Detection and Classification of Network Intrusions using Hidden Markov Models
December 01, 2002
With the increased use of networked computers for critical systems, network security is attracting growing attention, and network intrusions have become a significant threat to communication and computer networks in recent years. The models developed in this thesis are a first step towards modelling network attacks. The thesis demonstrates that models representing network attacks can be built and used for both detection and classification. We put the emphasis on detecting and classifying network intrusions and attacks with Hidden Markov Models (HMMs) trained on anomalous sequences, i.e. on the attack traffic itself. We test several training algorithms, apply different classification rules and evaluate their relative performance, with particular attention to one classification rule whose decision does not depend on properties of the data set. Many of the attack examples presented exploit buffer overflow vulnerabilities, because data for such attacks was available; models for other attacks can be built by the same method but could not be tested for lack of data. The proposed method is efficient: it captures the characteristic features of an attack in a short period of time and from a very small number of training sequences.
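To make the approach concrete, the following is an added example and not code from the thesis: a discrete-output HMM trained with Baum-Welch on a handful of attack sequences per class, then used to score new event sequences by log-likelihood. Classification by the highest per-symbol log-likelihood and detection by a per-class threshold (worst training score minus a fixed margin) are assumptions chosen for the illustration, not the thesis's own rules. The event alphabet, the two attack classes and all sequences are constructed; the two-state models and the smoothing constant are likewise assumptions.

```python
"""HMM-based detection and classification of attack event sequences.

Added example: models are trained only on anomalous (attack) sequences, one
HMM per attack class, exactly as the abstract describes. New sequences are
scored against every model; the best model names the class, and a per-class
threshold decides whether the sequence is an attack at all. Rules, alphabet
and data are constructed for this example, not taken from the thesis.
"""
import math
import random


class DiscreteHMM:
    """Discrete-output HMM with scaled forward/backward and Baum-Welch training."""

    def __init__(self, n_states, n_symbols, seed=0):
        rng = random.Random(seed)
        self.N, self.M = n_states, n_symbols
        self.pi = self._norm([rng.random() + 0.5 for _ in range(n_states)])
        self.A = [self._norm([rng.random() + 0.5 for _ in range(n_states)]) for _ in range(n_states)]
        self.B = [self._norm([rng.random() + 0.5 for _ in range(n_symbols)]) for _ in range(n_states)]

    @staticmethod
    def _norm(v):
        s = sum(v)
        return [x / s for x in v]

    def _forward(self, obs):
        """Scaled forward pass; the product of the scale factors is P(obs)."""
        alphas, scales = [], []
        a = [self.pi[i] * self.B[i][obs[0]] for i in range(self.N)]
        for t in range(len(obs)):
            if t > 0:
                prev = alphas[-1]
                a = [sum(prev[i] * self.A[i][j] for i in range(self.N)) * self.B[j][obs[t]]
                     for j in range(self.N)]
            c = sum(a) or 1e-300
            alphas.append([x / c for x in a])
            scales.append(c)
        return alphas, scales

    def _backward(self, obs):
        """Backward pass, renormalised per step (only ratios over states are used)."""
        T = len(obs)
        betas = [None] * T
        betas[T - 1] = [1.0] * self.N
        for t in range(T - 2, -1, -1):
            b = [sum(self.A[i][j] * self.B[j][obs[t + 1]] * betas[t + 1][j] for j in range(self.N))
                 for i in range(self.N)]
            s = sum(b) or 1e-300
            betas[t] = [x / s for x in b]
        return betas

    def loglik(self, obs):
        return sum(math.log(c) for c in self._forward(obs)[1])

    def fit(self, seqs, iters=30, eps=1e-3):
        """Baum-Welch over several sequences. eps is a pseudo-count so that symbols
        never seen in the few training sequences keep a small non-zero probability
        instead of driving the log-likelihood of new sequences to -inf."""
        for _ in range(iters):
            pi_acc = [0.0] * self.N
            a_acc = [[0.0] * self.N for _ in range(self.N)]
            b_acc = [[0.0] * self.M for _ in range(self.N)]
            for obs in seqs:
                T = len(obs)
                alphas, _ = self._forward(obs)
                betas = self._backward(obs)
                for t in range(T):
                    g = [alphas[t][i] * betas[t][i] for i in range(self.N)]  # state posteriors
                    s = sum(g) or 1e-300
                    for i in range(self.N):
                        b_acc[i][obs[t]] += g[i] / s
                        if t == 0:
                            pi_acc[i] += g[i] / s
                    if t < T - 1:  # pairwise state posteriors for the transition update
                        xi = [[alphas[t][i] * self.A[i][j] * self.B[j][obs[t + 1]] * betas[t + 1][j]
                               for j in range(self.N)] for i in range(self.N)]
                        s = sum(map(sum, xi)) or 1e-300
                        for i in range(self.N):
                            for j in range(self.N):
                                a_acc[i][j] += xi[i][j] / s
            self.pi = self._norm([x + eps for x in pi_acc])
            self.A = [self._norm([x + eps for x in row]) for row in a_acc]
            self.B = [self._norm([x + eps for x in row]) for row in b_acc]


class AttackClassifier:
    """One HMM per attack class; argmax per-symbol log-likelihood plus a threshold."""

    def __init__(self, alphabet, n_states=2, margin=1.0):
        self.idx = {s: i for i, s in enumerate(alphabet)}
        self.n_states, self.margin = n_states, margin
        self.models, self.thresholds = {}, {}

    def _encode(self, seq):
        return [self.idx.get(s, self.idx["other"]) for s in seq]  # unknown events -> "other"

    def train(self, labelled):
        for k, (label, seqs) in enumerate(labelled.items()):
            enc = [self._encode(s) for s in seqs]
            m = DiscreteHMM(self.n_states, len(self.idx), seed=k)
            m.fit(enc)
            self.models[label] = m
            # Assumed detection rule: worst per-symbol training score minus a margin (nats).
            self.thresholds[label] = min(m.loglik(o) / len(o) for o in enc) - self.margin

    def classify(self, seq):
        enc = self._encode(seq)
        scores = {label: m.loglik(enc) / len(enc) for label, m in self.models.items()}
        best = max(scores, key=scores.get)
        label = best if scores[best] >= self.thresholds[best] else None
        return label, scores


# Constructed alphabet and attack traces (hypothetical, not from the thesis).
ALPHABET = ["connect", "banner", "long_input", "shell", "login_fail", "login_ok",
            "read", "write", "close", "other"]
TRAINING = {
    "buffer_overflow": [
        ["connect", "banner", "long_input", "shell", "close"],
        ["connect", "long_input", "long_input", "shell", "close"],
        ["connect", "banner", "long_input", "shell", "shell", "close"],
    ],
    "password_guessing": [
        ["connect", "banner", "login_fail", "login_fail", "login_fail", "login_ok", "close"],
        ["connect", "login_fail", "login_fail", "login_ok", "close"],
        ["connect", "banner", "login_fail", "login_fail", "login_fail", "login_fail", "close"],
    ],
}


def build_classifier():
    clf = AttackClassifier(ALPHABET)
    clf.train(TRAINING)
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    for seq in (["connect", "banner", "long_input", "long_input", "shell", "close"],
                ["connect", "login_fail", "login_fail", "login_fail", "login_ok", "close"],
                ["connect", "read", "write", "read", "write", "close"]):
        print(seq, "->", clf.classify(seq))
```

Because the models are trained only on attack traces, a benign session such as `connect, read, write, ...` scores poorly under every model and is rejected by the threshold, while a new overflow trace that reorders seen events still lands close to the training scores. The pseudo-count `eps` is the part to watch with very few sequences: without it a single unseen symbol makes the log-likelihood `-inf`, and with too large a value the models stop discriminating between classes.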