Article title
A Comparative Study of Hidden Markov Model and Support Vector Machine in Anomaly Intrusion Detection
Table of contents
Introduction
Hidden Markov Model
Support Vector Machine
Methods
Results and experiments
Conclusion
Excerpt from the article
Viterbi training algorithm
The Viterbi training (VT) algorithm is an alternative method for estimating the model parameters. For each unknown observation sequence O = O1, O2, O3, O4, O5, O6, O7, O8 of normal or attack type in the test dataset, the most likely state path Q* is computed using Viterbi decoding. This path is then used to count state transitions and symbol emissions, and the parameters are recomputed from those counts using equations (4) and (5).
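The decoding-then-counting step described above, as an added illustration that is not code from the paper or its authors: a small discrete-symbol HMM with two hidden states and three observation symbols, a constructed eight-symbol observation sequence standing in for O1..O8, Viterbi decoding in log space to obtain Q*, and one round of parameter re-estimation from the transition and emission counts along that path. Because equations (4) and (5) are not reproduced on this page, the re-estimation here is the standard count-ratio update with additive smoothing (an assumption), which also keeps a never-visited transition or never-emitted symbol from becoming a zero probability that would make every later sequence containing it impossible under the model.

```python
"""Viterbi decoding and Viterbi (hard-EM) training for a discrete HMM.

Added example; hidden states and observation symbols are integers 0..N-1 / 0..M-1.
"""
import math


def lg(p):
    """Natural log that tolerates zero probabilities."""
    return math.log(p) if p > 0 else float("-inf")


def viterbi(obs, pi, A, B):
    """Return (Q*, log P(O, Q* | model)) for the observation sequence obs.

    pi[i]    : initial probability of state i
    A[i][j]  : P(q_{t+1} = j | q_t = i)
    B[j][k]  : P(o_t = k | q_t = j)
    """
    N, T = len(pi), len(obs)
    delta = [[lg(pi[i]) + lg(B[i][obs[0]]) for i in range(N)]]
    psi = [[0] * N]                      # back-pointers: psi[t][j] = best predecessor of j at t
    for t in range(1, T):
        row, back = [], []
        for j in range(N):
            best_i = max(range(N), key=lambda i: delta[t - 1][i] + lg(A[i][j]))
            row.append(delta[t - 1][best_i] + lg(A[best_i][j]) + lg(B[j][obs[t]]))
            back.append(best_i)
        delta.append(row)
        psi.append(back)
    last = max(range(N), key=lambda i: delta[T - 1][i])
    path = [last]
    for t in range(T - 1, 0, -1):        # follow back-pointers from the final state
        path.append(psi[t][path[-1]])
    path.reverse()
    return path, delta[T - 1][last]


def reestimate(sequences, paths, N, M, smoothing=1.0):
    """Recompute pi, A, B from decoded paths by counting transitions and emissions.

    Count-ratio update with additive smoothing (assumed form; the paper's eqs. (4)
    and (5) are not on this page). smoothing > 0 avoids zero probabilities.
    """
    pi_c = [smoothing] * N
    A_c = [[smoothing] * N for _ in range(N)]
    B_c = [[smoothing] * M for _ in range(N)]
    for obs, path in zip(sequences, paths):
        pi_c[path[0]] += 1
        for t, state in enumerate(path):
            B_c[state][obs[t]] += 1                  # emission count
            if t + 1 < len(path):
                A_c[state][path[t + 1]] += 1         # transition count
    pi = [c / sum(pi_c) for c in pi_c]
    A = [[c / sum(row) for c in row] for row in A_c]
    B = [[c / sum(row) for c in row] for row in B_c]
    return pi, A, B


def viterbi_train(sequences, pi, A, B, M, iters=5):
    """Alternate Viterbi decoding and count-based re-estimation for a fixed number of rounds."""
    for _ in range(iters):
        paths = [viterbi(o, pi, A, B)[0] for o in sequences]
        pi, A, B = reestimate(sequences, paths, len(pi), M)
    return pi, A, B


# Constructed toy model: state 0 mostly emits symbol 0, state 1 mostly emits symbol 2.
PI0 = [0.6, 0.4]
A0 = [[0.7, 0.3], [0.4, 0.6]]
B0 = [[0.8, 0.1, 0.1], [0.1, 0.2, 0.7]]
# Constructed observation sequence O1..O8 (eight symbols, as in the excerpt).
OBS = [0, 0, 0, 2, 2, 2, 0, 0]


def decode_sample():
    """Most likely state path for OBS under the initial model."""
    return viterbi(OBS, PI0, A0, B0)[0]


def reestimate_sample():
    """Parameters after one decode-and-count round on OBS."""
    return reestimate([OBS], [decode_sample()], N=2, M=3)


if __name__ == "__main__":
    print("Q* =", decode_sample())
    pi, A, B = reestimate_sample()
    print("pi =", pi)
    print("A  =", A)
    print("B  =", B)
```

Running the block decodes the sample sequence to the path 0,0,0,1,1,1,0,0 and then re-estimates the matrices from the counts along that path; in the paper's setting the same decode-and-count loop would be run over the TCP-service sequences of the training set rather than a single constructed sequence.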
Keywords: Hidden Markov Model, Support Vector Machine, Distinguishable TCP Services, Anomaly Intrusion Detection

A Comparative Study of Hidden Markov Model and Support Vector Machine in Anomaly Intrusion Detection
Ruchi Jain and Nasser S. Abouzakhar, School of Computer Science, University of Hertfordshire, Hatfield, UK

Abstract
This paper aims to analyse the performance of Hidden Markov Model (HMM) and Support Vector Machine (SVM) for anomaly intrusion detection. These techniques discriminate between normal and abnormal behaviour of network traffic. The specific focus of this study is to investigate and identify distinguishable TCP services that comprise both normal and abnormal types of TCP packets, using the J48 decision tree algorithm. The publicly available KDD Cup 1999 dataset has been used in training and evaluation of these techniques. Experimental results demonstrate that the HMM is able to classify network traffic with approximately 76% to 99% accuracy, while SVM classifies it with approximately 80% to 99% accuracy.

Keywords: Hidden Markov Model, Support Vector Machine, Distinguishable TCP Services, Anomaly Intrusion Detection

1. Introduction
The increase in the number of networks interconnected through the Internet has led to an increase in security threats and violations. As shared resources, computer networks and communication links allow unauthorized users to gain access to private information and critical resources of organizations. Therefore, information security has become a major concern to businesses and organizations and requires an intelligent security system that can automatically detect intrusions. An Intrusion Detection System (IDS) [5] has become a popular tool for observing patterns of activity in user accounts and detecting malicious behaviour. The anomaly detection approach [2] is a key element of intrusion detection: it evaluates the behaviour of a user or system and treats intrusive or irregular activity as a deviation from normal patterns.
The HMM technique [14] has been applied by Joshi and Phoha [6] to classifying TCP network traffic as attack or normal. They used only 12.195% of the total 41 features of the KDD Cup 1999 dataset [19] to develop their anomaly intrusion detection model, which determined whether a TCP session is normal or anomalous with 79% accuracy. In our previous work [5], we proposed an HMM-based anomaly intrusion detection model and confirmed its effectiveness. In this paper, the SVM technique [9], [10], [11], [12], [15], [21] is proposed for binary classification of each distinguishable TCP service. The Sequential Minimal Optimization (SMO) algorithm [20], as implemented in the Waikato Environment for Knowledge Analysis (Weka) toolkit [22], is used to train the SVM. Two kernel functions [9], [15], the Polynomial and the Radial Basis Function (RBF) kernels, are used for mapping the dataset into higher-dimensional spaces. A comparison between HMM and SVM in terms of their classification results is presented. The remainder of this paper is organized as follows: Section 2 provides a brief explanation of the concepts of HMM. Section 3 briefly presents the basic principle of SVM. Section 4 describes the methodology for designing an anomaly intrusion detection model that classifies network traffic as attack or normal using HMM and SVM. Extensive experiments based on the KDD Cup 1999 dataset are given in detail in Section 5. Finally, concluding remarks and discussion are given in Section 6.