A Hybrid High-order Markov Chain Model for Computer Intrusion Detection (1999)

Abstract:

A hybrid model based mostly on a high-order Markov chain and occasionally on an independence model is proposed for profiling the command sequence of a computer user in order to identify a "signature behavior" for that user. Based on the model, an estimation procedure for such a signature behavior driven by Maximum Likelihood (ML) considerations is devised. The formal ML estimates are numerically intractable, but the ML-optimization problem can be substituted by a linear inverse problem with positivity constraints (LININPOS), for which the EM algorithm can be used as an equation solver to produce an approximate ML estimate. A user's command sequence is then compared to his and others' estimated signature behavior in real time, by means of statistical hypothesis testing. A form of the likelihood-ratio test is used to test whether a given sequence of commands is from the proclaimed user, with the alternative hypothesis being that of a masquerading user. Data from a real-life experiment, conducted at a research lab, is used to assess the method.
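As an added illustration (not the paper's own code or data), a simplified version of the test the abstract describes: a first-order transition table stands in for the high-order MTD chain, additive smoothing stands in for the EM/LININPOS estimation, and the masquerader alternative is approximated by another user's profile. The user names, command histories, smoothing constant and mixing weight are all constructed assumptions.

```python
from collections import Counter, defaultdict
from math import log

# Constructed command histories for two hypothetical users (not real data).
ALICE_TRAIN = "ls cd ls vi make make ls cd vi make ls cd ls vi make make cd ls".split()
BOB_TRAIN = "ps kill ps top kill ps ps top kill kill ps top ps kill ps top".split()
UNK = "<unk>"  # bucket for commands never seen in any training history
VOCAB = sorted(set(ALICE_TRAIN) | set(BOB_TRAIN)) + [UNK]

def norm(cmd):
    return cmd if cmd in VOCAB else UNK

def fit_profile(seq, alpha=0.5):
    """Signature behavior of one user: a first-order transition table plus an
    independence (command-frequency) table. Additive smoothing (alpha) keeps
    every probability strictly positive, so an unseen command is penalised
    rather than making the likelihood zero."""
    seq = [norm(c) for c in seq]
    uni, bi = Counter(seq), defaultdict(Counter)
    for prev, cur in zip(seq, seq[1:]):
        bi[prev][cur] += 1
    V = len(VOCAB)
    indep = {c: (uni[c] + alpha) / (len(seq) + alpha * V) for c in VOCAB}
    trans = {p: {c: (bi[p][c] + alpha) / (sum(bi[p].values()) + alpha * V)
                 for c in VOCAB} for p in VOCAB}
    return {"trans": trans, "indep": indep}

def hybrid_prob(profile, prev, cur, lam=0.7):
    """Mixture of the Markov term (weight lam) and the independence term (1 - lam)."""
    return lam * profile["trans"][prev][cur] + (1 - lam) * profile["indep"][cur]

def log_likelihood(profile, seq, lam=0.7):
    seq = [norm(c) for c in seq]
    ll = log(profile["indep"][seq[0]])
    for prev, cur in zip(seq, seq[1:]):
        ll += log(hybrid_prob(profile, prev, cur, lam))
    return ll

def masquerade_test(claimed, others, seq, threshold=0.0):
    """Log likelihood-ratio: H0 = sequence typed by the claimed user,
    H1 = masquerader, modelled here by the other user's profile.
    Returns (statistic, flagged); the sequence is flagged when the
    statistic drops below the threshold."""
    stat = log_likelihood(claimed, seq) - log_likelihood(others, seq)
    return stat, stat < threshold

if __name__ == "__main__":
    alice, bob = fit_profile(ALICE_TRAIN), fit_profile(BOB_TRAIN)
    print(masquerade_test(alice, bob, "ls cd ls vi make".split()))
    print(masquerade_test(alice, bob, "ps top kill ps rm".split()))
```

The threshold would in practice be tuned on held-out sequences to trade false alarms against missed masquerades, which is what the paper's experiment evaluates.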

Keywords:

Anomaly Detection; Unix; Mixture Transition Distribution (MTD); LININPOS; EM.

Authors: 
Wen-Hua Ju, Yehuda Vardi
Publication Date: 
Monday, February 1, 1999
File Attachment: 
tr92.pdf
Report Number: 
92