Research Article
Non-Stationary Markov Models and Anomaly Propagation Analysis in IDS
@INPROCEEDINGS{10.1109/IAS.2007.72,
  author={Arnur G. Tokhtabayev and Victor A. Skormin},
  title={Non-Stationary Markov Models and Anomaly Propagation Analysis in IDS},
  proceedings={3rd International ICST Symposium on Information Assurance and Security},
  publisher={IEEE},
  proceedings_a={IAS},
  year={2007},
  month={9},
  keywords={Anomaly Propagation Intrusion detection Markov Models},
  doi={10.1109/IAS.2007.72}
}
- Arnur G. Tokhtabayev
- Victor A. Skormin
Year: 2007
IAS
IEEE
DOI: 10.1109/IAS.2007.72
Abstract
We propose an anomaly based IDS that results in a decreased rate of false positives. It employs the new means of host-based detection in the system call domain with correlating anomalies reported by different hosts to the IDS server. A novel anomaly detection mechanism operating at the host level treats an application or service as a non-stationary stochastic process and models it as a non-stationary Markov chain that significantly improves model accuracy. A server-based procedure for the detection of anomaly propagation is employed. While false alarms do not propagate within the network, detected anomaly propagation with a high degree of certainty can be attributed to a computer worm; otherwise the alarms are to be treated as false positives.