Investigating hidden markov models capabilities in anomaly detection

Shrijit S. Joshi, Vir V. Phoha

Research output: Chapter in Book/Entry/Poem › Conference contribution

60 Scopus citations

Abstract

Hidden Markov Model (HMM) based applications are common in various areas, but the incorporation of HMMs for anomaly detection is still in its infancy. This paper aims at classifying TCP network traffic as attack or normal using an HMM. The paper's main objective is to build an anomaly detection system, a predictive model capable of discriminating between normal and abnormal behavior of network traffic. In the training phase, special attention is given to the initialization and model selection issues, which makes the training phase particularly effective. For training the HMM, 12.195% of the total features (5 features out of 41 features) present in the KDD Cup 1999 data set are used. Results of tests on the KDD Cup 1999 data set show that the proposed system is able to classify network traffic in proportion to the number of features used for training the HMM. We are extending our work on a larger data set for building an anomaly detection system.

Original language: English (US)
Title of host publication: Proceedings of the 43rd Annual Association for Computing Machinery Southeast Conference, ACMSE '05
Pages: 198-1103
Number of pages: 906
State: Published - 2005
Externally published: Yes
Event: 43rd Annual Association for Computing Machinery Southeast Conference, ACMSE '05 - Kennesaw, GA, United States
Duration: Mar 18 2005 → Mar 20 2005

Publication series

Name: Proceedings of the Annual Southeast Conference
Volume: 1

Other

Other: 43rd Annual Association for Computing Machinery Southeast Conference, ACMSE '05
Country/Territory: United States
City: Kennesaw, GA
Period: 3/18/05 → 3/20/05

Keywords

  • Anomaly detection system
  • Hidden markov models

ASJC Scopus subject areas

  • General Computer Science
