DocumentCode
835456
Title
Control theoretic approach to intrusion detection using a distributed hidden Markov model
Author
Khanna, Rahul ; Liu, Huaping
Author_Institution
INTEL Corp., Santa Clara, CA
Volume
15
Issue
4
fYear
2008
Firstpage
24
Lastpage
33
Abstract
Cooperative ad hoc wireless networks are more vulnerable to malicious attacks than traditional wired networks. Many of these attacks are silent in nature and cannot be detected by conventional intrusion detection methods such as traffic monitoring, port scanning, or protocol violations. These sophisticated attacks operate under the threshold boundaries during an intrusion attempt and can only be identified by profiling the complete system activity in relation to normal behavior. In this article we discuss a control-theoretic hidden Markov model strategy for intrusion detection using distributed observation across multiple nodes. This model comprises a distributed HMM engine that executes in a randomly selected monitor node and functions as a part of the feedback control engine. This drives the defensive response based on hysteresis to reduce the frequency of false positives, thereby avoiding inappropriate ad hoc responses.
Keywords
ad hoc networks; hidden Markov models; mobile radio; telecommunication control; telecommunication security; three-term control; cooperative ad hoc wireless network; distributed hidden Markov model; feedback control engine; intrusion detection; Communication system traffic control; Engines; Feedback control; Hidden Markov models; Hysteresis; Intrusion detection; Monitoring; Protocols; Traffic control; Wireless networks;
fLanguage
English
Journal_Title
Wireless Communications, IEEE
Publisher
ieee
ISSN
1536-1284
Type
jour
DOI
10.1109/MWC.2008.4599218
Filename
4599218