Anomaly detection does not look for known intrusion behavior; it looks for anomalous phenomena in the monitored communication processes, which it finds by detecting changes in the system's behavior and in the state of its services. Before an anomaly intrusion model can be built, a statistical probability model must first be constructed and the normal state of the observed objects determined; only then can one decide what counts as anomalous behavior and how to make the concrete decision. The Markov chain model is an important statistical analysis method applied to anomaly-based intrusion detection. Much current research concerns Markov chain models, but each variant has its shortcomings. This thesis surveys intrusion detection technology and introduces anomaly detection, system calls and privileged processes in detail. A close study of the anomaly detection methods based on Markov chain models found that: the single-step Markov chain model is simple, but it does not model the system call sequence strictly, especially when the sliding window is long; the multi-step (higher-order) Markov chain model demands a great deal of memory and computation; and in the Hidden Markov Model the parameter estimation is more complex, and the parameters must be recomputed whenever the data is updated. The thesis therefore proposes a new anomaly detection method based on the Markov chain model.
The method is evaluated experimentally on the system call data provided by the University of New Mexico, and the results are analyzed. The new method first builds a Markov chain model; second, it analyzes and detects the data on that model: two kinds of probability sequence are obtained by two different sequence analysis methods of the single-step Markov chain model, each probability sequence is then divided into many short probability sequences with a sliding window, and a special formula turns these into two kinds of determinant value; finally, the two kinds of determinant value curves are analyzed to distinguish normal data from abnormal data, and, after analysis of the determinant values, a rational threshold is set which again separates normal data from abnormal data. After the parameters were analyzed and chosen through experiment, the experimental results were satisfactory, and many kinds of methods were contrasted and analyzed.
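As an added worked example (not code from the thesis, and not the thesis's own determinant formula, which the abstract does not give), the pipeline described above is carried through on constructed data: a single-step Markov chain is trained on normal system call traces of a hypothetical privileged process, the per-transition probability sequence of a test trace is computed, a sliding window turns it into window scores, and a threshold fitted on normal data only separates normal from anomalous traces. The window score used here (mean surprisal, -log p averaged over the window), the Laplace smoothing constant, the window length and the threshold margin are stand-in assumptions; real UNM traces carry system call numbers rather than names.

```python
import math
from collections import defaultdict

# Constructed sample traces (not UNM data): each trace is the ordered system
# call sequence of one run of a hypothetical privileged process.
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "read", "read", "read", "write", "close"],
    ["open", "fstat", "read", "write", "close"],
    ["open", "read", "write", "close", "open", "read", "close"],
]
# Constructed anomalous trace: a setuid/execve tail that never appears in the
# normal traces, mimicking a privileged process being hijacked.
ATTACK_TRACE = ["open", "read", "read", "write", "setuid", "execve", "close"]


class SingleStepMarkovModel:
    """First-order Markov chain over system calls: P(s_i | s_{i-1})."""

    def __init__(self, traces, alpha=0.01):
        # alpha is Laplace smoothing (assumed value) so that a transition never
        # seen in training gets a small non-zero probability instead of making
        # the whole trace impossible.
        self.alpha = alpha
        self.alphabet = sorted({s for t in traces for s in t})
        self.counts = defaultdict(lambda: defaultdict(int))
        for t in traces:
            for a, b in zip(t, t[1:]):
                self.counts[a][b] += 1

    def prob(self, a, b):
        """Smoothed transition probability from call a to call b."""
        row = self.counts.get(a, {})
        total = sum(row.values())
        k = len(self.alphabet)
        return (row.get(b, 0) + self.alpha) / (total + self.alpha * k)

    def probability_sequence(self, trace):
        """The probability sequence: one P(s_i | s_{i-1}) per transition."""
        return [self.prob(a, b) for a, b in zip(trace, trace[1:])]


def window_scores(probs, w):
    """Slide a window of w transitions over the probability sequence and score
    each window by its mean surprisal, -log p averaged over the window (an
    assumed stand-in for the thesis's determinant formula). One rare
    transition dominates its window, so the score curve spikes where the trace
    departs from normal behaviour."""
    surprisal = [-math.log(p) for p in probs]
    if not surprisal:
        return [0.0]
    if len(surprisal) < w:
        return [sum(surprisal) / len(surprisal)]
    return [sum(surprisal[i:i + w]) / w for i in range(len(surprisal) - w + 1)]


def fit_threshold(model, normal_traces, w, margin=1.5):
    """Set the threshold from normal data only: the worst window score any
    normal trace produces, times a safety margin (assumed 1.5)."""
    worst = max(max(window_scores(model.probability_sequence(t), w))
                for t in normal_traces)
    return margin * worst


def detect(model, trace, w, threshold):
    """Return (max window score, is_anomalous) for one trace."""
    score = max(window_scores(model.probability_sequence(trace), w))
    return score, score > threshold


if __name__ == "__main__":
    model = SingleStepMarkovModel(NORMAL_TRACES)
    W = 3  # window length in transitions (assumed)
    thr = fit_threshold(model, NORMAL_TRACES, W)
    print(f"threshold = {thr:.3f}")
    for name, trace in [("normal", NORMAL_TRACES[2]), ("attack", ATTACK_TRACE)]:
        score, flagged = detect(model, trace, W, thr)
        print(f"{name:7s} max window score = {score:.3f}  anomalous = {flagged}")
```

Two properties of the single-step model that the abstract criticizes are visible here: the never-seen transition write→setuid carries the whole detection, while the following transitions from states the model has never observed fall back to a flat 1/k and add little, and because only adjacent pairs are scored the window length changes the score scale without adding any longer-range structure, which is why the threshold must be refitted for each window length.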