|
| This Article | ||
| | ||
| Share | ||
| Bibliographic References | ||
| Add to: | ||
 Digg  Furl  Spurl  Blink  Simpy  Google  Del.icio.us  Y!MyWeb | ||
| Search | ||
| ||
36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9
Big Island, Hawaii
January 06-January 09
ISBN: 0-7695-1874-5
| ASCII Text | x | ||
| Dirk Ourston, Sara Matzner, William Stump, Bryan Hopkins, "Applications of Hidden Markov Models to Detecting Multi-Stage Network Attacks," 2013 46th Hawaii International Conference on System Sciences, vol. 9, pp. 334b, 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9, 2003. | |||
| BibTex | x | ||
| @article{ 10.1109/HICSS.2003.1174909, author = {Dirk Ourston and Sara Matzner and William Stump and Bryan Hopkins}, title = {Applications of Hidden Markov Models to Detecting Multi-Stage Network Attacks}, journal ={2013 46th Hawaii International Conference on System Sciences}, volume = {9}, year = {2003}, isbn = {0-7695-1874-5}, pages = {334b}, doi = {http://doi.ieeecomputersociety.org/10.1109/HICSS.2003.1174909}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, } | |||
| RefWorks Procite/RefMan/Endnote | x | ||
| TY - CONF JO - 2013 46th Hawaii International Conference on System Sciences TI - Applications of Hidden Markov Models to Detecting Multi-Stage Network Attacks SN - 0-7695-1874-5 SP EP A1 - Dirk Ourston, A1 - Sara Matzner, A1 - William Stump, A1 - Bryan Hopkins, PY - 2003 KW - Coordinated Internet attacks KW - Hidden Markov Models KW - rare data KW - noise KW - multi-stage network intrusions KW - partial data VL - 9 JA - 2013 46th Hawaii International Conference on System Sciences ER - | |||
This paper describes a novel approach using Hidden Markov Models (HMM) to detect complex Internet attacks. These attacks consist of several steps that may occur over an extended period of time. Within each step, specific actions may be interchangeable. A perpetrator may deliberately use a choice of actions within a step to mask the intrusion. In other cases, alternate action sequences may be random (due to noise) or because of lack of experience on the part of the perpetrator. For an intrusion detection system to be effective against complex Internet attacks, it must be capable of dealing with the ambiguities described above. We describe research results concerning the use of HMMs as a defense against complex Internet attacks. We describe why HMMs are particularly useful when there is an order to the actions constituting the attack (that is, for the case where one action must precede or follow another action in order to be effective). Because of this property, we show that HMMs are well suited to address the multi-step attack problem. In a direct comparison with two other classic machine learning techniques, decision trees and neural nets, we show that HMMs perform generally better than decision trees and substantially better than neural networks in detecting these complex intrusions.
Index Terms:
Coordinated Internet attacks, Hidden Markov Models, rare data, noise, multi-stage network intrusions, partial data
Citation:
Dirk Ourston, Sara Matzner, William Stump, Bryan Hopkins, "Applications of Hidden Markov Models to Detecting Multi-Stage Network Attacks," hicss, vol. 9, pp.334b, 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9, 2003
Usage of this product signifies your acceptance of the Terms of Use.