Efficient anomaly detection by modeling privilege flows using hidden Markov model

Sung-Bae Cho, Hyuk Jang Park

Research output: Contribution to journal (Article)

110 Citations (Scopus)

Abstract

Anomaly detection techniques have been devised to address the limitations of misuse detection approaches to intrusion detection by modeling normal behaviors. A hidden Markov model (HMM) is a useful tool for modeling sequence information and an optimal modeling technique for minimizing false-positive errors while maximizing the detection rate. Despite its high performance, however, it requires a large amount of time to model normal behaviors and determine intrusions, making real-time intrusion detection difficult. This paper proposes an effective HMM-based intrusion detection system that improves modeling time and performance by considering only the privilege transition flows, based on domain knowledge of attacks. Experimental results show that training with the proposed method is significantly faster than the conventional method trained on all data, without loss of detection performance.

Original language: English
Pages (from-to): 45-55
Number of pages: 11
Journal: Computers and Security
Volume: 22
Issue number: 1
DOI: 10.1016/S0167-4048(03)00112-3
Publication status: Published - 2003 Jan 1

All Science Journal Classification (ASJC) codes

  • Computer Science(all)
  • Law

Cite this

@article{98485228f95f4bab9e2ad132b51609dd,
title = "Efficient anomaly detection by modeling privilege flows using hidden Markov model",
author = "Cho, Sung-Bae and Park, {Hyuk Jang}",
year = "2003",
month = "1",
day = "1",
doi = "10.1016/S0167-4048(03)00112-3",
language = "English",
volume = "22",
pages = "45--55",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Limited",
number = "1",

}

Efficient anomaly detection by modeling privilege flows using hidden Markov model. / Cho, Sung-Bae; Park, Hyuk Jang.

In: Computers and Security, Vol. 22, No. 1, 01.01.2003, p. 45-55.

Research output: Contribution to journal (Article)

TY - JOUR

T1 - Efficient anomaly detection by modeling privilege flows using hidden Markov model

AU - Cho, Sung-Bae

AU - Park, Hyuk Jang

PY - 2003/1/1

Y1 - 2003/1/1

UR - http://www.scopus.com/inward/record.url?scp=0037282635&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0037282635&partnerID=8YFLogxK

U2 - 10.1016/S0167-4048(03)00112-3

DO - 10.1016/S0167-4048(03)00112-3

M3 - Article

AN - SCOPUS:0037282635

VL - 22

SP - 45

EP - 55

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

IS - 1

ER -