ICC
2009
IEEE

Combining Hidden Markov Models for Improved Anomaly Detection

In host-based intrusion detection systems (HIDS), anomaly detection involves monitoring for significant deviations from normal system behavior. Hidden Markov Models (HMMs) have been shown to provide a high level of performance for detecting anomalies in sequences of system calls to the operating system kernel. Although the number of hidden states is a critical parameter for HMM performance, it is often chosen heuristically or empirically, by selecting the single value that provides the best performance on training data. However, this single best HMM does not typically provide a high level of performance over the entire detection space. This paper presents a multiple-HMMs approach, where each HMM is trained using a different number of hidden states, and where HMM responses are combined in the Receiver Operating Characteristics (ROC) space according to the Maximum Realizable ROC (MRROC) technique. The performance of this approach is compared favorably to that of a single best HMM and to...
Wael Khreich, Eric Granger, Robert Sabourin, Ali M
Added 21 May 2010
Updated 21 May 2010
Type Conference
Year 2009
Where ICC
Authors Wael Khreich, Eric Granger, Robert Sabourin, Ali Miri