Adaptive network intrusion detection system using a hybrid approach
Citations
Cites methods from "Adaptive network intrusion detectio..."
...In the same year, R Rangaduari [9] introduces an Adaptive NIDS using a Hybrid Approach, which uses a two-stage approach: in the first stage, a probabilistic classifier is used, whereas in the second stage, an HMM-based traffic model is used....
Cites methods from "Adaptive network intrusion detectio..."
...[141] use probability to describe an adaptive network-based IDS with a two-stage architecture....
Frequently Asked Questions (13)
Q2. What are the two algorithms used to model and use the HMM?
States of the model are called hidden or latent variables and are used to describe the underlying distribution generating the data.
Q3. How did the authors overcome the high false positive rate?
In order to overcome this high false positive rate, the authors employed a multi-stage combination of models to improve the base classifier's performance.
Q4. Why is HMM model added to NB model?
The addition of the HMM model to the NB model is intended to narrow down the attacking IPs present in the flagged traffic rather than to improve the NB model's detection performance.
Q5. What would be the main drawbacks of the proposed hybrid model?
The HMM model would then perform source separation on the connections present in the flagged traffic and classify each connection as either attack or normal.
Q6. What is the procedure used to test the probability of occurrence of the sequence of numbers?
The TCP flag sequence is converted into a sequence of numbers and the probability of occurrence of this sequence is tested over the model.
Q7. What is the implementation of this approach?
Implementation details of this approach: low-probability legitimate streams that were flagged as suspicious by all the base classifiers are fed as input to a separate HMM model.
Q8. What is the simplest way to classify incoming traffic?
In their implementation, once five consecutive attack flags were raised by the NB model, incoming traffic from then on was buffered and fed as input to the HMM model.
Q9. What is the reason for the low false positive rate?
Any practical system designed to detect intrusions should have a low false positive rate, i.e., the rate at which a legitimate user is wrongly classified as an attack should be very low.
Q10. How can the authors compute the number of states to be used for a server?
Using an HMM with more states gave the authors exact results, and the number of states to choose for a given server can be determined empirically.
Q11. What is the purpose of the above study?
In order to overcome the above-mentioned shortcoming, the authors performed source separation on the training/testing traffic, first by the destination port on the server and then by source/destination IP address.
Q12. What is the number of windows to consider during time out mechanism?
The number of windows to consider during the time-out mechanism is implementation-specific and depends on the traffic characteristics of the server.
Q13. What is the test phase of the above approach?
The testing phase of the above approach is depicted in Figure 2. The DARPA intrusion detection data set [3] is used for training and testing their HMM model.
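The pipeline described in Q6, Q7, Q8 and Q11 (five consecutive first-stage alerts start buffering; buffered traffic is separated by server port and endpoint addresses; each connection's TCP flag sequence is encoded as integers and its probability under an HMM decides attack or normal) is shown below as an added example. This is not the paper's code: the flag alphabet, the four hidden states and their hand-set transition/emission probabilities, the per-symbol log-likelihood threshold, the packet format with a per-packet `nb_flag` standing in for the first-stage NB verdict, and the sample traffic are all constructed for illustration; the paper learns its HMM from DARPA data and picks the number of states empirically.

```python
"""Two-stage NIDS sketch: first-stage alerts trigger an HMM over TCP flag sequences.

Added example, not the paper's code. The flag alphabet, the HMM parameters, the
trigger count and the decision threshold are constructed for illustration.
"""
import math
from collections import defaultdict

# Observation alphabet: TCP flag combination -> integer symbol (constructed).
FLAG_CODES = {"S": 0, "SA": 1, "A": 2, "PA": 3, "FA": 4, "R": 5}

# Hidden states SYN, SYNACK, ESTABLISHED, CLOSING. Hand-set to describe one
# well-behaved TCP connection; a real deployment would learn these per server.
PI = [0.94, 0.02, 0.02, 0.02]
TRANS = [
    [0.05, 0.90, 0.03, 0.02],   # SYN -> mostly SYNACK; a repeated SYN is rare
    [0.02, 0.03, 0.90, 0.05],   # SYNACK -> ESTABLISHED
    [0.01, 0.01, 0.83, 0.15],   # ESTABLISHED loops, then CLOSING
    [0.02, 0.01, 0.07, 0.90],   # CLOSING
]
EMIT = [  #  S     SA    A     PA    FA    R
    [0.90, 0.02, 0.04, 0.01, 0.01, 0.02],
    [0.02, 0.90, 0.04, 0.01, 0.01, 0.02],
    [0.01, 0.01, 0.47, 0.47, 0.02, 0.02],
    [0.01, 0.01, 0.45, 0.03, 0.45, 0.05],
]
THRESHOLD = -1.6   # mean log-likelihood per symbol; constructed, tune per server
TRIGGER = 5        # consecutive first-stage alerts before buffering starts


def encode_flags(flags):
    """Convert a connection's TCP flag strings into the HMM's integer alphabet."""
    return [FLAG_CODES[f] for f in flags]


def mean_log_likelihood(symbols):
    """Scaled forward algorithm: log P(symbols | model) divided by the length,
    so short and long connections are comparable against one threshold."""
    if not symbols:
        raise ValueError("empty observation sequence")
    n = len(PI)
    alpha = [PI[i] * EMIT[i][symbols[0]] for i in range(n)]
    logp = 0.0
    for t, sym in enumerate(symbols):
        if t > 0:
            alpha = [sum(alpha[i] * TRANS[i][j] for i in range(n)) * EMIT[j][sym]
                     for j in range(n)]
        scale = sum(alpha)            # P(o_t | o_1 .. o_{t-1})
        logp += math.log(scale)
        alpha = [a / scale for a in alpha]
    return logp / len(symbols)


def classify_connection(flags):
    """Second-stage verdict for one separated connection: (label, score)."""
    score = mean_log_likelihood(encode_flags(flags))
    return ("attack" if score < THRESHOLD else "normal"), score


def connection_key(pkt):
    """Source separation: by server port, then by the two endpoint addresses."""
    return (pkt["server_port"], tuple(sorted((pkt["src"], pkt["dst"]))))


def second_stage(packets):
    """Run the pipeline over a packet stream. Each packet carries `nb_flag`, the
    (assumed) per-packet verdict of the first-stage classifier. From the
    TRIGGER-th consecutive alert onward every packet is buffered, split per
    connection and scored by the HMM. Returns {key: (verdict, score)}."""
    consecutive, buffering = 0, False
    streams = defaultdict(list)
    for pkt in packets:
        consecutive = consecutive + 1 if pkt["nb_flag"] else 0
        if consecutive >= TRIGGER:
            buffering = True
        if buffering:
            streams[connection_key(pkt)].append(pkt["flags"])
    return {key: classify_connection(flags) for key, flags in streams.items()}


def build_sample_traffic():
    """Constructed packets, not captured data: a SYN flood from 203.0.113.9 with
    a legitimate client 10.0.0.5 completing a normal connection in between."""
    srv = "192.0.2.1"

    def atk():
        return {"src": "203.0.113.9", "dst": srv, "server_port": 80,
                "flags": "S", "nb_flag": True}

    legit = [("10.0.0.5", srv, "S"), (srv, "10.0.0.5", "SA"), ("10.0.0.5", srv, "A"),
             ("10.0.0.5", srv, "PA"), (srv, "10.0.0.5", "A"), ("10.0.0.5", srv, "FA"),
             (srv, "10.0.0.5", "A")]
    stream = [atk() for _ in range(6)]
    for i, (src, dst, flags) in enumerate(legit):
        stream.append({"src": src, "dst": dst, "server_port": 80,
                       "flags": flags, "nb_flag": False})
        if i % 2 == 1:
            stream.append(atk())
    return stream


if __name__ == "__main__":
    for key, (verdict, score) in second_stage(build_sample_traffic()).items():
        print(key, verdict, round(score, 3))
```

Under these constructed parameters the legitimate handshake/data/teardown sequence scores around -0.8 per symbol while the run of bare SYNs scores around -2.4, so a single threshold separates them; the SYN flood is reported by its own (port, endpoint pair) key, which is the "narrow down on the attacking IPs" effect of Q4. Per-symbol normalisation is an assumption of this example, chosen so that connections of different lengths can share one threshold.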