Title :
Efficacy of Hidden Markov Models Over Neural Networks in Anomaly Intrusion Detection
Author :
Al-Subaie, Mohammad ; Zulkernine, Mohammad
Author_Institution :
Sch. of Comput., Queen's Univ., Kingston, Ont.
Abstract :
The timely and accurate detection of novel attacks is a persistent necessity to ensure the dependability of information processing systems. Although anomaly intrusion detection systems (AIDSs) have the potential to discover novel attacks, AIDSs suffer from the lack of generalization capability and the presence of high false alarm rates. Many machine learning techniques have been proposed to overcome the lack of generalization in existing AIDSs. Unfortunately, the main stream of these techniques is static techniques that perform structural pattern recognition. Such techniques are not capable of efficiently modeling an essential property of the behaviors of the monitored objects. This property is the sequential relationship between the events of the patterns that constitute the normal and abnormal behaviors. In this research, we show that the sequential relationship between the events of the normal and abnormal behaviors is vital for anomaly detection. Moreover, the techniques that efficiently model this property can build robust AIDSs. To illustrate this reality, we investigate the performance of two different detection techniques: hidden Markov models (HMMs), a sequential learning mechanism, and multilayer perceptron (MLP) neural network, a structural pattern recognition technique. We demonstrate that the detection of HMM classifiers outperforms the detection of the MLP classifiers in a noticeable manner.
Keywords :
hidden Markov models; learning (artificial intelligence); multilayer perceptrons; pattern recognition; security of data; HMM classifier; MLP classifier; anomaly intrusion detection; hidden Markov model; information processing system; multilayer perceptron neural network; sequential learning mechanism; structural pattern recognition; Event detection; Hidden Markov models; Information processing; Intrusion detection; Learning systems; Machine learning; Monitoring; Neural networks; Pattern recognition; Robustness;
Conference_Title :
Computer Software and Applications Conference, 2006. COMPSAC '06. 30th Annual International
Conference_Location :
Chicago, IL
Print_ISBN :
0-7695-2655-1
DOI :
10.1109/COMPSAC.2006.40