Modeling program behaviors by hidden Markov models for intrusion detection

@inproceedings{citeulike:363237, abstract = {Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.}, author = {Wang, Wei and Guan, Xiao H. and Zhang, Xiang L. }, citeulike-article-id = {365134}, journal = {Machine Learning and Cybernetics, 2004. Proceedings of 2004 International Conference on}, keywords = {intrusion\_detection, markov}, posted-at = {2005-10-26 05:16:10}, priority = {2}, title = {Modeling program behaviors by hidden Markov models for intrusion detection}, url = {http://ieeexplore.ieee.org/xpls/abs\_all.jsp?arnumber=1378514}, volume = {5}, year = {2004} }

TY - CONF ID - citeulike:363237 L3 - citeulike-article-id:365134 N2 - Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods. JF - Machine Learning and Cybernetics, 2004. Proceedings of 2004 International Conference on TI - Modeling program behaviors by hidden Markov models for intrusion detection VL - 5 KW - intrusion_detection KW - markov AU - Wang, Wei AU - Guan, Xiao AU - Zhang, Xiang PY - 2004/// UR - http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1378514 ER -