An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls

Hoang, Xuan Dau; Hu, Jiankun

doi:10.1109/icon.2004.1409210

Cited by 59 publications

(34 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Based on our previous work [3,4,11], this article proposes an efficient HMM training scheme for system-call-based anomaly intrusion detection. The rest of this article is organized as follows.…”

Section: A Simple and Efficient Hidden Markovmentioning

confidence: 99%

“…Based on our previous works [3,11], a simple and efficient HMM anomaly intrusion algorithm is proposed as follows.…”

Section: A Simple and Efficient Hmm Training Schemementioning

confidence: 99%

“…In practice, it is normally more than three times the size of the sub-HMM model. Next, find the maximum number of subsequences that are similar (i.e., each pair's correlation index is above the preset correlation threshold) by adjusting the parameter R. Then each subsequence is used to train a submodel, and the trained submodel is incrementally merged into the final model using the weighting average algorithm proposed in our prior work [3]. Compared with Davis et al's method [13], this approach incrementally merges the submodel into the final model rather than merging all submodels after they have been completely trained.…”

Section: A Simple and Efficient Hmm Training Schemementioning

confidence: 99%

“…The sendmail program is sufficiently complex for testing [3,11]. We use traces that contain syslogd intrusion as testing data.…”

Section: Experiments Experiments Setupmentioning

confidence: 99%

“…The performance metric is the false positive rate, defined as [11] where FP is the number of false positives and TN is the number of true negatives. Three different datasets shown in Table 1 are used for the test [3,11] …”

Section: Experiments Experiments Setupmentioning

confidence: 99%

See 4 more Smart Citations

A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection

Qiu³

et al. 2009

IEEE Network

151

View full text Add to dashboard Cite

ntrusion detection has now been widely accepted as an essential component in a decent security system. This is due to the fact that the task of preventing all attacks is impossible. Intrusion detection can detect malicious attacks that have penetrated preventative mechanisms such as firewalls, which can help provide damage assessment, response, deterrence, and prosecution support.Denning's pioneering work [1] has established the most fundamental principle that the majority of intrusion detection systems (IDSs) have followed. The principle is a hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage. It is suggested that profiles are used to represent the behavior of subjects using statistical measures. IDSs can have several different classifications. An IDS can be classified as an HIDS (host-based IDS) and NIDS (network-based IDS) in terms of the target the IDS protects. Also, an IDS can be classified into misuse intrusion detection and anomaly intrusion detection according to whether the features of an intrusion are known or unknown in advance. The misuse IDS retrieves attacks' signatures and establishes a database for the collection. During the detection process, the IDS will retrieve a subject signature and search a match against the established signature database.An intrusion alert is triggered once a match is found. Such a mechanism is very effective in detecting a priori known attacks, but performs unsatisfactorily in detecting unknown attacks. Anomaly IDSs are promising in detecting unknown attacks. Based on Denning's principle, an anomaly IDS first builds a system's normal behavior profile and then compares operational system behavior against the nominal profile. If a significant deviation is found, an intrusion alert is triggered.While Denning's intrusion detection model is a host-based IDS, extensive research activities have been shifted to network-based IDSs. There are several factors behind this, summarized as follows: • Networking factor: With the rapid proliferation of Internet technology, overwhelming computing applications are network based. Many security problems are introduced from this environment such as denial of service (DoS) attacks and other security loopholes related to networking protocols.• Real-time and computing resource restraints: Ideally, intrusion can be detected as soon as it happens in order to minimize the potential damage. However, audit data collection and processing for detecting intrusion involve large amounts of computing resources. Therefore, a dedicated hardware and software IDS component is required to perform the task efficiently. Normally, a network-based IDS deduces intrusion from analyzing network packets. It is very effective in detecting DoS attempts originating outside the network. The majority AbstractExtensive research activities have been observed on network-based intrusion detection systems (IDSs). However, there are always some attacks that penetrate trafficprofiling-based network IDS...

show abstract

Section: A Simple and Efficient Hidden Markovmentioning

confidence: 99%

“…Based on our previous works [3,11], a simple and efficient HMM anomaly intrusion algorithm is proposed as follows.…”

Section: A Simple and Efficient Hmm Training Schemementioning

confidence: 99%

Section: A Simple and Efficient Hmm Training Schemementioning

confidence: 99%

“…The sendmail program is sufficiently complex for testing [3,11]. We use traces that contain syslogd intrusion as testing data.…”

Section: Experiments Experiments Setupmentioning

confidence: 99%

Section: Experiments Experiments Setupmentioning

confidence: 99%

See 3 more Smart Citations

A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection

Qiu³

et al. 2009

IEEE Network

151

View full text Add to dashboard Cite

show abstract

SUDMAD: Sequential and unsupervised decomposition of a multi‐author document based on a hidden markov model

Aldebei

Jia

et al. 2017

Asso for Info Science & Tech

View full text Add to dashboard Cite

Decomposing a document written by more than one author into sentences based on authorship is of great significance due to the increasing demand for plagiarism detection, forensic analysis, civil law (i.e., disputed copyright issues), and intelligence issues that involve disputed anonymous documents. Among existing studies for document decomposition, some were limited by specific languages, according to topics or restricted to a document of two authors, and their accuracies have big room for improvement. In this paper, we consider the contextual correlation hidden among sentences and propose an algorithm for Sequential and Unsupervised Decomposition of a Multi‐Author Document (SUDMAD) written in any language, disregarding topics, through the construction of a Hidden Markov Model (HMM) reflecting the authors' writing styles. To build and learn such a model, an unsupervised, statistical approach is first proposed to estimate the initial values of HMM parameters of a preliminary model, which does not require the availability of any information of author's or document's context other than how many authors contributed to writing the document. To further boost the performance of this approach, a boosted HMM learning procedure is proposed next, where the initial classification results are used to create labeled training data to learn a more accurate HMM. Moreover, the contextual relationship among sentences is further utilized to refine the classification results. Our proposed approach is empirically evaluated on three benchmark datasets that are widely used for authorship analysis of documents. Comparisons with recent state‐of‐the‐art approaches are also presented to demonstrate the significance of our new ideas and the superior performance of our approach.

show abstract

Detection of repackaged mobile applications through a collaborative approach

Aldini

Martinelli

Saracino

et al. 2014

Concurrency and Computation

View full text Add to dashboard Cite

Repackaged applications are based on genuine applications, but they subtlety include some modifications. In particular, trojanized applications are one of the most dangerous threats for smartphones. Malware code may be hidden inside applications to access private data or to leak user credit. In this paper, we propose a contract-based approach to detect such repackaged applications, where a contract specifies the set of legal actions that can be performed by an application. Current methods to generate contracts lack information from real usage scenarios, thus being inaccurate and too coarse-grained. This may result either in generating too many false positives or in missing misbehaviors when verifying the compliance between the application and the contract. In the proposed framework, application contracts are generated dynamically by a central server merging execution traces collected and shared continuously by collaborative users executing the application. More precisely, quantitative information extracted from execution traces is used to define a contract describing the expected application behavior, which is deployed to the cooperating users. Then, every user can use the received contract to check whether the related application is either genuine or repackaged. Such a verification is based on an enforcement mechanism that monitors the application execution at run-time and compares it against the contract through statistical tests

show abstract

An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls

Cited by 59 publications

References 9 publications

A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection

A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection

SUDMAD: Sequential and unsupervised decomposition of a multi‐author document based on a hidden markov model

Detection of repackaged mobile applications through a collaborative approach

Contact Info

Product

Resources

About