Multi Hidden Markov Models for Improved Anomaly Detection Using System Call Analysis

Abstract

Intrusion Detection systems are used for detecting attacks on a system. The host-based intrusion detection system (HIDS) detect the ongoing attacks on a Host system. HIDS model is proposed using System Call Analysis consisting of two modules, an Anomaly Detection module and a Multi-HMM module for state prediction. Anomaly Detection module uses Long Short-term memory (LSTM) architecture, a special type of Recurrent Neural Network, for detection of anomalies in system call traces. It models the normal behaviour of the system using system call patterns which enables it to detect even ‘Zero-day’ attacks. The State prediction module is based on Multiple Hidden Markov Model (Multi-HMM), in which each HMM model a known attack. It takes a sequence of system calls as input and predicts next ‘N’ most probable system calls during the attack. After performing a number of experiments, results show that the model has high recognition rate and low false alarm rate.