Letters 24(12), 1795–1803 (2003)CrossRefGoogle Scholar
  14. 14.
    Hashem, M.: Network Based Hidden Markov Models Intrusion Detection Systems. IJICIS, 6(1) (2006)Google Scholar
  15. 15.
    Hoang, X.D., Hu, J.: An Efficient Hidden Markov Model Training Scheme for Anomaly Intrusion Detection of Server Applications Based on System Calls. In: Proc. of 12th IEEE Conference on Networks, 2004, vol. 2, pp. 470–474 (2004)Google Scholar
  16. 16.
    Kuncheva, L., Bezdek, J.C., Duin, R.P.W.: Decision Templates for Multiple Classifier Fusion. Pattern Recognition 34(2), 299–314 (2001)zbMATHCrossRefGoogle Scholar
  17. 17.
    Kuncheva, L.: Combining Pattern Classifiers: Methods and Algorithms. Wiley, Chichester (2004)zbMATHGoogle Scholar
  18. 18.
    Mc Hugh, J., Christie, A., Allen, J.: Defending yourself: The role of Intrusion Detection Systems. IEEE Software 42–51 (September/October 2000)Google Scholar
  19. 19.
    Fogla, P., Sharif, M., Perdisci, R., Kolesnikov, O.M., Lee, W.: Polymorphic Blending Attack. In: USENIX Security Symposium (2006)Google Scholar
  20. 20.
    Proctor, P.E.: Pratical Intrusion Detection Handbook. Prentice-Hall, Englewood Cliffs (2001)Google Scholar
  21. 21.
    Qiao, Y., Xin, X.W., Bin, Y., Ge, S.: Anomaly Intrusion Detection Method Based on HMM. Electronic Letters 38(13) (June 2002)Google Scholar
  22. 22.
    Rabiner, L.R.: A tutorial on Hidden Markov Models and selected applications in speech recognition. Proc. of IEEE 77(2), 257–286 (1989)CrossRefGoogle Scholar
  23. 23.
    Roesch, M.: Snort - Lightweight Intrusion Detection for Networks. In: Proc. of the 13th USENIX conference on System Administration, LISA ’99Google Scholar
  24. 24.
    Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: alternative data models. In: Proc. of the IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos (1999)Google Scholar
  25. 25.
    Zhang, X., Fan, P., Zhu, Z.: A New Anomaly Detection Method Based on Hierarchical HMM. In: Proceedings of the 4th PDCAT conference (2003)Google Scholar
  26. 26.

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Davide Ariu
    • 1
  • Giorgio Giacinto
    • 1
  • Roberto Perdisci
    • 1
  1. 1.Department of Electrical and Electronic Engineering, University of Cagliari, Piazza d’Armi, 09123 CagliariItaly

Personalised recommendations