Title :
Intrusion detection using fuzzy window Markov model
Author :
Xu, Zhoujun ; Sun, Jizhou ; Li, Wenjie
Author_Institution :
Dept. of Comput. Sci. & Technol., Tianjin Univ., China
Abstract :
Because a computer system's audit is a series of system commands or events, which we call states, a very natural method of detecting intrusion is to use a Markov model to calculate the anomaly of the audit series. Some researchers have done work based on stationary Markov theory. Stationary Markov theory, however, has the shortcoming of an incorrect assumption, which can directly affect the effectiveness of intrusion detection, because "noise" can often change the state series. To solve this problem, a window Markov (WM) model is proposed. In the WM model, the next state of time t does not depend on the state of time t+1 but on the states in a time window of [t+1, t+m]. In the WM model, it is not reasonable to give every state in the window an equal evaluation as the next state of time t, so we create a fuzzy window Markov (FWM) model. In the FWM model, the states in the time window have different fuzzy evaluation values that indicate the probability of being the next state of time t. To test our FWM model, we carried out an experiment based on the datasets collected at UNM by Forrest. Results show that the FWM model can work effectively.
Keywords :
Markov processes; auditing; authorisation; computer network management; fuzzy set theory; telecommunication security; UNM; audit series anomaly; computer systems audit; fuzzy window Markov model; intrusion detection; Computer science; Event detection; Information security; Information technology; Intrusion detection; Libraries; Operating systems; Sun; System testing;
Conference_Title :
Electrical and Computer Engineering, 2004. Canadian Conference on
Print_ISBN :
0-7803-8253-6
DOI :
10.1109/CCECE.2004.1345195