HMMPayl: An intrusion detection system based on Hidden Markov Models

Computers and Security

Volumn 30, Issue 4, 2011, Pages 221-241

  Ariu, Davide ^a   Tronci, Roberto ^a   Giacinto, Giorgio ^a  

^a University of Cagliari Piazza d'Armi ^*  (Italy)

Author keywords

Anomaly detection; Hidden Markov Models; Multiple classifiers; Network intrusion detection; Payload analysis

Indexed keywords

ANOMALY DETECTION; CLASSIFICATION ACCURACY; COMPUTER SECURITY; DATA SETS; DETECTION RATES; EXPRESSIVE POWER; FALSE POSITIVE RATES; INTRUSION DETECTION SYSTEMS; KEY TOPICS; MULTIPLE CLASSIFIERS; MULTIPLE CLASSIFIERS SYSTEMS; NETWORK INTRUSION DETECTION; OPTIMAL CHOICE; PAYLOAD ANALYSIS; WEB APPLICATION; WEB SERVERS;

COMPUTATIONAL COMPLEXITY; FEATURE EXTRACTION; HIDDEN MARKOV MODELS; HTTP; OBJECT RECOGNITION; WORLD WIDE WEB;

INTRUSION DETECTION;

EID: 79955482186     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2010.12.004     Document Type: Article

References (51)

1. L. Baum, and J. Egon An inequality with applications to statistical estimation for probabilistic function of a Markov process and to a model for ecology Bulletin American Metereology Society 73 1967 360 363
2. L. Baum, and G. Sell Growth functions for transformations on manifolds Pacific Journal of Mathematics 27 2 1968 211 227
3. L. Baum, T. Petrie, G. Soules, and N. Weiss A maximization technique occurring in the statistical analysis of probabilistic functions of Markov chains The Annals of Mathematical Statistics 41 1 1970 164 171
4. B. Biggio, G. Fumera, and F. Roli Adversarial pattern classification using multiple classifiers and randomisation N. da Vitoria Lobo, T. Kasparis, F. Roli, JT.-Y. Kwok, M. Georgiopoulos, G.C. Anagnostopoulos, M. Loog, SSPR/SPR Lecture notes in computer science vol. 5342 2008 Springer 500 509
5. A. Biggio, G. Fumera, and F. Roli Multiple classifier systems for adversarial classification tasks J.A. Benediktsson, J. Kittler, F. Roli, MCS Lecture notes in computer science vol. 5519 2009 Springer 132 141
6. A.P. Bradley The use of the area under the roc curve in the evaluation of machine learning algorithms Pattern Recognition 30 7 1997 1145 1159 (Pubitemid 127406521)
7. Breach Security Inc ModSecurity: open source web application firewall November 2009 http://www.modsecurity.org
8. Breach Security Inc WebDefend November 2009 http://www.breach.com/ products/webdefend.html
9. S.-B. Cho, and S.-J. Han Two sophisticated techniques to improve HMM-based intrusion detection systems G. Vigna, E. Jonsson, C. Krügel, RAID Lecture notes in computer science vol. 2820 2003 Springer 207 219
10. Citrix Systems Inc Netscaler application firewall November 2009 http://www.citrix.com/English/PS2/products/product.asp?contentID=25636
11. I. Corona, D. Ariu, and G. Giacinto HMM-Web: a framework for the detection of attacks against web applications Communications ICC'09. IEEE international conference on, 2009 2009 1 6
12. I. Corona, G. Giacinto, C. Mazzariello, F. Roli, and C. Sansone Information fusion for computer security: state of the art and open issues Information Fusion 10 2009 274 284
13. A. Cortes, and M. Mohri Confidence intervals for the area under the roc curve Advances in neural information processing systems (NIPS 2004) vol. 17 2005 MIT Press
14. M. Damashek Gauging similarity with n-grams: language-independent categorization of text Science 267 5199 1995 843 848
15. T. Detristan, T. Ulenspiegel, Y. Malcom, and M. Underduk Polymorphic shellcode engine using spectrum analysis Phrack 2003 0x0b (0x3d)
16. T.G. Dietterich Ensemble methods in machine learning J. Kittler, F. Roli, Multiple classifier systems Lecture notes in computer science vol. 1857 2000 Springer 1 15
17. R. Duin The combining classifier: to train or not to train? Proceedings 16th international conference on pattern recognition, 2002 vol. 2 2002 765-770
18. R. Durbin, S. Eddy, A. Krogh, and G. Mitchison Biological sequence analysis 2006 Cambridge University Press
19. F5 Networks Inc BIG-IP application security manager November 2009 http://www.f5.com/products/big-ip/product-modules/application-security-manager. html
20. W. Fan, M. Miller, S. Stolfo, W. Lee, and P. Chan Using artificial anomalies to detect unknown and known network intrusions Knowledge and Information Systems 6 5 2004 507 527
21. P. Fogla, and W. Lee Evading network anomaly detection systems: formal reasoning and practical techniques CCS'06: Proceedings of the 13th ACM conference on computer and communications security 2006 ACM New York, NY, USA 59-68
22. D. Gao, M. Reiter, and D. Song Beyond output voting: detecting compromised replicas using HMM-based behavioral distance IEEE Transactions on Dependable and Secure Computing 6 2 2009 96 110
23. Ghmm: General Hidden Markov Model library, http://ghmm.org/.
24. S. Günter, and H. Bunke Optimizing the number of states, training iterations and gaussians in an hmm-based handwritten word recognizer Proceedings of the Seventh International Conference on Document analysis and recognition 2003 IEEE Computer Society 472
25. K.L. Ingham, and H. Inoue Comparing anomaly detection techniques for HTTP C. Krügel, R. Lippmann, A. Clark, RAID Lecture notes in computer science vol. 4637 2007 Springer 42 62
26. Internet Security Systems IBM-ISS, X-force 2009 trend and risk report Tech. rep. 2010 IBM Global Technology Services
27. A. Kolcz, and C.H. Teo Feature weighting for improved classifier robustness Sixth conference on email and anti-spam (CEAS) 2009 Mountain View, CA, USA
28. C. Kruegel, and G. Vigna Anomaly detection of web-based attacks CCS'03: Proceedings of the 10th ACM conference on computer and communications security 2003 ACM New York, NY, USA 251-261
29. C. Krügel, T. Toth, and E. Kirda Service specific anomaly detection for network intrusion detection SAC'02: proceedings of the 2002 ACM symposium on APPLIED computing 2002 ACM New York, NY, USA 201-208
30. L. Kuncheva Fuzzy classifier design Studies in fuzziness and soft computing vol. 49 2000 Springer-Verlag
31. L. Kuncheva Combining pattern classifiers 2004 Wiley
32. Libpcap: Network programming library, http://www.tcpdump.org.
33. R. Lippmann, J.W. Haines, D.J. Fried, J. Korba, and K. Das The 1999 darpa off-line intrusion detection evaluation Computer Networks 34 4 2000 579 595 [recent Advances in Intrusion Detection Systems]
34. F. Maggi, W.K. Robertson, C. Krügel, and G. Vigna Protecting a moving target: addressing web application concept drift E. Kirda, S. Jha, D. Balzarotti, RAID Lecture notes in computer Science vol. 5758 2009 Springer 21 40
35. M.V. Mahoney Network traffic anomaly detection based on packet bytes SAC'03: proceedings of the 2003 ACM symposium on applied computing 2003 ACM New York, NY, USA 346-350
36. L. MartinGarcia Programming with libpcap - sniffing the network from our own application Hakin9 Magazine February 2008 http://recursos.aldabaknocking. com/libpcapHakin9LuisMartinGarcia.pdf
37. J. Mason, S. Small, F. Monrose, and G. MacManus English shellcode CCS'09: proceedings of the 16th ACM conference on computer and communications security 2009 ACM New York, NY, USA 524-533
38. J. McHugh Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln laboratory ACM Transactions on Information and System Security 3 4 2000 262 294
39. R. Perdisci, G. Gu, and W. Lee Using an ensemble of one-class SVM classifiers to harden payload-based anomaly detection systems Data Mining ICDM'06. Sixth international conference on, 2006 2006 488 498 (Pubitemid 47485828)
40. R. Perdisci, D. Ariu, P. Fogla, G. Giacinto, and W. Lee Mcpad: a multiple classifier system for accurate payload-based anomaly detection Computer Networks 53 6 2009 864 881 [Special Issue on Traffic Classification and Its Applications to Modern Networks]
41. L. Rabiner A tutorial on Hidden Markov Models and selected applications in speech recognition Proceedings of the IEEE 77 2 1989 257 286
42. RFC 2616-Hypertext Transfer Protocol - HTTP/1.1, 1999.
43. R.N. Rodrigues, L.L. Ling, and V. Govindaraju Robustness of multimodal biometric fusion methods against spoof attacks Journal of Visual Language and Computing 20 3 2009 169 179
44. B. Sangster, T. O'Connor, T. Cook, R. Fanelli, E. Dean, and J. Adams Toward instrumenting network warfare competitions to generate labeled datasets Security's workshop on cyber security experimentation and test (CSET) 2009 USENIX
45. Y. Song, A.D. Keromytis, and S.J. Stolfo Spectrogram: a mixture-of-Markov-chains model for anomaly detection in web traffic NDSS 2009 The Internet Society
46. C.Y. Suen n-gram statistics for natural language understanding and text processing IEEE Transactions on Pattern Analysis and Machine Intelligence PAMI 1 2 1979 164 172
47. R. Tronci, G. Giacinto, and F. Roli Dynamic score selection for fusion of multiple biometric matchers R. Cucchiara, ICIAP, IEEE computer Society 2007 15 22
48. K. Wang, and S.J. Stolfo Anomalous payload-based network intrusion detection E. Jonsson, A. Valdes, M. Almgren, RAID Lecture Notes in Computer Science vol. 3224 2004 Springer 203 222 (Pubitemid 39741895)
49. K. Wang, G.F. Cretu, and S.J. Stolfo Anomalous payload-based worm detection and signature generation A. Valdes, D. Zamboni, RAID Lecture notes in computer science vol. 3858 2005 Springer 227 246 (Pubitemid 43973730)
50. K. Wang, J.J. Parekh, and S.J. Stolfo Anagram: a content anomaly detector resistant to mimicry attack D. Zamboni, C. Krügel, RAID Lecture notes in computer science vol. 4219 2006 Springer 226 248 (Pubitemid 44617855)
51. C. Warrender, S. Forrest, and B. Pearlmutter Detecting intrusions using system calls: alternative data models Security and Privacy Proceedings of the 1999 IEEE symposium on 1999 1999 133 145