Efficient anomaly detection by modeling privilege flows using hidden Markov model

Anomaly detection techniques have been devised to address the limitations of misuse detection approaches for intrusion detection with the model of normal behaviors. A hidden Markov model (HMM) is a useful tool to model sequence information, an optimal modeling technique to minimize false-positive error while maximizing detection rate. In spite of high performance, however, it requires large amounts of time to model normal behaviors and determine intrusions, making it difficult to detect intrusions in real-time. This paper proposes an effective HMM-based intrusion detection system that improves the modeling time and performance by only considering the privilege transition flows based on the domain knowledge of attacks. Experimental results show that training with the proposed method is significantly faster than the conventional method trained with all data, without loss of detection performance.