DocumentCode :
2380541
Title :
An improved Hidden Markov Model for anomaly detection using frequent common patterns
Author :
Sultana, Afroza ; Hamou-Lhadj, Abdelwahab ; Couture, Mario
fYear :
2012
fDate :
10-15 June 2012
Firstpage :
1113
Lastpage :
1117
Abstract :
Host-based intrusion detection techniques are needed to ensure the safety and security of software systems, especially if these systems handle sensitive data. Most host-based intrusion detection systems involve building some sort of reference models offline, usually from execution traces (in the absence of the source code), to characterize the system's healthy behavior. The models can later be used as a baseline for online detection of abnormal behavior. Perhaps the most popular techniques are the ones based on the use of Hidden Markov Models (HMM). These techniques, however, require long training times for the models, which makes them computationally infeasible, the main reason being the large size of typical traces. In this paper, we propose an improved HMM using the concept of frequent common patterns. In other words, we build models based on extracting the largest n-grams (patterns) in the traces instead of taking each trace event on its own. We show through a case study that our approach can reduce the training time by 31.96%-48.44% compared to the original HMM algorithms while keeping almost the same accuracy rate.
Keywords :
hidden Markov models; security of data; HMM algorithms; execution traces; frequent common patterns; host-based intrusion detection techniques; improved hidden Markov model; n-grams; online detection; reference models; software system safety; software system security; system healthy behavior; Accuracy; Algorithm design and analysis; Data models; Hidden Markov models; Intrusion detection; Training; Behavioral modeling; HMM; Host-based Anomaly Detection Systems; N-gram extraction algorithm;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Communications (ICC), 2012 IEEE International Conference on
Conference_Location :
Ottawa, ON
ISSN :
1550-3607
Print_ISBN :
978-1-4577-2052-9
Electronic_ISBN :
1550-3607
Type :
conf
DOI :
10.1109/ICC.2012.6364527
Filename :
6364527