This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9
Big Island, Hawaii
January 06-January 09
ISBN: 0-7695-1874-5
Dirk Ourston, University of Texas at Austin
Sara Matzner, University of Texas at Austin
William Stump, University of Texas at Austin
Bryan Hopkins, University of Texas at Austin
This paper describes a novel approach using Hidden Markov Models (HMM) to detect complex Internet attacks. These attacks consist of several steps that may occur over an extended period of time. Within each step, specific actions may be interchangeable. A perpetrator may deliberately use a choice of actions within a step to mask the intrusion. In other cases, alternate action sequences may be random (due to noise) or because of lack of experience on the part of the perpetrator. For an intrusion detection system to be effective against complex Internet attacks, it must be capable of dealing with the ambiguities described above. We describe research results concerning the use of HMMs as a defense against complex Internet attacks. We describe why HMMs are particularly useful when there is an order to the actions constituting the attack (that is, for the case where one action must precede or follow another action in order to be effective). Because of this property, we show that HMMs are well suited to address the multi-step attack problem. In a direct comparison with two other classic machine learning techniques, decision trees and neural nets, we show that HMMs perform generally better than decision trees and substantially better than neural networks in detecting these complex intrusions.
Index Terms:
Coordinated Internet attacks, Hidden Markov Models, rare data, noise, multi-stage network intrusions, partial data
Citation:
Dirk Ourston, Sara Matzner, William Stump, Bryan Hopkins, "Applications of Hidden Markov Models to Detecting Multi-Stage Network Attacks," hicss, vol. 9, pp.334b, 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9, 2003
Usage of this product signifies your acceptance of the Terms of Use.