HIDDEN SEMI-MARKOV MODEL (HSMM)
TECHNICAL SEMINAR ON
“APPLICATION LAYER ANOMALY DETECTION BASED ON HSMM”
UNDER THE GUIDANCE OF
Mr. Annappa Swamy D R
PRESENTED BY
Akash D 4MT12CS008
OBJECTIVE
Detect unknown attacks that occur at the application layer.
Describe the user’s application layer behaviour.
Detect potential attackers based on their average log likelihoods.
ABSTRACT
Today, more network-based attacks occur at the application layer.
Traditional security techniques can only detect some known attacks.
A new application layer anomaly detection method based on HSMM is proposed to detect unknown attacks.
HIDDEN SEMI-MARKOV MODEL
The HSMM is a finite set of states, where each state and each transition between states is associated with a probability distribution.
The probability of a change in the hidden state depends on the amount of time that has elapsed since entry into the current state.
EXAMPLE:-
HSMM is a finite state machine, specified by
{A,B,P,π}, where
A is the state transition matrix.
B is the observation probability matrix.
P is the state duration matrix.
π is the initial state matrix.
$A=\{a_{mn}\}$, $1\le m,n\le M$, where $M$ is the total number of hidden states.
$B=\{b_m(v_k)\}$, $1\le k\le K$, where $K$ is the size of the observable output set.
$P=\{p_m(d)\}$, $1\le d\le D$, where $D$ is the maximum interval between any two consecutive state transitions.
$\pi=\{\pi_m\}$, $1\le m\le M$.
$\lambda=(\{a_{mn}\},\{b_m(v_k)\},\{p_m(d)\},\{\pi_m\})$, where $\lambda$ stands for the complete set of model parameters.
HSMM can be used for classification and pattern matching by solving three problems: learning, evaluation and decoding.
These problems can be solved by the forward-backward algorithm.
Forward-backward algorithm steps
1) Computing forward probabilities
2) Computing backward probabilities
3) Computing smoothed values
ARCHITECTURE DESIGN
APPLICATION LAYER ANOMALY DETECTION BASED ON HSMM
The similarities in the characteristics of normal users’ behaviour are taken as the profile of normal users.
A user’s behaviour can be considered as a series of application layer protocol keywords.
Application layer protocol keyword sequences describe the user’s application layer behaviour.
Fig. 1: HTTP keyword sequence
A change in the user’s behaviour changes the distribution of keywords.
The different behaviours can be considered as different states.
The state transition process can be considered as a Markov process.
The states cannot be observed directly, so the process is a hidden Markov process.
WORKING MODULE
1. DETERMINATION OF THE MODEL
Assume the user’s behaviour has $M$ discrete states, namely $S_1, S_2, \ldots, S_M$.
Let $A$ stand for the state transition probability matrix, $A=\{a_{mn}\}$, $1\le m,n\le M$.
Assume the protocol has $K$ keywords, which can be expressed as $word_1, word_2, \ldots, word_K$.
Let $P$ denote the state duration probability matrix, $P=\{p_m(d)\}$, $1\le d\le D$.
Let $\pi$ stand for the initial probability matrix, $\pi=\{\pi_m\}$, $1\le m\le M$.
Let $o_t$ stand for the observable output at time $t$ from the network gateway, i.e. $o_t=(w_t,r_t)$.
Let $O=o_1,o_2,\ldots,o_T=o_1^T$, where $T$ is the number of samples in the observed sequence.
Let B stand for the observation probability
matrix,
2. TRAINING PHASE
Train the model to determine the parameters of the HSMM.
Retaining the best parameters of the legitimate HSMM leads to more accurate results.
3. DETECTION PHASE
Check whether the observation sequence from a user is similar to those of most normal users.
The average log likelihood (ALL) is used to compare the likelihoods of different sequences.
If the ALL of a user's observation sequence lies in the confidence interval, the user is considered a normal user.
Otherwise the user is considered a potential attacker that should be controlled.
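The detection phase as a short worked example, added here and not taken from the seminar: it scores keyword sequences against a small HSMM with the forward pass and flags any sequence whose ALL falls outside an interval learned from normal users. The parameter values, the sample sequences and the helper names are constructed; it also assumes that each observation is only the keyword, that the last state segment ends at $T$, and that the confidence interval is the mean plus or minus three sample standard deviations of the training ALLs.

```python
import math
from statistics import mean, stdev

# Constructed, already-trained HSMM lambda = (A, B, P, pi); every value is illustrative.
KEYWORDS = {"GET": 0, "POST": 1, "HEAD": 2}   # K = 3 observable keywords
PI = [0.6, 0.4]                               # pi_m, M = 2 hidden behaviour states
A = [[0.0, 1.0], [1.0, 0.0]]                  # a_mn, no self-transitions
B = [[0.8, 0.1, 0.1], [0.2, 0.7, 0.1]]        # b_m(v_k)
P = [[0.2, 0.5, 0.3], [0.7, 0.2, 0.1]]        # p_m(d) for d = 1..D, D = 3

def likelihood(obs):
    """Forward pass for P(O | lambda), assuming the last segment ends exactly at T."""
    M, D, T = len(PI), len(P[0]), len(obs)
    # alpha[t][m] = P(o_1..o_t and a stay in state m ends at t); unscaled, short O only
    alpha = [[0.0] * M for _ in range(T + 1)]
    for t in range(1, T + 1):
        for m in range(M):
            emit = 1.0
            for d in range(1, min(D, t) + 1):
                emit *= B[m][obs[t - d]]      # b_m over the last d observations
                enter = PI[m] if d == t else sum(
                    alpha[t - d][n] * A[n][m] for n in range(M))
                alpha[t][m] += enter * P[m][d - 1] * emit
    return sum(alpha[T])

def avg_log_likelihood(obs):
    """ALL: log-likelihood normalised by length so sequences are comparable."""
    return math.log(likelihood(obs)) / len(obs)

def normal_interval(train, z=3.0):
    """Assumed interval: mean +/- z sample standard deviations of training ALLs."""
    alls = [avg_log_likelihood(s) for s in train]
    return mean(alls) - z * stdev(alls), mean(alls) + z * stdev(alls)

def is_normal(obs, interval):
    return interval[0] <= avg_log_likelihood(obs) <= interval[1]

def seq(text):
    return [KEYWORDS[w] for w in text.split()]

# Constructed keyword sequences: four normal users and one HEAD flood.
NORMAL_TRAIN = [seq("GET GET POST GET GET POST GET GET POST"),
                seq("GET GET GET POST GET GET POST POST GET GET"),
                seq("GET POST GET GET POST GET GET GET POST"),
                seq("GET GET POST POST GET GET GET POST")]
FLOOD = seq("HEAD " * 12)
INTERVAL = normal_interval(NORMAL_TRAIN)

if __name__ == "__main__":
    for name, s in [("normal", NORMAL_TRAIN[0]), ("flood", FLOOD)]:
        print(name, round(avg_log_likelihood(s), 3), is_normal(s, INTERVAL))
```

Because the interval is two-sided, a sequence that fits the model unusually well is flagged too; for long sequences the forward variables need scaling or log-domain arithmetic to avoid underflow.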
APPLICATION DOMAIN
Application layer distributed denial of service attacks on popular websites.
Coping with attacks launched by dynamic web pages (e.g., scripts) in web users’ behaviour.
CONCLUSION
A hidden semi-Markov model is used to describe the user’s application layer behaviour.
The observation sequence’s average log likelihood against the normal model is calculated.
Potential attackers are detected based on their average log likelihoods.
Thank you