Efficient anomaly detection by modeling privilege flows using hidden Markov model

Sung Bae Cho; Hyuk Jang Park

doi:10.1016/S0167-4048(03)00112-3

Efficient anomaly detection by modeling privilege flows using hidden Markov model

Sung Bae Cho, Hyuk Jang Park

College of Computing

Research output: Contribution to journal › Article › peer-review

125 Citations (Scopus)

Abstract

Anomaly detection techniques have been devised to address the limitations of misuse detection approaches for intrusion detection with the model of normal behaviors. A hidden Markov model (HMM) is a useful tool to model sequence information, an optimal modeling technique to minimize false-positive error while maximizing detection rate. In spite of high performance, however, it requires large amounts of time to model normal behaviors and determine intrusions, making it difficult to detect intrusions in real-time. This paper proposes an effective HMM-based intrusion detection system that improves the modeling time and performance by only considering the privilege transition flows based on the domain knowledge of attacks. Experimental results show that training with the proposed method is significantly faster than the conventional method trained with all data, without loss of detection performance.

Original language	English
Pages (from-to)	45-55
Number of pages	11
Journal	Computers and Security
Volume	22
Issue number	1
DOIs	https://doi.org/10.1016/S0167-4048(03)00112-3
Publication status	Published - 2003

Bibliographical note

Funding Information:
This paper was supported by a grant from the Ministry of Information and Communication in Korea.

All Science Journal Classification (ASJC) codes

Computer Science(all)
Law

Access to Document

10.1016/S0167-4048(03)00112-3

Cite this

@article{98485228f95f4bab9e2ad132b51609dd,

title = "Efficient anomaly detection by modeling privilege flows using hidden Markov model",

abstract = "Anomaly detection techniques have been devised to address the limitations of misuse detection approaches for intrusion detection with the model of normal behaviors. A hidden Markov model (HMM) is a useful tool to model sequence information, an optimal modeling technique to minimize false-positive error while maximizing detection rate. In spite of high performance, however, it requires large amounts of time to model normal behaviors and determine intrusions, making it difficult to detect intrusions in real-time. This paper proposes an effective HMM-based intrusion detection system that improves the modeling time and performance by only considering the privilege transition flows based on the domain knowledge of attacks. Experimental results show that training with the proposed method is significantly faster than the conventional method trained with all data, without loss of detection performance.",

author = "Cho, {Sung Bae} and Park, {Hyuk Jang}",

note = "Funding Information: This paper was supported by a grant from the Ministry of Information and Communication in Korea. ",

year = "2003",

doi = "10.1016/S0167-4048(03)00112-3",

language = "English",

volume = "22",

pages = "45--55",

journal = "Computers and Security",

issn = "0167-4048",

publisher = "Elsevier Limited",

number = "1",

}

TY - JOUR

T1 - Efficient anomaly detection by modeling privilege flows using hidden Markov model

AU - Cho, Sung Bae

AU - Park, Hyuk Jang

N1 - Funding Information: This paper was supported by a grant from the Ministry of Information and Communication in Korea.

PY - 2003

Y1 - 2003

N2 - Anomaly detection techniques have been devised to address the limitations of misuse detection approaches for intrusion detection with the model of normal behaviors. A hidden Markov model (HMM) is a useful tool to model sequence information, an optimal modeling technique to minimize false-positive error while maximizing detection rate. In spite of high performance, however, it requires large amounts of time to model normal behaviors and determine intrusions, making it difficult to detect intrusions in real-time. This paper proposes an effective HMM-based intrusion detection system that improves the modeling time and performance by only considering the privilege transition flows based on the domain knowledge of attacks. Experimental results show that training with the proposed method is significantly faster than the conventional method trained with all data, without loss of detection performance.

AB - Anomaly detection techniques have been devised to address the limitations of misuse detection approaches for intrusion detection with the model of normal behaviors. A hidden Markov model (HMM) is a useful tool to model sequence information, an optimal modeling technique to minimize false-positive error while maximizing detection rate. In spite of high performance, however, it requires large amounts of time to model normal behaviors and determine intrusions, making it difficult to detect intrusions in real-time. This paper proposes an effective HMM-based intrusion detection system that improves the modeling time and performance by only considering the privilege transition flows based on the domain knowledge of attacks. Experimental results show that training with the proposed method is significantly faster than the conventional method trained with all data, without loss of detection performance.

UR - http://www.scopus.com/inward/record.url?scp=0037282635&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0037282635&partnerID=8YFLogxK

U2 - 10.1016/S0167-4048(03)00112-3

DO - 10.1016/S0167-4048(03)00112-3

M3 - Article

AN - SCOPUS:0037282635

SN - 0167-4048

VL - 22

SP - 45

EP - 55

JO - Computers and Security

JF - Computers and Security

IS - 1

ER -

Efficient anomaly detection by modeling privilege flows using hidden Markov model

Abstract

Bibliographical note

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this