36th Annual Hawaii International Conference on System Sciences, 2003. Proceedings of the (2003)
Big Island, Hawaii
Jan. 6, 2003 to Jan. 9, 2003
Dirk Ourston , University of Texas at Austin
Sara Matzner , University of Texas at Austin
William Stump , University of Texas at Austin
Bryan Hopkins , University of Texas at Austin
This paper describes a novel approach using Hidden Markov Models (HMM) to detect complex Internet attacks. These attacks consist of several steps that may occur over an extended period of time. Within each step, specific actions may be interchangeable. A perpetrator may deliberately use a choice of actions within a step to mask the intrusion. In other cases, alternate action sequences may be random (due to noise) or because of lack of experience on the part of the perpetrator. For an intrusion detection system to be effective against complex Internet attacks, it must be capable of dealing with the ambiguities described above. We describe research results concerning the use of HMMs as a defense against complex Internet attacks. We describe why HMMs are particularly useful when there is an order to the actions constituting the attack (that is, for the case where one action must precede or follow another action in order to be effective). Because of this property, we show that HMMs are well suited to address the multi-step attack problem. In a direct comparison with two other classic machine learning techniques, decision trees and neural nets, we show that HMMs perform generally better than decision trees and substantially better than neural networks in detecting these complex intrusions.
Coordinated Internet attacks, Hidden Markov Models, rare data, noise, multi-stage network intrusions, partial data
D. Ourston, S. Matzner, W. Stump and B. Hopkins, "Applications of Hidden Markov Models to Detecting Multi-Stage Network Attacks," 36th Annual Hawaii International Conference on System Sciences, 2003. Proceedings of the(HICSS), Big Island, Hawaii, 2003, pp. 334b.