Skip to main content
SpringerLink
Log in

Host-Based Anomaly Intrusion Detection

  • Chapter
Handbook of Information and Communication Security

Abstract

Network security has become an essential component of any computer network. Despite significant advances having been made on network-based intrusion prevention and detection, ongoing attacks penetrating network-based security mechanisms have been reported. It is being realized that network-based security mechanisms such as firewalls or intrusion detection systems (IDS) are not effective in detecting certain attacks such as insider attacks and attacks without generating significant network traffic. The trend of network security will be to merge host-based IDS (HIDS) and networkbased IDS (NIDS). This chapter will provide the fundamentals of host-based anomaly IDS as well as their developments. A new architectural framework is proposed for intelligent integration of multiple detection engines. The novelty of this framework is that it provides a feedback loop so that one output from a detection engine can be used as an input for another detection engine. It is also illustrated how several schemes can be derived from this framework. New research topics for future research are discussed.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 349.00
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 449.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 599.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. A.S. Tanenbaum, A.S. Woodhull: Operating Systems: Design and Implementation, 3rd edn. (Pearson, NJ, USA 2006)

    Google Scholar 

  2. J.M. Garrido: Principles of modern operating systems (Jones and Barlett, MA, USA 2008)

    Google Scholar 

  3. A.S. Tanenbaum: Computer Networks, 3rd edn. (Prentice-Hall, NJ, USA 1996)

    Google Scholar 

  4. W.R. Stevens: TCP/IP Illustrated: the protocols (Addison Wesley Longman, MA, USA 1994)

    Google Scholar 

  5. J. Joshi, P. Krishnamurthy: Network Security. In: Information Assurance: Dependability and Security in Networked Systems, ed. by Y. Qian (Elsevier, Amsterdam, The Netherlands 2008), Chap. 2

    Google Scholar 

  6. B. Schneier: Applied Cryptography, Protocols, Algorithms, and Source Code in C (Wiley, NJ, USA 1996)

    Google Scholar 

  7. Y. Wang, J. Hu, D. Philips: A fingerprint orientation model based on 2D Fourier expansion (FOMFE) and its application to singular-point detection and fingerprint indexing, IEEE Trans. Pattern Anal. Mach. Intell. 29(4), 13 (2007)

    Google Scholar 

  8. K. Xi, J. Hu: Introduction to bio-cryptography. In: Springer Handbook on Communication and Information Security, ed. by P. Stavroulakis (Springer, Berlin, Germany 2009), Chap. 6

    Google Scholar 

  9. J. Hu, P. Bertok, Z. Tari: Taxonomy and framework for integrating dependability and security. In: Information Assurance: Dependability and Security in Networked Systems, ed. by Y. Qian (Elsevier, Berlin, Germany 2008), Chap. 6

    Google Scholar 

  10. P.E. Proctor: The Practical Intrusion Detection Handbook (Prentice Hall PTR, NJ, USA 2001)

    Google Scholar 

  11. CNN.com: Worm strikes down Windows 200 systems (2005), available from: http://www.cnn.com/2005/TECH/internet/08/16/computer:worm/ (last accessed November 25, 2008)

  12. Sophos: Breaking news: worm attacks CNN, ABC, The Financial Times, and The New York Times (2005), http://www.sophos.com/pressoffice/news/articles/2005/08/va_breakingnews.html (last accessed November 25, 2008)

  13. D. Denning: An intrusion detection model, IEEE Symposium on Security and Privacy (IEEE, NJ, USA 1986) pp. 118–131

    Google Scholar 

  14. J. Hu, Q. Dong, X. Yu, H.H. Chen: A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection, IEEE Netw. 23(1), 42–47 (2009)

    Article  Google Scholar 

  15. R.R. Kompella, S. Singh, G. Varghese: On scalable attack decision in the network, IEEE/ACM Trans. Netw. 15(1), 14–25 (2007)

    Article  Google Scholar 

  16. S.A. Hofmeyr, S. Forrest, A. Somayaji: Intrusion detection using sequences of system calls, J. Comput. Secur. 6(3), 151–180 (1998)

    Google Scholar 

  17. D. Hoang, J. Hu, P. Bertok: Intrusion detection based on data mining, 5th Int. Conference on Enterprise Information Systems (Angers 1998) pp. 341–346

    Google Scholar 

  18. X.D. Hoang, J. Hu: An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls, IEEE Int. Conference on Networks (ICON 2004) (Singapore 2004) pp. 470–474

    Google Scholar 

  19. X.D. Hoang, J. Hu, P. Bertok: A multi-layer model for anomaly intrusion detection using program sequences of system calls, 11th IEEE Int. Conference on Network (ICON 2003) (Sydney 2003) pp. 531–536

    Google Scholar 

  20. W. Lee, S.I. Stolfo: A framework for constructing features and models for intrusion detection systems, ACM Trans. Inf. Syst. Secur. 3(4), 227–261 (2000)

    Article  Google Scholar 

  21. W. Lee, S.J. Stolfo: Data mining approaches for intrusion detection, Proc. 7th USENIX Security Symposium (San Antonio 1998)

    Google Scholar 

  22. C. Warrender, S. Forrest, B. Perlmutter: Detecting intrusions using system calls: alternative data models, IEEE Computer Society Symposium on Research in Security and Privacy (1999) pp. 257–286

    Google Scholar 

  23. J.L. Gauvain, C.H. Lee: Bayesian learning of Gaussian mixture densities for hidden Markov models, Proc. DARPA Speech and Natural Language Workshop (1991)

    Google Scholar 

  24. S. Forrest: A sense of self for Unix processes, IEEE Symposium on Computer Security and Privacy (1996)

    Google Scholar 

  25. X.H. Dau: E-Commerce Security Enhancement and Anomaly Intrusion Detection Using Machine Learning Techniques. Ph.D. Thesis (RMIT University, Melbourne 2006)

    Google Scholar 

  26. L.R. Rabiner: A tutorial on hidden Markov model and selected applications in speech recognition, Proc. IEEE 77(2), 257–286 (1989)

    Article  Google Scholar 

  27. X.H. Dau: Intrusion detection, School of Computer Science and IT (RMIT University, Melbourne 2007)

    Google Scholar 

  28. J. Langford: Optimizing hidden Markov model learning, Technical Report (Toyota Technological Institute at Chicago, Chicago 2007)

    Google Scholar 

  29. R. Dugad, U.B. Desai: A tutorial on hidden Markov models, Technical Report No: SPANN-96.1, Indian Institute of Technology, Bombay (1996)

    Google Scholar 

  30. J.L. Gauvain, C.H. Lee: MAP estimation of continuous density HMM: Theory and Applications, Proceedings of the DARPA Speech and Natural Language Workshop (1992)

    Google Scholar 

  31. J.L. Gauvain, C.H. Lee: A posteriori estimation for multivariate Gaussian mixture observations of Markov chains, IEEE Trans. Speech Audio Process. 1(2), 291–298 (1994)

    Article  Google Scholar 

  32. Y. Gotoh, M.M. Hochberg, H.F. Silverman: Efficient training algorithm for HMM’s using incremental estimation, IEEE Trans. Speech Audio Process. 6(6), 539–548 (1998)

    Article  Google Scholar 

  33. R.I.A. Davis, B.C. Lovell, T. Caelli: Improved estimation of hidden Markov model parameters from multiple observation sequences, 16th Int. Conference on Pattern Recognition (2002) pp. 168–171

    Google Scholar 

  34. X. Li, M. Parizean, R. Plamondon: Training hidden Markov models with multiple observations–A combinatorial method, IEEE Trans. Pattern Anal. Mach. Int. 22(4), 371–377 (2000)

    Article  Google Scholar 

  35. R.J. Rummel: Understanding correlation (Department of Political Science University of Hawaii, Honolulu 1976)

    Google Scholar 

  36. H. Mannila, H. Toivonen, I. Verkamo: Discovery of frequent episodes in event sequences, Data Mining and Knowledge Discovery, Vol. 1 (Springer, MA, USA 1997)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Computer Science and IT, RMIT University, 3001, Melbourne, VIC, Australia

    Jiankun Hu

Authors
  1. Jiankun Hu
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Technical University of Crete, 73132, Chania, Crete, Greece

    Peter Stavroulakis

  2. Dept. Computer Science, San Jose State University, One Washington Square, 95192, San Jose, CA, USA

    Mark Stamp

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Hu, J. (2010). Host-Based Anomaly Intrusion Detection. In: Stavroulakis, P., Stamp, M. (eds) Handbook of Information and Communication Security. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04117-4_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-04117-4_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04116-7

  • Online ISBN: 978-3-642-04117-4

  • eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics

Search

Navigation