3rd International ICST Symposium on Information Assurance and Security

Research Article

Non-Stationary Markov Models and Anomaly Propagation Analysis in IDS

@INPROCEEDINGS{10.1109/IAS.2007.72,
    author={Arnur G. Tokhtabayev and Victor A. Skormin},
    title={Non-Stationary Markov Models and Anomaly Propagation Analysis in IDS},
    booktitle={3rd International ICST Symposium on Information Assurance and Security},
    series={IAS},
    publisher={IEEE},
    year={2007},
    month={9},
    keywords={Anomaly Propagation, Intrusion detection, Markov Models},
    doi={10.1109/IAS.2007.72}
}

Arnur G. Tokhtabayev and Victor A. Skormin. Non-Stationary Markov Models and Anomaly Propagation Analysis in IDS. In: 3rd International ICST Symposium on Information Assurance and Security (IAS 2007). IEEE, 2007. DOI: 10.1109/IAS.2007.72
Arnur G. Tokhtabayev 1,*, Victor A. Skormin 1,*
  • 1: Department of Electrical & Computer Engineering, Binghamton University
*Contact email: atokhta1@binghamton.edu, vskormin@binghamton.edu

Abstract

We propose an anomaly-based IDS that lowers the rate of false positives. It combines a new host-based detection technique operating in the system call domain with correlation, at the IDS server, of the anomalies reported by different hosts. The host-level mechanism treats an application or service as a non-stationary stochastic process and models it as a non-stationary Markov chain, which significantly improves the accuracy of the model. A server-side procedure then checks whether the reported anomalies propagate from host to host. Because false alarms do not propagate within the network, detected anomaly propagation can be attributed with a high degree of certainty to a computer worm; alarms that do not propagate are treated as false positives.
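The two-stage pipeline the abstract describes, as an added example that is not the authors' code: a host-level detector that scores a system call trace under a Markov chain whose transition matrix changes with the phase of execution, and a server-side check that raises a worm alarm only when host alarms propagate across several machines inside a time window. Non-stationarity is approximated here by splitting each trace into positional phases with separate transition counts (the paper's actual model is not reproduced); the traces, host names, timestamps and the threshold calibration are all constructed for illustration.

```python
"""Added example (not the authors' code): a phase-dependent Markov chain over
system call traces as the host-level anomaly detector, plus the server-side
check that flags anomalies only when they propagate across hosts.

Assumptions: non-stationarity is approximated by splitting each trace into
n_phases positional phases, each with its own transition matrix (the paper's
model is not reproduced here); all traces, host names, timestamps and the
threshold calibration below are constructed for illustration.
"""
import math
from collections import defaultdict

SMOOTH = 0.01   # additive smoothing: a never-seen transition is improbable, not -inf


def phase_of(i, n_trans, n_phases):
    """Phase index of transition i in a trace that has n_trans transitions."""
    return min(n_phases - 1, i * n_phases // n_trans)


def train(traces, n_phases=2):
    """Count per-phase transitions a -> b over benign system call traces."""
    counts = [defaultdict(lambda: defaultdict(int)) for _ in range(n_phases)]
    alphabet = set()
    for tr in traces:
        alphabet.update(tr)
        n_trans = len(tr) - 1
        for i in range(n_trans):
            counts[phase_of(i, n_trans, n_phases)][tr[i]][tr[i + 1]] += 1
    return {"n_phases": n_phases, "counts": counts, "alphabet": alphabet}


def trans_prob(model, phase, a, b):
    """Smoothed P(b | a) in the given phase; unknown syscalls share the floor mass."""
    row = model["counts"][phase].get(a, {})
    n_symbols = len(model["alphabet"]) + 1          # +1 reserves mass for unseen calls
    return (row.get(b, 0) + SMOOTH) / (sum(row.values()) + SMOOTH * n_symbols)


def score(model, trace):
    """Mean negative log-likelihood per transition; higher means more anomalous."""
    n_trans = len(trace) - 1
    if n_trans <= 0:
        return 0.0
    nll = 0.0
    for i in range(n_trans):
        p = phase_of(i, n_trans, model["n_phases"])
        nll -= math.log(trans_prob(model, p, trace[i], trace[i + 1]))
    return nll / n_trans


def calibrate(model, benign_traces, factor=3.0):
    """Alarm threshold: a margin above the worst score seen on benign traces."""
    return factor * max(score(model, t) for t in benign_traces)


def host_alarm(model, trace, threshold):
    """Host-level decision: report an anomaly to the server or stay quiet."""
    return score(model, trace) > threshold


def detect_propagation(alarms, window, min_hosts=3):
    """Server-side check. alarms: (host, t_seconds) pairs reported by hosts.
    Returns the largest set of distinct hosts whose alarms fall inside one
    sliding window of `window` seconds, provided at least min_hosts are
    involved; an empty set means the alarms are isolated (false positives)."""
    alarms = sorted(alarms, key=lambda a: a[1])
    best = set()
    for i, (_, t0) in enumerate(alarms):
        hosts = {h for h, t in alarms[i:] if t - t0 <= window}
        if len(hosts) >= min_hosts and len(hosts) > len(best):
            best = hosts
    return best


# Constructed traces for a toy network service: a startup phase followed by
# repeated request handling.
STARTUP = ["socket", "bind", "listen"]
REQUEST = ["accept", "read", "stat", "open", "read", "write", "close"]
BENIGN = [STARTUP + REQUEST * k for k in (2, 3, 4, 5)]
HELD_OUT = STARTUP + REQUEST * 6
# After exploitation the service spawns a process and connects out (worm-like).
INFECTED = STARTUP + REQUEST + ["read", "mmap", "execve", "fork", "socket", "connect", "write"]

# Constructed alarm log as seen by the IDS server: three web hosts alarm within
# two minutes of each other; two other hosts raise isolated alarms.
ALARMS = [("web-01", 0.0), ("web-02", 40.0), ("web-03", 95.0),
          ("db-01", 900.0), ("web-07", 1500.0)]

if __name__ == "__main__":
    model = train(BENIGN)
    thr = calibrate(model, BENIGN)
    for name, tr in (("held-out benign", HELD_OUT), ("infected", INFECTED)):
        print(f"{name}: score={score(model, tr):.2f} alarm={host_alarm(model, tr, thr)}")
    print("propagating hosts:", sorted(detect_propagation(ALARMS, window=120)))
```

The per-phase matrices are what separates this from a stationary chain: `socket` is expected during startup but scores as unseen once the service is in its request-handling phase, so the same call can be normal or anomalous depending on when it occurs. On the server side only the three web hosts whose alarms cluster in time are reported; the isolated alarms on db-01 and web-07 are dropped as false positives even though each host flagged them.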