Conference: Association for Computing Machinery SIGKDD workshop on cybersecurity and intelligence informatics

Combining Incremental Hidden Markov Model and Adaboost Algorithm for Anomaly Intrusion Detection


Abstract

The traditional Hidden Markov Model (HMM) has been successfully applied to anomaly intrusion detection. Incremental HMM (IHMM) further improves the training time of HMM. However, both HMM and IHMM still suffer from a high false positive rate. In this paper, we propose Adaboost-IHMM, which combines IHMM and Adaboost for anomaly intrusion detection. Because Adaboost first uses many IHMMs to collectively classify samples and then decides the samples' classifications, Adaboost-IHMM can improve classification accuracy. Experimental results with Stide datasets show that the proposed method can significantly improve the false positive rate by 70% without decreasing the detection rate. In addition, we propose a method to adjust the normal profile to avoid erroneous detection caused by changes in normal behavior. We perform experiments with realistic datasets extracted from the use of popular browsers. Compared with the traditional HMM method, our method can improve the training time by 90% to build a new normal profile.