Detection and Classification of Network Intrusions using Hidden Markov Models
Svetlana Radosavac and John S. Baras
Number: CSHCN TR 2003-6, Year: 2003, Advisor: John S. Baras
This paper demonstrates that it is possible to model attacks with a low number of states and classify them using Hidden Markov Models with a very low false alarm rate and very few false negatives. We also show that the models developed can be used for both detection and classification. We put emphasis on detection and classification of network intrusions and attacks using Hidden Markov Models and training on anomalous sequences. We test several algorithms, apply different rules for classification and evaluate their relative performance. Several of the attack examples presented exploit buffer overflow vulnerabilities, due to the availability of data for such attacks. We emphasize that the purpose of our algorithms is not only the detection and classification of buffer overflows; they are designed for detecting and classifying a broad range of attacks.
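The abstract describes training small HMMs on anomalous sequences and then using the models both to detect an intrusion and to classify it. The Python below is an added illustration written for this page; it is not the report's code and does not reproduce its data. It assumes the observations are symbolic event sequences over a small alphabet (constructed here from seeded Markov-chain profiles, not real traffic), trains a two-state discrete HMM per class with Baum-Welch, and decides by maximum per-symbol log-likelihood, raising an alert only when an attack model beats the "normal" model by a margin. The function names (`baum_welch`, `classify`, `train_models`, `evaluate`), the `PROFILES` table and the two-state choice are all assumptions.

```python
import math
import random

N_SYMBOLS = 4   # assumed alphabet size for the event codes (constructed example)
PSEUDO = 1e-3   # additive smoothing so an unseen symbol never gets probability 0


def forward(seq, pi, A, B):
    """Scaled forward pass; returns (alpha_hat, scales, log P(seq | model))."""
    n = len(pi)
    alpha, scales = [], []
    a = [pi[i] * B[i][seq[0]] for i in range(n)]
    for t in range(len(seq)):
        if t > 0:
            a = [sum(alpha[-1][i] * A[i][j] for i in range(n)) * B[j][seq[t]]
                 for j in range(n)]
        c = sum(a) or 1e-300            # guard only; smoothing keeps c > 0
        alpha.append([x / c for x in a])
        scales.append(c)
    return alpha, scales, sum(math.log(c) for c in scales)


def backward(seq, A, B, scales):
    """Backward pass using the forward scales, so alpha*beta is proportional to gamma."""
    n, T = len(A), len(seq)
    beta = [[0.0] * n for _ in range(T)]
    beta[T - 1] = [1.0 / scales[T - 1]] * n
    for t in range(T - 2, -1, -1):
        for i in range(n):
            beta[t][i] = sum(A[i][j] * B[j][seq[t + 1]] * beta[t + 1][j]
                             for j in range(n)) / scales[t]
    return beta


def baum_welch(seqs, n_states, n_symbols=N_SYMBOLS, iters=30, seed=0):
    """Train one discrete HMM (pi, A, B) on a set of sequences by EM."""
    rng = random.Random(seed)

    def rand_row(k):
        r = [rng.random() + 0.5 for _ in range(k)]
        s = sum(r)
        return [x / s for x in r]

    pi = rand_row(n_states)
    A = [rand_row(n_states) for _ in range(n_states)]
    B = [rand_row(n_symbols) for _ in range(n_states)]
    for _ in range(iters):
        pi_acc = [0.0] * n_states
        A_num = [[0.0] * n_states for _ in range(n_states)]
        A_den = [0.0] * n_states
        B_num = [[0.0] * n_symbols for _ in range(n_states)]
        B_den = [0.0] * n_states
        for seq in seqs:                 # E-step: accumulate expected counts
            alpha, scales, _ = forward(seq, pi, A, B)
            beta = backward(seq, A, B, scales)
            T = len(seq)
            for t in range(T):
                g = [alpha[t][i] * beta[t][i] for i in range(n_states)]
                z = sum(g)
                g = [x / z for x in g]   # gamma_t(i) = P(state_t = i | seq)
                for i in range(n_states):
                    if t == 0:
                        pi_acc[i] += g[i]
                    B_num[i][seq[t]] += g[i]
                    B_den[i] += g[i]
                    if t < T - 1:
                        A_den[i] += g[i]
                        for j in range(n_states):  # xi_t(i,j); the scaling already normalises it
                            A_num[i][j] += alpha[t][i] * A[i][j] * B[j][seq[t + 1]] * beta[t + 1][j]
        pi = [x / len(seqs) for x in pi_acc]        # M-step: re-estimate parameters
        A = [[(A_num[i][j] + PSEUDO) / (A_den[i] + n_states * PSEUDO)
              for j in range(n_states)] for i in range(n_states)]
        B = [[(B_num[i][k] + PSEUDO) / (B_den[i] + n_symbols * PSEUDO)
              for k in range(n_symbols)] for i in range(n_states)]
    return pi, A, B


def score(seq, model):
    """Per-symbol log-likelihood, so sequences of different lengths are comparable."""
    pi, A, B = model
    return forward(seq, pi, A, B)[2] / len(seq)


def classify(seq, models, margin=0.0):
    """Detection and classification in one step: return the best-scoring label,
    unless no attack model beats the 'normal' model by more than `margin` nats/symbol."""
    scores = {label: score(seq, m) for label, m in models.items()}
    best = max(scores, key=scores.get)
    if best != "normal" and scores[best] - scores["normal"] > margin:
        return best, scores
    return "normal", scores


# Constructed generating profiles (row = next-symbol distribution given the current symbol).
# They stand in for real traces; nothing here is the report's data.
PROFILES = {
    "normal":   [[.5, .3, .15, .05], [.3, .5, .15, .05], [.4, .4, .15, .05], [.4, .4, .2, 0]],
    "attack_a": [[.1, .1, .8, 0], [.1, .1, .8, 0], [.05, .05, .6, .3], [.1, .1, .1, .7]],
    "attack_b": [[.1, .4, 0, .5], [0, .1, 0, .9], [.25, .25, .25, .25], [0, .7, 0, .3]],
}


def make_sequences(profile, count, length, seed):
    """Sample `count` constructed event sequences of the given length from a profile."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        s = rng.randrange(N_SYMBOLS)
        seq = [s]
        for _ in range(length - 1):
            s = rng.choices(range(N_SYMBOLS), weights=profile[s])[0]
            seq.append(s)
        out.append(seq)
    return out


def train_models(n_states=2, per_class=20, length=40):
    """One small HMM per class, each trained only on that class's own sequences."""
    return {label: baum_welch(make_sequences(prof, per_class, length, seed=i), n_states)
            for i, (label, prof) in enumerate(PROFILES.items())}


def evaluate(models, per_class=10, length=40, seed=99):
    """Accuracy on held-out sequences drawn from the same constructed profiles."""
    hits = total = 0
    for i, (label, prof) in enumerate(PROFILES.items()):
        for seq in make_sequences(prof, per_class, length, seed + i):
            hits += classify(seq, models)[0] == label
            total += 1
    return hits / total


if __name__ == "__main__":
    models = train_models()
    print("held-out accuracy:", evaluate(models))
    print(classify([2, 2, 2, 2, 3, 3, 3, 3, 3, 2, 2, 2, 3, 3, 3], models)[0])
```

Two states per model are enough here because the constructed classes differ strongly in their symbol statistics; the `margin` argument is the knob that trades false alarms against false negatives, and on real traces it would be set from the score distribution of held-out normal sequences rather than left at zero.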