Hidden semi-Markov model for anomaly detection

In this paper, hidden semi-Markov model (HSMM) is introduced into intrusion detection. Hidden Markov model (HMM) has been applied in intrusion detection systems several years, but it has a major weakness: the inherent duration probability density of a state in HMM is exponential, which may be inappropriate for the modeling of audit data of computer systems. We can handle this problem well by developing an HSMM for perfect normal processes of computer systems. Based on this HSMM, an algorithm of anomaly detection is presented in this paper, which computes the distance between the processes monitored by intrusion detection system and the perfect normal processes. In this algorithm, we use the average information entropy (AIE) of fixed-length observed sequence as the anomaly detection metric based on maximum entropy principle (MEP). To improve accuracy, the segmental K-means algorithm is applied as training algorithm for the HSMM. By comparing the accurate rate with the experimental results of previous research, it shows that our method can perform a more accurate detection. 2008 Elsevier Inc. All rights reserved.