An Effective HMM-Based Intrusion Detection System with Privilege Change Event Modeling

Anomaly detection techniques have been devised to address the limitations of misuse detection approach for intrusion detection. They can abstract information about the normal behaviors of a system and detect attacks regardless of whether or not the system has observed them before. However, they have an inherent difficulty to deal with large volume of audit data to model the normal behaviors. Calculations for each trace in each pass through the training data take O(TS), where T is the length of the trace in system calls, and S is the number of state in hidden Markov model. In this paper, we propose an effective intrusion detection system (IDS) that improves the modeling time and performance with only considering the events of privilege flows based on the domain knowledge of attacks. Proposed privilege change model is evaluated with fixed sequences from BSM data on the situation where transitions between UID and EUID occur. A detailed analysis of the attacks reveals that acquiring root privilege can happen not only with user’s change but also with group’s change. To address both cases, the system exploits privilege flows of both user and group. s R w kf B\B—•‡” i kf B\B—•‡” s T