HMMPayl: An intrusion detection system based on Hidden Markov Models

Ariu, Davide; Tronci, Roberto; Giacinto, Giorgio

doi:10.1016/j.cose.2010.12.004

Cited by 116 publications

(91 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Anomaly detection mechanisms employ a model of legitimate network traffic (Xie and Yu 2009)-and treat unlikely traffic patterns as attacks. For Fraction of all connections of all clients that specified HTTP header field Content-Type as any text variant the detection of SQL-injection, cross-site-scripting (XSS), and PHP file-inclusion (L/RFI), traffic can be modeled based on HTTP header and query string information using HMMs (Ariu et al 2011), n-gram models (Wressnegger et al 2013), general kernels (Düssel et al 2008), or other models (Robertson and Maggi 2010). Anomaly-detection mechanisms were investigated, from centroid anomaly-detection models (Kloft and Laskov 2012) to setting hard thresholds on the likelihood of new HTTP requests given the model, to unsupervised learning of support-vector data description (SVDD) models (Düssel et al 2008, Görnitz et al 2013.…”

Section: Discussion and Related Workmentioning

confidence: 99%

Learning to control a structured-prediction decoder for detection of HTTP-layer DDoS attackers

Dick

Scheffer

2016

Mach Learn

View full text Add to dashboard Cite

We focus on the problem of detecting clients that attempt to exhaust server resources by flooding a service with protocol-compliant HTTP requests. Attacks are usually coordinated by an entity that controls many clients. Modeling the application as a structuredprediction problem allows the prediction model to jointly classify a multitude of clients based on their cohesion of otherwise inconspicuous features. Since the resulting output space is too vast to search exhaustively, we employ greedy search and techniques in which a parametric controller guides the search. We apply a known method that sequentially learns the controller and the structured-prediction model. We then derive an online policy-gradient method that finds the parameters of the controller and of the structured-prediction model in a joint optimization problem; we obtain a convergence guarantee for the latter method. We evaluate and compare the various methods based on a large collection of traffic data of a web-hosting service.

show abstract

Section: Discussion and Related Workmentioning

confidence: 99%

Learning to control a structured-prediction decoder for detection of HTTP-layer DDoS attackers

Dick

Scheffer

2016

Mach Learn

View full text Add to dashboard Cite

show abstract

“…HMM can also be used in network security. Ariu [8] proposed a novel solution where the HTTP payload is analyzed using hidden Markov model. The proposed system, named HMMPayl, had high classification accuracy and was very effective on most common attacks of the Web application.…”

Section: Introductionmentioning

confidence: 99%

Network Attack Classification and Recognition Using HMM and Improved Evidence Theory

Luo¹,

Wen²,

Xiang³

2016

ijacsa

View full text Add to dashboard Cite

Abstract-In this paper, a decision model of fusion classification based on HMM-DS is proposed, and the training and recognition methods of the model are given. As the pure HMM classifier can't have an ideal balance between each model with a strong ability to identify its target and the maximum difference between models. So in this paper, the results of HMM are integrated into the DS framework, and HMM provides state probabilities for DS. The output of each hidden Markov model is used as a body of evidence. The improved evidence theory method is proposed to fuse the results and encounter drawbacks of the pure HMM for improving classification accuracy of the system. We compare our approach with the traditional evidence theory method, other representative improved DS methods, pure HMM method and common classification methods. The experimental results show that our proposed method has a significant practical effect in improving the training process of network attack classification with high accuracy.

show abstract

“…Several approaches have been proposed so far to compute the model from network data [15]. Statistic-based approaches [16] define the normal model as the probabilities of appearance of certain patterns in the training data, using thresholds and basic statistical operators such as the standard deviation, mean, covariance, etc. Heuristic-based approaches automatically generate the model of normal behavior using different approaches such as machine learning algorithms [4], evolutionary systems [17] or other artificial intelligence methods [18].…”

Section: Anomaly-based Nidsmentioning

confidence: 99%

Randomized Anagram revisited

Pastrana

Orfila

Tapiador

et al. 2014

Journal of Network and Computer Applications

View full text Add to dashboard Cite

When compared to signature-based Intrusion Detection Systems (IDS), anomaly detectors present the potential advantage of detecting previously unseen attacks, which makes them an attractive solution against zero-day exploits and other attacks for which a signature is unavailable. Most anomaly detectors rely on machine learning algorithms to derive a model of normality that is later used to detect suspicious events. Such algorithms, however, are generally susceptible to evasion by means of carefully constructed attacks that are not recognized as anomalous. Different strategies to thwart evasion have been proposed over the last years, including the use of randomization to make somewhat uncertain how each packet will be processed. In this paper we analyze the strength of the randomization strategy suggested for Anagram, a well-known anomaly detector based on n-gram models. We show that an adversary who can interact with the system for a short period of time with inputs of his choosing will be able to recover the secret mask used to process packets. We describe and discuss an efficient algorithm to do this and report our experiences with a prototype implementation. Furthermore, we show that the specific form of randomization suggested for Anagram is a double-edged sword, as knowledge of the mask makes evasion easier than in the non-randomized case. We finally discuss a simple countermeasure to prevent our attacks.

show abstract

HMMPayl: An intrusion detection system based on Hidden Markov Models

Cited by 116 publications

References 39 publications

Learning to control a structured-prediction decoder for detection of HTTP-layer DDoS attackers

Learning to control a structured-prediction decoder for detection of HTTP-layer DDoS attackers

Network Attack Classification and Recognition Using HMM and Improved Evidence Theory

Randomized Anagram revisited

Contact Info

Product

Resources

About