Detection and Classification of Network Intrusions using Hidden Markov Models

Loading...
Thumbnail Image

Files

TR_2003-6.pdf (251.64 KB)
No. of downloads: 591

Publication or External Link

Date

2003

Citation

DRUM DOI

Abstract

This paper demonstrates that it is possible to model attacks witha low number of states and classify them using Hidden MarkovModels with very low False Alarm rate and very few FalseNegatives. We also show that the models developed can be used forboth detection and classification. We put emphasis on detectionand classification of network intrusions and attacks using HiddenMarkov Models and training on anomalous sequences. We test severalalgorithms, apply different rules for classification and evaluatethe relative performance of these. Several of the attack examplespresented exploit buffer overflow vulnerabilities, due toavailability of data for such attacks. We emphasize that thepurpose of our algorithms is not only the detection andclassification of buffer overflows; they are designed fordetecting and classifying a broad range of attacks.

Notes

Rights