Improvement of Protocol Anomaly Detection Based on Markov Chain and Its Application

  • Zheng Qin
  • Na Li
  • Da-fang Zhang
  • Nai-Zheng Bian
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3759)


As we know, a lot of network attacks come from abusing different network protocols and several new attacks violate the protocol standard. Kumar Das first presented the concept of the protocol anomaly detection. The idea of protocol anomaly detection is not new but interesting. It aims to set up models for proper use of protocols and any behavior that departs from the models will be regarded as an intrusive or suspicious one. In this paper, we made some improvements that aim at the lack of stochastic protocol models based on Markov Chain and made some evaluations for that presented by Juan M. Some necessary states are added to the protocol model. Furthermore, the initial and transition probabilities are more precise. Also, we propose to combine Chi-Square Distance into Markov Chain method to detect protocol anomaly. The experimental results show that SYN Flooding attack can be detected efficiently by the new approach.


Intrusion Detection Protocol Anomaly Detection Markov Chain Chi-Square Distance DARPA Evaluation Dataset 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Levitt, K.: Intrusion Detection: Current Capabilities and Future Directions. In: Proc. of 18th Annual Computer Security Applications Conference, pp. 365–370 (2002)Google Scholar
  2. 2.
    Das, K.: Protocol Anomaly Detection for Network-based Intrusion Detection (1-16-2004),
  3. 3.
    Postel, J.: Transmission Control Protocol. RFC 793 (September 1981),
  4. 4.
    Estevez-Tapiador, J.M., Garcia-Teodoro, P., Diaz-Verdejo, J.E.: Stochastic Protocol Modeling for Anomaly Based Network Intrusion Detection. In: Proc. of the First IEEE International Workshop on Information Assurance (IWIA 2003), pp. 3–12 (2003)Google Scholar
  5. 5.
    Lemonnier, E.: Protocol Anomaly Detection in Network-based IDSs (June 2001),
  6. 6.
    Joglekar, S.P., Tate, S.R.: ProtoMon: Embedded Monitors for Cryptographic Protocol Intrusion Detection and Prevention. In: Proc. of the International Conference on Information Technology: Coding and Computing (ITCC 2004), pp. 81–86 (2004)Google Scholar
  7. 7.
    MIT Lincoln Laboratory. Intrusion detection evaluation (04-01-2003),
  8. 8.
    Li, N., Qin, Z., Zhang, D.-F., et al.: Protocol Anomaly Detection Model Based on Markov Chain. Computer Science 31(10), 66–68 (2004)Google Scholar
  9. 9.
    Zhao, S., Deng, W.: The analysis of stochastic signal, 1st edn., pp. 153–159 (1999)Google Scholar
  10. 10.
    Gao, B., Ma, H.Y., Yang, Y.H.: HMMS (HIdden Markov Chain Models) Based on Anomaly Intrusion Detection Method. In: Proc. of the First Conference on Machine Learning and Cybernetics, Beijing, pp. 381–385 (2002)Google Scholar
  11. 11.
    Gao, F., Sun, J., Wei, Z.: The Prediction Role of Hidden Markov Model in Intrusion Detection. In: Proc. of the First International Conference on Machine Learning and Cybernetics, Beijing, pp. 381–385 (2002)Google Scholar
  12. 12.
    Jha, S., Tan, K., Maxion, R.A.: Markov Chains, Classifiers, and Intrusion Detection. In: Proc. of the 14th IEEE Workshop on Computer Security Foundations, pp. 206–219 (2001)Google Scholar
  13. 13.
    Tan, X., Wang, W., Xi, H., et al.: The system call sequence models based on Markov Chain and the application in anomaly detection. Engineering of Computer 28(12), 189–191 (2002)Google Scholar
  14. 14.
    Ye, N., Zhang, Y., Borror, C.M.: Robustness of the Markov chain model for cyber attack detection. IEEE Transactions on Reliability 52(3), 116–123 (2003)Google Scholar
  15. 15.
    TCPDUMP public repository. TCPDUMP (6-12-2004),
  16. 16.
    Ye, N., Chen, Q., Borror, C.M.: EWMA Forecast of Normal System Activity for Computer Intrusion Detection. IEEE Transactions on Reliability 53(4), 557–566 (2004)CrossRefGoogle Scholar
  17. 17.
    Wang, H., Zhang, D., Shin, K.G.: Detecting SYN Flooding Attacks. In: Proc. of IEEE INFOCOM, pp. 1530–1539 (2002)Google Scholar
  18. 18.
    Siris, V., Papagalou, F.: Application of Anomaly Detection Algorithms for Detecting SYN Flooding Attacks. In: Proc. of IEEE Global Telecommunications Conference, pp. 14–20 (2004)Google Scholar
  19. 19.
    Li, N.: The research of Protocol Anomaly Detection Based-on Markov Chain. Master thesis. Hunan University (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Zheng Qin
    • 1
  • Na Li
    • 2
  • Da-fang Zhang
    • 1
  • Nai-Zheng Bian
    • 1
  1. 1.College of SoftwareHunan UniversityChangShaChina
  2. 2.College of Computer and CommunicationHunan UniversityChangShaChina

Personalised recommendations