Hidden Markov Model-based Network Intrusion Detection System

Today, Internet has already been an indispensable part of people's daily life as the computer network has developed rapidly; at the same time, the security of network draws more and more attention of people. At present, there are many technologies of network safeguard, for example, firewall, access control, data encryption; But all of these technologies are staticly defensive tools, which can not totally assure the security of network and resist the attack of hacker. Under this background, Intrusion Detection System has been a new direction, which can initiatively and dynamically provide security safeguard and supply the limitation traditional network security technologies.The Hidden Markov Model has many excellent feature, for instance its mature algorithm, high efficiency, easy training etc; so it has extensive application in a lot of fields, such as phonetic recognition. The Hidden Markov Model can reduce the false-positive rate and increase the detection rate in anomaly intrusion detection. At present, the data resource of anomaly intrusion detection based on Hidden Markov Model stem from the host computer (for example, system call). The system has obtained the good experimental result.Network intrusion detection is used to detect intrusion by catching network packet and drawing characteristics (IP address, port, etc.). The main diffculty in the application of Hiden Markov Model in network anomaly intrusion detection is to decide the observation symbols of HMM.In this paper, we have proposed the method to confirm observation symbols of Hidden Markov Model, and then apply HMM to network anomaly intrusion detection. On the basis of confirming model observation symbols of Hidden Markov Model, this paper has proposed a network anomaly intrusion detection system model based on HMM, which adopts both misuse detection and anomaly detection and is realized.The last experiment result shows that the system has relatively high detection rate and can detect unknown attack under some circumstance of network.