Hybrid intrusion detection model based on ordered sequences

Abstract

An algorithm for designing a hybrid intrusion detection system based on a behavior analysis technique is proposed. This system can be used to generate attack signatures and to detect anomalous behavior. The approach can distinguish the order of attack behavior and overcome the limitation of methods based on mismatch or frequencies, which perform statistical analysis of attack behavior with association rules or frequent episode algorithms. The preprocessed data of the algorithm are the connection records extracted from DARPA's tcp-dump data. The algorithm's complexity is analyzed against a well-known algorithm, and its complexity is greatly decreased. Using the proposed algorithm with transactions of known attacks, we found that our algorithm describes attacks more accurately and can detect attacks with a limited number of transactions. Thus, any important sequence is considered and discovered, even if it is a single sequence, because the extraction covers all possible sequence combinations within the attack transactions. Four types of attacks are examined to cover all DARPA attack categories. © Springer-Verlag Berlin Heidelberg 2005.

Alharby, A., & Imai, H. (2005). Hybrid intrusion detection model based on ordered sequences. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 3685 LNCS, pp. 352–365). https://doi.org/10.1007/11560326_27