Network based hidden markov models intrusion detection systems

Author

Hashim, M.

Source

International Journal of Intelligent Computing and Information Sciences

Issue

Vol. 6, Issue 1 (31 Jan. 2006), 18 p.

Publisher

Ain Shams University Faculty of Computer and Information Sciences

Publication Date

2006-01-31

Country of Publication

Egypt

No. of Pages

18

Main Subjects

Information Technology and Computer Science

Abstract EN

Computer network technologies have grown rapidly in the last few decades.

With the increased use of networked computers for critical applications, computer intrusions have increased and become a significant threat to these systems, and thus Intrusion Detection Systems (IDS) have become an essential addition to the security infrastructure of most organizations.

An IDS is a defense system that detects, identifies, responds to, distinguishes, and possibly prevents insider and outsider attack activities targeted at computing and networked resources.

Intrusion Detection Systems are broadly categorized into Host-based Intrusion Detection Systems (HIDS) and Network-based Intrusion Detection Systems (NIDS).

Most Network Intrusion Detection Systems use pattern matching between network packets and a database of known intrusion packet signatures.

These signature-based systems are immune to intrusions, and are inefficient as the database grows significantly.

In this paper, we proposed a Network-based Hidden Markov Model Intrusion Detection System (NHMMIDS) that, after training, receives the incoming packets, extracts the main features, and processes them to output a probability that this packet has been met in training.

NHMMIDS is a statistical-based model that has the advantage of a complexity order of O(1) instead of O(n) with sequential search in an intrusion signatures database (where n is the size of the database).

The proposed system has been tested for detection of buffer overflow, Trojan, and unspecified attacks, where we got a detection percentage not less than 98% with no false negative results.

American Psychological Association (APA)

Hashim, M. 2006. Network based hidden markov models intrusion detection systems. International Journal of Intelligent Computing and Information Sciences, Vol. 6, no. 1.
https://search.emarefa.net/detail/BIM-284425

Modern Language Association (MLA)

Hashim, M. Network based hidden markov models intrusion detection systems. International Journal of Intelligent Computing and Information Sciences Vol. 6, no. 1 (Jan. 2006).
https://search.emarefa.net/detail/BIM-284425

American Medical Association (AMA)

Hashim, M. Network based hidden markov models intrusion detection systems. International Journal of Intelligent Computing and Information Sciences. 2006. Vol. 6, no. 1.
https://search.emarefa.net/detail/BIM-284425

Data Type

Journal Articles

Language

English

Notes

Includes bibliographical references.

Record ID

BIM-284425