Anomaly Detection Method Based on HMMs Using System Call and Call Stack Information

  • Cheng Zhang
  • Qinke Peng
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3802)


Anomaly detection has emerged as an important approach to computer security. In this paper, a new anomaly detection method based on Hidden Markov Models (HMMs) is proposed to detect intrusions. Both system calls and return addresses from the call stack of the program are extracted dynamically to train and test HMMs. The states of the models are associated with the system calls, and the observation symbols are associated with the sequences of return addresses from the call stack. Because the states of the HMMs are observable, the models can be trained with a simple method that requires less computation time than the classical Baum-Welch method. Experiments show that our method achieves better detection performance than traditional HMM-based approaches.
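The following is an added worked example, not code from the paper. It builds the kind of model the abstract describes: an HMM whose states are system calls and whose observation symbols are return-address chains captured from the call stack. Because every training trace carries its state sequence, the parameters come out as relative-frequency counts rather than from Baum-Welch. The traces, return addresses, additive smoothing, the length-normalised log-likelihood score and the threshold rule are all constructed assumptions of this example; the paper does not specify them.

```python
"""
Added example: an HMM with observable states for system-call anomaly detection.
States are system calls; observations are call-stack return-address chains.
Training is pure counting (maximum likelihood with additive smoothing).
"""
import math
from collections import Counter, defaultdict

# Constructed return-address chains standing in for real call-stack captures.
STACK_OPEN = (0x401A10, 0x401F20)
STACK_READ = (0x401A10, 0x401F40, 0x402110)
STACK_WRITE = (0x401A10, 0x401F40, 0x402230)
STACK_CLOSE = (0x401A10, 0x401F60)
STACK_ODD = (0x7FFE1000, 0x401F40, 0x402110)  # constructed: a read reached through an unexpected frame

# Constructed "normal" traces: lists of (system_call, return_address_chain).
NORMAL_TRACES = [
    [("open", STACK_OPEN)] + [("read", STACK_READ)] * n + [("write", STACK_WRITE), ("close", STACK_CLOSE)]
    for n in (2, 3, 4)
]

# Same system-call sequence as a normal trace, but the reads are issued from an
# unusual stack; a model that looked at system calls alone would not notice.
ANOMALOUS_TRACE = [("open", STACK_OPEN), ("read", STACK_ODD), ("read", STACK_ODD),
                   ("write", STACK_WRITE), ("close", STACK_CLOSE)]


class ObservableStateHMM:
    """HMM with observable states: parameters are smoothed relative frequencies."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha            # additive-smoothing pseudo-count (assumption)
        self.initial = Counter()      # count of first state per trace
        self.trans = defaultdict(Counter)  # trans[s][t]: count of s -> t
        self.emit = defaultdict(Counter)   # emit[s][o]: count of symbol o under state s
        self.states = set()
        self.symbols = set()
        self.threshold = None

    def train(self, traces, margin=0.5):
        """Count initial, transition and emission frequencies from labelled traces."""
        for trace in traces:
            self.initial[trace[0][0]] += 1
            for (prev, _), (cur, _) in zip(trace, trace[1:]):
                self.trans[prev][cur] += 1
            for state, symbol in trace:
                self.emit[state][symbol] += 1
                self.states.add(state)
                self.symbols.add(symbol)
        # Threshold rule (assumption): lowest per-event score on normal data minus a margin.
        self.threshold = min(self.score(t) for t in traces) - margin

    def _smoothed(self, counts, key, n_known):
        # One extra slot in the denominator leaves mass for never-seen states/symbols.
        total = sum(counts.values())
        return (counts[key] + self.alpha) / (total + self.alpha * (n_known + 1))

    def initial_prob(self, s):
        return self._smoothed(self.initial, s, len(self.states))

    def transition_prob(self, s, t):
        return self._smoothed(self.trans[s], t, len(self.states))

    def emission_prob(self, s, o):
        return self._smoothed(self.emit[s], o, len(self.symbols))

    def score(self, trace):
        """Average log-likelihood per event, so traces of different length compare."""
        s0, o0 = trace[0]
        ll = math.log(self.initial_prob(s0)) + math.log(self.emission_prob(s0, o0))
        for (prev, _), (cur, obs) in zip(trace, trace[1:]):
            ll += math.log(self.transition_prob(prev, cur)) + math.log(self.emission_prob(cur, obs))
        return ll / len(trace)

    def is_anomalous(self, trace):
        return self.score(trace) < self.threshold


def demo():
    """Train on the constructed normal traces and classify every trace."""
    model = ObservableStateHMM()
    model.train(NORMAL_TRACES)
    normal_flags = [model.is_anomalous(t) for t in NORMAL_TRACES]
    return model, normal_flags, model.is_anomalous(ANOMALOUS_TRACE)


if __name__ == "__main__":
    model, normal_flags, odd_flag = demo()
    for t in NORMAL_TRACES:
        print("normal   score=%.3f anomalous=%s" % (model.score(t), model.is_anomalous(t)))
    print("odd-stack score=%.3f anomalous=%s" % (model.score(ANOMALOUS_TRACE), odd_flag))
```

The anomalous trace has exactly the system-call sequence of the first normal trace; only the return-address chain under the two reads differs. Its emission terms fall from 10/14 to the smoothed 1/14 each, which drops the per-event score well below the threshold, illustrating what the call-stack observations add over a syscall-only model.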


Keywords (machine-generated): Hidden Markov Model, Intrusion Detection, Anomaly Detection, System Call, Markov Chain Model





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Cheng Zhang (1)
  • Qinke Peng (1)
  1. State Key Laboratory for Manufacturing Systems and School of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an, China
