
Sensing Attacks in Computers Networks with Hidden Markov Models

  • Conference paper
Machine Learning and Data Mining in Pattern Recognition (MLDM 2007)

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 4571)

Abstract

In this work, we propose an Intrusion Detection model for computer networks based on Hidden Markov Models (HMMs). While stateful techniques are widely used to detect intrusions at the operating-system level, by tracing sequences of system calls, this approach has rarely been explored for the analysis of network traffic. The proposed model aims at detecting intrusions by analysing the sequences of commands that flow between hosts in a network for a particular service (e.g., an FTP session). First, the system is trained to learn the typical sequences of commands found in innocuous connections. Then, intrusion detection is performed by identifying anomalous sequences. To harden the proposed system, we propose some techniques to combine HMMs. Results attained on traffic acquired from a European ISP show the effectiveness of the proposed approach.
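The abstract describes the pipeline but not its mechanics: train HMMs on command sequences from benign sessions of one service, score a new session by its likelihood under the models, and fuse several HMMs to make the detector harder to evade. The following is an added example written for this page; it is not the authors' code, and their ISP traffic, model sizes, fusion rule and threshold are not available here, so all of those are assumptions. The FTP sessions are constructed sample data, each HMM is trained with Baum-Welch (scaled forward-backward, pure Python), unseen commands map to a `<UNK>` symbol with a floored emission probability, the ensemble averages per-command log-likelihood across models of different state counts, and the alert threshold is a fixed margin below the lowest benign training score.

```python
import math
import random

# Constructed benign FTP command sequences used as training data. These are
# assumed sample sessions, not the ISP traffic analysed in the paper.
BENIGN_SESSIONS = [
    ["USER", "PASS", "SYST", "PWD", "TYPE", "PASV", "LIST", "CWD", "PASV", "RETR", "QUIT"],
    ["USER", "PASS", "SYST", "PWD", "TYPE", "PASV", "LIST", "QUIT"],
    ["USER", "PASS", "PWD", "CWD", "PASV", "LIST", "CWD", "PASV", "RETR", "QUIT"],
    ["USER", "PASS", "SYST", "TYPE", "PASV", "STOR", "PASV", "STOR", "QUIT"],
    ["USER", "PASS", "PWD", "TYPE", "PASV", "LIST", "PASV", "RETR", "PASV", "RETR", "QUIT"],
    ["USER", "PASS", "SYST", "PWD", "CWD", "TYPE", "PASV", "LIST", "QUIT"],
]
# Constructed anomalous session: repeated logins followed by commands that
# never occur in the benign set.
ANOMALOUS_SESSION = ["USER", "PASS", "USER", "PASS", "USER", "PASS",
                     "SITE", "CHMOD", "SITE", "DELE", "SITE"]


def _normalize(row):
    s = sum(row)
    return [x / s for x in row] if s > 0 else [1.0 / len(row)] * len(row)


class DiscreteHMM:
    """Discrete-emission HMM trained with Baum-Welch (scaled forward-backward)."""

    def __init__(self, n_states, vocab, seed):
        rng = random.Random(seed)
        self.N, self.vocab = n_states, {s: i for i, s in enumerate(vocab)}
        self.unk = self.vocab["<UNK>"]
        self.pi = _normalize([rng.random() + 0.1 for _ in range(n_states)])
        self.A = [_normalize([rng.random() + 0.1 for _ in range(n_states)]) for _ in range(n_states)]
        self.B = [_normalize([rng.random() + 0.1 for _ in vocab]) for _ in range(n_states)]

    def encode(self, seq):
        # Commands not seen during training map to <UNK>.
        return [self.vocab.get(s, self.unk) for s in seq]

    def forward(self, obs):
        """Scaled forward pass: each alpha[t] sums to 1 and log P(obs) = sum(log scales)."""
        alpha, scales = [], []
        for t, o in enumerate(obs):
            if t == 0:
                a = [self.pi[i] * self.B[i][o] for i in range(self.N)]
            else:
                a = [sum(alpha[-1][j] * self.A[j][i] for j in range(self.N)) * self.B[i][o]
                     for i in range(self.N)]
            c = sum(a) or 1e-300  # guard against an all-zero column
            alpha.append([x / c for x in a])
            scales.append(c)
        return alpha, scales

    def backward(self, obs, scales):
        T, N = len(obs), self.N
        beta = [[1.0] * N for _ in range(T)]
        for t in range(T - 2, -1, -1):
            for i in range(N):
                beta[t][i] = sum(self.A[i][j] * self.B[j][obs[t + 1]] * beta[t + 1][j]
                                 for j in range(N)) / scales[t + 1]
        return beta

    def log_likelihood(self, seq):
        return sum(math.log(c) for c in self.forward(self.encode(seq))[1])

    def fit(self, sequences, iters=20, floor=1e-4):
        data = [self.encode(s) for s in sequences]
        N, M = self.N, len(self.vocab)
        for _ in range(iters):
            pi_acc, A_acc = [0.0] * N, [[0.0] * N for _ in range(N)]
            B_acc = [[0.0] * M for _ in range(N)]
            for obs in data:
                alpha, scales = self.forward(obs)
                beta = self.backward(obs, scales)
                for t, o in enumerate(obs):
                    for i in range(N):
                        gamma = alpha[t][i] * beta[t][i]  # P(state i at time t | obs)
                        if t == 0:
                            pi_acc[i] += gamma
                        B_acc[i][o] += gamma
                        if t + 1 < len(obs):
                            for j in range(N):
                                A_acc[i][j] += (alpha[t][i] * self.A[i][j] * self.B[j][obs[t + 1]]
                                                * beta[t + 1][j] / scales[t + 1])
            self.pi = _normalize(pi_acc)
            self.A = [_normalize(r) for r in A_acc]
            # Floor emission probabilities so an unseen command (<UNK>) costs a
            # large but finite log-likelihood instead of -inf.
            self.B = [_normalize([max(p, floor) for p in _normalize(r)]) for r in B_acc]
        return self


class HMMEnsemble:
    """HMMs with different state counts and seeds, fused by averaging per-command
    log-likelihood. The fusion rule and threshold policy are assumptions."""

    def __init__(self, sequences, state_counts=(2, 3, 4), seed=0, margin=1.0):
        vocab = sorted({c for s in sequences for c in s}) + ["<UNK>"]
        self.models = [DiscreteHMM(n, vocab, seed + k).fit(sequences)
                       for k, n in enumerate(state_counts)]
        # Assumed policy: alert a fixed margin below the worst benign training score.
        self.threshold = min(self.score(s) for s in sequences) - margin

    def score(self, seq):
        # Normalise by length so short and long sessions are comparable.
        return sum(m.log_likelihood(seq) for m in self.models) / (len(self.models) * len(seq))

    def is_anomalous(self, seq):
        return self.score(seq) < self.threshold


if __name__ == "__main__":
    ids = HMMEnsemble(BENIGN_SESSIONS)
    for name, s in [("benign", BENIGN_SESSIONS[0]), ("anomalous", ANOMALOUS_SESSION)]:
        print(f"{name}: score={ids.score(s):.2f} threshold={ids.threshold:.2f} "
              f"alert={ids.is_anomalous(s)}")
```

Two points a practitioner should carry over from the toy: the per-command normalisation and the emission floor are what keep the score usable, since without the floor any command absent from training drives the likelihood to minus infinity, and without normalisation a long benign session scores lower than a short attack. The threshold here is set from the training data alone; a deployment needs to pick it against the false-alarm rate it can tolerate, because benign sessions vastly outnumber attacks.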





Editor information

Petra Perner


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ariu, D., Giacinto, G., Perdisci, R. (2007). Sensing Attacks in Computers Networks with Hidden Markov Models. In: Perner, P. (eds) Machine Learning and Data Mining in Pattern Recognition. MLDM 2007. Lecture Notes in Computer Science(), vol 4571. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73499-4_34


  • DOI: https://doi.org/10.1007/978-3-540-73499-4_34

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-73498-7

  • Online ISBN: 978-3-540-73499-4

  • eBook Packages: Computer Science (R0)
