A Hybrid High-Order Markov Chain Model for Computer Intrusion Detection
- 1 June 2001
- journal article
- Published by Taylor & Francis in Journal of Computational and Graphical Statistics
- Vol. 10 (2), 277-295
- https://doi.org/10.1198/10618600152628068
Abstract
A hybrid model based mostly on a high-order Markov chain and occasionally on a statistical-independence model is proposed for profiling command sequences of a computer user in order to identify a “signature behavior” for that user. Based on the model, an estimation procedure for such a signature behavior driven by maximum likelihood (ML) considerations is devised. The formal ML estimates are numerically intractable, but the ML-optimization problem can be substituted by a linear inverse problem with positivity constraint (LININPOS), for which the EM algorithm can be used as an equation solver to produce an approximate ML-estimate. The intrusion detection system works by comparing a user's command sequence to the user's and others' estimated signature behaviors in real time through statistical hypothesis testing. A form of likelihood-ratio test is used to detect if a given sequence of commands is from the proclaimed user, with the alternative hypothesis being a masquerader user. Applying the model to real-l...
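The detection step the abstract describes, reduced to a runnable sketch. This is an added example, not the paper's code or data: the paper fits a hybrid high-order Markov / independence model by ML through the LININPOS-EM route, whereas here the "hybrid" is approximated by an order-2 Markov transition table that backs off to a unigram (independence) model for contexts never seen in training, with additive smoothing; that estimator, the sample command streams, and the zero threshold on the log-likelihood ratio are all assumptions made for illustration. The masquerade decision itself follows the abstract: score a command sequence under the proclaimed user's profile and under a profile of other users, and flag it when the likelihood ratio favours the others.

```python
import math
from collections import Counter, defaultdict


class CommandProfile:
    """Order-k Markov profile of a user's command stream.

    Simplified stand-in for the paper's hybrid model (assumption): when a
    k-command context was never observed in training, the profile falls back
    to a unigram (statistical-independence) estimate instead of a Markov one.
    """

    def __init__(self, order=2, alpha=0.5):
        self.order = order
        self.alpha = alpha                       # additive-smoothing pseudo-count
        self.ctx_counts = defaultdict(Counter)   # context tuple -> next-command counts
        self.unigram = Counter()                 # independence-model counts

    def fit(self, commands):
        self.unigram.update(commands)
        for i in range(self.order, len(commands)):
            ctx = tuple(commands[i - self.order:i])
            self.ctx_counts[ctx][commands[i]] += 1
        return self

    def prob(self, ctx, cmd, vocab):
        """Smoothed P(cmd | ctx); unigram fallback for an unseen context."""
        v = len(vocab)
        counts = self.ctx_counts.get(ctx)
        if counts is None:
            total = sum(self.unigram.values())
            return (self.unigram[cmd] + self.alpha) / (total + self.alpha * v)
        total = sum(counts.values())
        return (counts[cmd] + self.alpha) / (total + self.alpha * v)

    def log_likelihood(self, commands, vocab):
        ll = 0.0
        for i in range(self.order, len(commands)):
            ctx = tuple(commands[i - self.order:i])
            ll += math.log(self.prob(ctx, commands[i], vocab))
        return ll


def build_vocab(*streams):
    """Union of all commands seen during training (shared by every profile)."""
    vocab = set()
    for s in streams:
        vocab.update(s)
    return vocab


def masquerade_score(seq, user_profile, others_profile, vocab):
    """Log-likelihood ratio: positive favours the proclaimed user,
    negative favours the alternative hypothesis (a masquerader)."""
    return (user_profile.log_likelihood(seq, vocab)
            - others_profile.log_likelihood(seq, vocab))


def is_masquerader(seq, user_profile, others_profile, vocab, threshold=0.0):
    """Decision rule: reject 'proclaimed user' when the ratio drops below threshold."""
    return masquerade_score(seq, user_profile, others_profile, vocab) < threshold


# Constructed training streams (not from the paper): a developer-style user
# and an operations-style "others" population.
ALICE_TRAIN = "cd ls vim make test ls vim make test cd ls vim make test vim make ls".split()
OTHERS_TRAIN = "ps top kill ps tail grep less tail grep less ps top tail grep less ps".split()

VOCAB = build_vocab(ALICE_TRAIN, OTHERS_TRAIN)
ALICE = CommandProfile(order=2).fit(ALICE_TRAIN)
OTHERS = CommandProfile(order=2).fit(OTHERS_TRAIN)

# Constructed test sessions submitted under Alice's account.
GENUINE_SESSION = "ls vim make test vim make".split()
SUSPECT_SESSION = "ps tail grep less ps".split()

if __name__ == "__main__":
    for label, session in (("genuine", GENUINE_SESSION), ("suspect", SUSPECT_SESSION)):
        score = masquerade_score(session, ALICE, OTHERS, VOCAB)
        flag = is_masquerader(session, ALICE, OTHERS, VOCAB)
        print(f"{label}: LLR={score:+.2f} masquerader={flag}")
```

In a deployment the threshold would be set from the empirical distribution of the ratio on held-out sessions of the genuine user, trading false alarms against missed masqueraders; the zero threshold above is only the natural midpoint of the two hypotheses.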