
HMMs for Anomaly Intrusion Detection


Abstract

Anomaly intrusion detection focuses on modeling normal behaviors and identifying significant deviations, which could be novel attacks. The existing techniques in that domain were analyzed, and then an effective anomaly detection method based on HMMs (Hidden Markov Models) was proposed to learn patterns of Unix processes. Fixed-length sequences of system calls were extracted from traces of programs to train and test models. Both temporal orderings and parameters of system calls were taken into consideration in this method. The RP (Relative Probability) value, which used short sequences as inputs, was computed to classify normal and abnormal behaviors. The algorithm is simple and can be directly applied. Experiments on sendmail and lpr traces demonstrate that the method can construct an accurate and concise discriminator to detect intrusive actions.
