Detection and Classification of Network Intrusions using Hidden Markov Models

MS_2003-1.pdf (711.12 KB)

With the increased use of networked computers for critical systems, network security is attracting increasing attention and computer network intrusions have become a significant threat to communication and computer networks in recent years.

The models developed in this thesis represent the first step in modelling of network attacks. The thesis demonstrates that models that represent network attacks can be developed and used for both detection and classification. In this thesis we put emphasis on detection and classification of network intrusions and attacks using Hidden Markov Models and training on anomalous sequences. We test several algorithms, apply different rules for classification and evaluate the relative performance of these. We put emphasis on one particular classification algorithm that is not dependent on data set properties. Several of the attack examples presented exploit buffer overflow vulnerabilities, due to availability of data for such attacks. We demonstrate that models for other attacks can be built following our methods, but these could not be tested due to lack of data.

The new method proposed in this thesis is highly efficient and captures characteristic features of attacks in a short period of time using a very low number of sequences.