RMIT University Research Repository
 

An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls

Hoang, X and Hu, J 2004, 'An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls', in H. K. Pung and F. Lee (ed.) Proceedings of the 12th IEEE International Conference on Networks (ICON 2004), Singapore, 16-19 November 2004, pp. 470-474.

Document type: Conference Paper
Collection: Conference Papers
Attached Files
Name Description MIMEType Size Downloads
n2004000537.pdf Published version application/pdf 341.36KB 140

Title An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls
Author(s) Hoang, X
Hu, J
Year 2004
Conference name International Conference on Networks
Conference location Singapore
Conference dates 16-19 November 2004
Proceedings title Proceedings of the 12th IEEE International Conference on Networks (ICON 2004)
Editor(s) H. K. Pung
F. Lee
Publisher IEEE
Place of publication Piscataway, USA
Start page 470
End page 474
Total pages 5
Abstract Recently hidden Markov model (HMM) has been proved to be a good tool to model normal behaviours of privileged processes for anomaly intrusion detection based on system calls. However, one major problem with this approach is that it demands excessive computing resources in the HMM training process, which makes it inefficient for practical intrusion detection systems. In this paper a simple and efficient HMM training scheme is proposed by the innovative integration of multiple-observations training and incremental HMM training. The proposed scheme first divides the long observation sequence into multiple subsets of sequences. Next each subset of data is used to infer one sub-model, and then this sub-model is incrementally merged into the final HMM model. Our experimental results show that our HMM training scheme can reduce the training time by about 60% compared to that of the conventional batch training. The results also show that our HMM-based detection model is able to detect all denial-of-service attacks embedded in testing traces.
Subjects Computer Communications Networks
Keyword(s) data analysis
intrusion detection
system calls
Copyright notice © 2004 IEEE
ISBN 0-7803-8783-X
 
Created: Wed, 08 Apr 2009, 09:42:32 EST by Catalyst Administrator