John S. Baras


Detection and Classification of Network Intrusions using Hidden Markov Models

Svetlana Radosavac and John S. Baras

Number: CSHCN TR 2003-6, Year: 2003, Advisor: John S. Baras



This paper demonstrates that it is possible to model attacks with a low number of states and classify them using Hidden Markov Models with very low False Alarm rate and very few False Negatives. We also show that the models developed can be used for both detection and classification. We put emphasis on detection and classification of network intrusions and attacks using Hidden Markov Models and training on anomalous sequences. We test several algorithms, apply different rules for classification and evaluate the relative performance of these. Several of the attack examples presented exploit buffer overflow vulnerabilities, due to availability of data for such attacks. We emphasize that the purpose of our algorithms is not only the detection and classification of buffer overflows; they are designed for detecting and classifying a broad range of attacks.
