An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls

Hoang, X and Hu, J 2004, 'An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls', in H. K. Pung and F. Lee (ed.) Proceedings of the 12th IEEE International Conference on Networks (ICON 2004), Singapore, 16-19 November 2004, pp. 470-474.


Document type: Conference Paper
Collection: Conference Papers

Attached file: n2004000537.pdf (published version, application/pdf, 341.36KB)

Title: An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls
Author(s): Hoang, X; Hu, J
Year: 2004
Conference name: International Conference on Networks
Conference location: Singapore
Conference dates: 16-19 November 2004
Proceedings title: Proceedings of the 12th IEEE International Conference on Networks (ICON 2004)
Editor(s): H. K. Pung; F. Lee
Publisher: IEEE
Place of publication: Piscataway, USA
Start page: 470
End page: 474
Total pages: 5
Abstract: Recently the hidden Markov model (HMM) has been shown to be a good tool for modelling the normal behaviour of privileged processes for anomaly intrusion detection based on system calls. However, one major problem with this approach is that it demands excessive computing resources in the HMM training process, which makes it impractical for real intrusion detection systems. In this paper a simple and efficient HMM training scheme is proposed through the integration of multiple-observation training and incremental HMM training. The proposed scheme first divides the long observation sequence into multiple subsets of sequences. Each subset is then used to infer one sub-model, and that sub-model is incrementally merged into the final HMM. Our experimental results show that our HMM training scheme can reduce the training time by about 60% compared to conventional batch training. The results also show that our HMM-based detection model is able to detect all denial-of-service attacks embedded in the testing traces.
Subjects: Computer Communications Networks
Keyword(s): data analysis; intrusion detection; system calls
DOI: 10.1109/ICON.2004.1409210
Copyright notice: © 2004 IEEE
ISBN: 0-7803-8783-X