一种基于隐马尔可夫模型的IDS异常检测新方法

提出一种新的基于隐马尔可夫模型的异常检测方法,主要用于以shell命令或系统调用为原始数据的IDS。此方法对用户(或程序)行为建立特殊的隐马尔可夫模型,根据行为模式所对应的序列长度对其进行分类,将行为模式类型同隐马尔可夫模型的状态联系在一起,并引入一个附加状态。由于模型中各状态对应的观测值集合互不相交,模型训练中采用了运算量较小的的序列匹配方法,与传统的Baum-Welch算法相比,大大减小了训练时间。根据模型中状态的实际含义,采用了基于状态序列出现概率的判决准则。利用UNIX平台上用户shell命令数据进行的实验表明,此方法具有很高的检测准确性,其可操作性也优于同类方法。

A New Anomaly Detection Method Based on Hidden Markov Models for IDS

A new anomaly detection method based on hidden Markov models is presented for Intrusion Detection Systems with shell commands or system calls as input data. The method constructs specific hidden Markov models to represent the behavior profiles of users or programs, and associates the classes of behavior patterns with the states of the models. Because the aggregates of observed values corresponding to different states are disjoint, the parameters of the models can be calculated by a sequence matching algorithm which is much simpler than the classical Baum-Welch algorithm. This reduces the computational complexity to a great extent. A decision rule based on the probabilities of short state sequences is adopted while the particularity of the model states is taken into account. The performance of the method is tested by computer simulation with UNIX users' shell command data. The results show it maintains higher detection accuracy and practicability than other alternative approaches.