A novel hidden Markov model for detecting complicate network attacks

Shi, Zhicai; Xia, Yongxiang

doi:10.1109/wcins.2010.5541790

Cited by 7 publications

(2 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…[6] present an intrusion detection system where based on system calls, Zihui et al [7] is based on a set of data of system calls, Zeng et al [13] worked on reduction of a set of observations, Li et al. [14] used a fuzzy approach, Lee et al [20] perform Intrusion detection based on mobile agents, Zhicai et al [10] present an approach based on the discrete steps of the attacker or malware, and Khanna et al [22] work used functions of multigaussian mixture on sequences of observation. -HMMs used on Anomaly Deteccion Systems.…”

Section: Hmms Applied To Anomaly Detectionmentioning

confidence: 99%

Network anomaly detection by continuous hidden markov models: An evolutionary programming approach

Flores

Calderón

Antolino

et al. 2015

IDA

View full text Add to dashboard Cite

Information security is an important and growing need. The most common schemes used for detection systems include pattern-or signature-based and anomaly-based. Anomaly-based schemes use a set of metrics, which outline the normal system behavior and any significant deviation from the established profile will be treated as an anomaly. This paper contributes with an anomaly-based scheme that monitors the bandwidth consumption of a subnetwork, at the Universidad Michoacana, in Mexico. A normal behavior model is based on bandwidth consumption of the subnetwork. The presence of an anomaly indicates that something is misusing the network (viruses, worms, denial of service, or any other kind of attack). This work also presents a scheme for an automatic architecture design and parameters optimization of Hidden Markov Models (HMMs), based on Evolutionary Programming (EP). The variables to be used by the HMMs are: the bandwidth consumption of network (IN and OUT), and the associated time where the network activity occurs. The system was tested with univariate and bivariate observation sequences to analyze and detect anomaly behavior. The HMMs, designed and trained by EP, were compared against semi-random HMMs trained by the Baum-Welch algorithm. On a second experiment, the HMMs, designed and trained by EP, were compared against HMMs created by an expert user. The HMMs outperformed the other methods in all cases. Finally, we made the HMMs time-aware, by including time as another variable. This inclusion made the HMMs capable of detecting activity patterns that are normal during a period of time but anomalous at other times. For instance, a heavy load on the network may be completely normal during working times, but anomalous at nights or weekends.speech and gesture recognition, as well as applications to anomaly detection. In an HMM, the estimation of good model parameters affects the performance of the recognition or detection processes [3]. The HMM parameters can be determined during an iterative process called "training". The Baum-Welch algorithm [4] is one method applied in setting an HMM's parameters, but this method has a drawback: being a gradient-based method, it may converge to a local optimum.Global search techniques can be used to optimize an HMM's parameters. Genetic Algorithms (GA) and Evolutionary Programming (EP) are global optimization techniques that can be used to optimize an HMM's parameters [3]. Studies of using GA to train HMMs are relatively rare, particularly in comparison with the large literature on applying GA to neural network training [2].In the study presented in this paper we want to know (given certain events or behaviors of the study objects), what is expected or what can be anticipated as output. That is, we are interested in studying the behavior of a set of random variables over time, working with stochastic processes. In other words, given the behavior of a computer network, the problem is to automatically develop an HMM capable of discerning between normal and anomalous behavior. This tas...

show abstract

Section: Hmms Applied To Anomaly Detectionmentioning

confidence: 99%

Network anomaly detection by continuous hidden markov models: An evolutionary programming approach

Flores

Calderón

Antolino

et al. 2015

IDA

View full text Add to dashboard Cite

show abstract

“…This system use a network monitor distributing in sharing network to detect and filter packets, and the network monitor is using distributed network intrusion detection system [3][4] to detect message. In order to give an accurately alarm to attack messages, and try to reduce error rate, use misuse detection system, its principle is that matching the messages with the known attack signature, so can reduce false rate, but the shortcoming of this method is that is can do nothing to the new attack.…”

Section: The Traccback Attack Of System Modelmentioning

confidence: 99%

Research on Attack Source Traceback

Wei

2013

AMM

View full text Add to dashboard Cite

The existing methods of attack traceback still have many defects, such as input debugging method requires the professional intervention; ICMP traceback message takes up the network bandwidth resources and so on, so a new collaborative network is picked up, based on ant source of ideological attack tracking method. This method is mainly used strategy from ICMP traceback message, that is, data packet attacked is backed-up on the network monitor, and then the scope of the query path information is reduced using the ant colony algorithm, enabling rapid construction of the attack path. Experiments show that the method improves the query speed of tracking information and the accuracy of positioning the source attack.

show abstract

A systematic review on intrusion detection based on the Hidden Markov Model

Ramaki

Rasoolzadegan

Jafari

2018

Statistical Analysis

View full text Add to dashboard Cite

Apart from using traditional security solutions in software systems such as firewalls and access control mechanisms, utilizing intrusion detection systems are also necessary. Intrusion detection is a process in which a set of methods are used to detect malicious activities against the victims. Many techniques for detecting potential intrusions in software systems have already been introduced. One of the most important techniques for intrusion detection based on machine learning is using Hidden Markov Models (HMM). In recent decades, many research communities have been working toward HMM-based intrusion detection. Therefore, a large volume of research works has been published and hence, various research areas have emerged in this field. However, until now, there has been no systematic and up-to-date review of research works within the field. This paper aims to survey the research in this field and provide open problems and challenges based on the analysis of advantages, limitations, types of architectural models, and applications of current techniques. Six various architecture models for intrusion detection purposes are proposed in the literature. We compare these models based on performance criteria in order to select an appropriate type for a specific application. The results show that HMM-based intrusion detection techniques have 6 main advantages-precise intrusion detection, ability to detect new and unknown intrusions, prediction of the intruder's potential next steps, usage in real-time applications by processing data streams on-the-fly, usage of heterogeneous data sources as input, and visual representation of acquired knowledge relative to the other techniques of machine learning. KEYWORDSHidden Markov Model, intrusion detection, intrusion detection system, statistical learning, system and network security

show abstract

A novel hidden Markov model for detecting complicate network attacks

Cited by 7 publications

References 6 publications

Network anomaly detection by continuous hidden markov models: An evolutionary programming approach

Network anomaly detection by continuous hidden markov models: An evolutionary programming approach

Research on Attack Source Traceback

A systematic review on intrusion detection based on the Hidden Markov Model

Contact Info

Product

Resources

About