Modeling program behaviors by hidden markov models for intrusion detection

Wei Wang*, Xiao Hong Guan, Xiang Liang Zhang

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

41 Scopus citations

Abstract

Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on Hidden Markov Models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.
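
The two-threshold decision the abstract describes, as an added sketch that is not the paper's code: each sliding window of system calls is scored with the HMM forward algorithm, windows below a sequence threshold count as mismatches, and the trace is flagged when the mismatch ratio exceeds a trace threshold. The four-call alphabet, the hand-set model parameters (the paper trains its model on normal traces), the window length, both thresholds and the two traces are constructed assumptions.

```python
import math

SYSCALLS = ["open", "read", "write", "close"]  # constructed 4-symbol alphabet
N = len(SYSCALLS)
# Hand-set "normal" model (assumption; the paper trains its HMM on normal traces).
# Hidden state i mostly emits SYSCALLS[i] and mostly moves on to state i+1.
PI = [1.0 / N] * N
A = [[0.85 if j == (i + 1) % N else 0.05 for j in range(N)] for i in range(N)]
B = [[0.91 if k == i else 0.03 for k in range(N)] for i in range(N)]


def log_likelihood(window):
    """Forward algorithm: log P(window | normal model)."""
    if any(s not in SYSCALLS for s in window):
        return float("-inf")  # a call never seen in training cannot match
    obs = [SYSCALLS.index(s) for s in window]
    alpha = [PI[i] * B[i][obs[0]] for i in range(N)]
    for o in obs[1:]:
        alpha = [sum(alpha[i] * A[i][j] for i in range(N)) * B[j][o]
                 for j in range(N)]
    # Short windows need no scaling; long ones would need log-space arithmetic.
    return math.log(sum(alpha))


def mismatch_ratio(trace, win=4, seq_threshold=math.log(0.01)):
    """Fraction of sliding windows scoring below the sequence threshold."""
    windows = [trace[i:i + win] for i in range(len(trace) - win + 1)]
    mismatches = sum(log_likelihood(w) < seq_threshold for w in windows)
    return mismatches / len(windows)


def is_possible_intrusion(trace, trace_threshold=0.2):
    """Second threshold: flag the whole trace on its mismatch ratio."""
    return mismatch_ratio(trace) > trace_threshold


# Constructed traces: a regular call cycle, and one that switches to reverse order.
NORMAL = ["open", "read", "write", "close"] * 5
SUSPECT = (["open", "read", "write", "close"] * 2
           + ["close", "write", "read", "open"] * 3)

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, round(mismatch_ratio(trace), 3), is_possible_intrusion(trace))
```

The sequence threshold trades missed deviations against false mismatches, and the trace threshold keeps a few isolated low-probability windows from flagging an otherwise normal process.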

Original language: English (US)
Title of host publication: Proceedings of 2004 International Conference on Machine Learning and Cybernetics
Pages: 2830-2835
Number of pages: 6
State: Published - Nov 2 2004
Event: Proceedings of 2004 International Conference on Machine Learning and Cybernetics - Shanghai, China
Duration: Aug 26 2004 to Aug 29 2004

Publication series

Name: Proceedings of 2004 International Conference on Machine Learning and Cybernetics
Volume: 5

Other

Other: Proceedings of 2004 International Conference on Machine Learning and Cybernetics
Country: China
City: Shanghai
Period: 08/26/04 to 08/29/04

Keywords

  • Anomaly detection
  • Computer security
  • Hidden markov models (HMMs)
  • Intrusion detection
  • Pattern recognition
  • Program behaviors
  • System call

ASJC Scopus subject areas

  • Engineering(all)
