DocumentCode :
634853
Title :
A Multi-order Markov Chain Based Scheme for Anomaly Detection
Author :
Wenyao Sha ; Yongxin Zhu ; Tian Huang ; Meikang Qiu ; Yan Zhu ; Qiannan Zhang
Author_Institution :
Shanghai Jiao Tong Univ., Shanghai, China
fYear :
2013
fDate :
22-26 July 2013
Firstpage :
83
Lastpage :
88
Abstract :
This paper presents a feasible multi-order Markov chain based scheme for anomaly detection in server systems. In our approach, both the high-order Markov chain and multivariate time series are taken into account, along with the detailed design of training and testing algorithms. To evaluate its effectiveness, the Defense Advanced Research Projects Agency (DARPA) Intrusion Detection Evaluation Data Set is used as stimuli to our model, by which system calls and the corresponding return values form a two-dimensional input set. The calculation result shows that this approach is able to produce several effective indicators of anomalies. In addition to the absolute values given by an individual single-order model, we also notice a novelty not seen before, i.e., the changes in ranking positions of outputs from different-order models also correlate closely with abnormal behaviours. Moreover, the analysis and application prove our approach's efficiency, with reasonable cost in time and storage.
Keywords :
Markov processes; security of data; time series; DARPA intrusion detection evaluation data set; Defense Advanced Research Projects Agency; absolute values; anomalies indicator; anomaly detection; high-order Markov chain; multiorder Markov chain; multivariate time series; return values; server systems; single-order model; system calls; testing algorithms; training algorithms; two-dimensional input set; Data models; Hidden Markov models; Intrusion detection; Markov processes; Servers; Time series analysis; Training; Kth-order Markov chain; Markov chain; anomaly detection; multivariate time series;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Computer Software and Applications Conference Workshops (COMPSACW), 2013 IEEE 37th Annual
Conference_Location :
Japan
Type :
conf
DOI :
10.1109/COMPSACW.2013.12
Filename :
6605770