Hidden Markov Models for Intrusion Detection Under Background Activity

Abstract: Detecting a malicious hacker intruding on a network system can be difficult. This challenge is made even more complex by the network activity generated by normal users and by the fact that it is impossible to know the hacker’s exact actions. Instead, the defender of the network system has to infer the hacker’s actions by statistics collected by the intrusion detection system, IDS. This thesis investigates the performance of hidden Markov models, HMM, to detect an intrusion automatically under different background activities generated by normal users. Furthermore, background subtraction techniques with inspiration from computer vision are investigated to see if normal users’ activity can be filtered out to improve the performance of the HMMs.The results suggest that the performance of HMMs are not sensitive to the type of background activity but rather to the number of normal users present. Furthermore, background subtraction enhances the performance of HMMs slightly. However, further investigations into how background subtraction performs when there are many normal users must be done before any definitive conclusions.