
Performance Improvement of Intrusion Detection System based on Hidden Markov Model through Privilege Flows Modeling

박혁장 (Department of Computer Science, Yonsei University)
조성배 (Department of Computer Science, Yonsei University)
Abstract
Anomaly detection techniques have been devised to address the limitations of the misuse detection approach to intrusion detection. An HMM is a useful tool for modeling sequence information whose generation mechanism is not observable, and it is an optimal modeling technique for minimizing false-positive error and maximizing detection rate. However, HMMs have the shortcoming of long training time. This paper proposes an effective HMM-based IDS that improves modeling time and performance by considering only the events of privilege flows, based on domain knowledge of attacks. Experimental results show that training with the proposed method is significantly faster than the conventional method trained on all data, with no loss of recognition performance.
Keywords
Intrusion Detection System; Anomaly Detection; Hidden Markov Model; Privilege Change; Audit Data Reflection
Times Cited by KSCI: 1