HIDDEN SEMI-MARKOV MODEL (HSMM)

Post on 08-Feb-2017



TECHNICAL SEMINAR ON “APPLICATION LAYER ANOMALY DETECTION BASED ON HSMM”

UNDER THE GUIDANCE OF Mr. Annappa Swamy D R

PRESENTED BY

Akash D 4MT12CS008

OBJECTIVE

Detect unknown attacks that occur at the application layer.

Describe the user’s application layer behaviour.

Detect potential attackers based on their average log likelihoods.

ABSTRACT

Today more network-based attacks occur at the application layer.

Traditional security techniques can only detect some known attacks.

A new application layer anomaly detection method based on HSMM is proposed to detect unknown attacks.

HIDDEN SEMI-MARKOV MODEL

The HSMM is a finite set of states, where each state and each transition among them is associated with a probability distribution.

The probability of a change in the hidden state depends on the amount of time that has elapsed since entry into the current state.

EXAMPLE:

HSMM is a finite state machine, specified by {A, B, P, π}, where

A is the state transition matrix.

B is the observation probability matrix.

P is the state duration matrix.

π is the initial state matrix.

A={amn}, 1≤m,n≤M, where M is the total number of hidden states.

B={bm(vk)}, 1≤k≤K, where K is the size of the observable output set.

P={pm(d)}, 1≤d≤D, where D is the maximum interval between any two consecutive state transitions.

π={πm}, 1≤m≤M.

λ=({amn}, {bm(vk)}, {pm(d)}, {πm}), where λ stands for the complete set of model parameters.

HSMM can be used for classification and pattern matching by solving three problems: learning, evaluation and decoding.

These problems can be solved by the forward-backward algorithm.

Forward-backward algorithm steps

1) Computing forward probabilities

2) Computing backward probabilities

3) Computing smoothed values

ARCHITECTURE DESIGN

APPLICATION LAYER ANOMALY DETECTION BASED ON HSMM

The similarities in the characteristics of normal users’ behaviour are taken as the profile of the normal users.

A user’s behaviour can be considered as a series of application layer protocol keywords.

Application layer protocol keyword sequences describe the user’s application layer behaviour.

Fig. 1 HTTP keyword sequences

A change in the user’s behaviour makes the distribution of keywords different.

The different behaviours can be considered as different states.

The state transition process can be considered as a Markov process.

The states cannot be observed directly, so this is a hidden Markov process.

WORKING MODULE

1. DETERMINATION OF THE MODEL

Assume the user’s behaviour has M discrete states, namely S1, S2, ..., SM.

Let A stand for the state transition probability matrix, A={amn}, 1≤m,n≤M.

Assume the protocol has K keywords, which can be expressed as word1, word2, ..., wordK.

Let P denote the state duration probability matrix, P={pm(d)}, 1≤d≤D.

Let π stand for the initial probability matrix, π={πm}, 1≤m≤M.

Let ot stand for the observable output at time t from the network gateway, i.e. ot=(wt,rt).

Let O=o1,o2,...,oT=o1T, where T is the number of samples in the observed sequence.

Let B stand for the observation probability matrix.

2. TRAINING PHASE

Train the model to determine the parameters of the HSMM.

Retaining the best parameters of the legitimate HSMM leads to more accurate results.

3. DETECTION PHASE

Check whether the observation sequence from a user is similar to those of most normal users.

To compare the likelihoods of different sequences, the average log likelihood (ALL) is used.

If a user's observation sequence's ALL lies in the confidence interval, the user is considered a normal user.

Otherwise the user is considered a potential attacker that should be controlled.

APPLICATION DOMAIN

Application layer distributed denial of service attacks on popular websites.

Coping with the attacks launched by dynamic webpages (e.g., scripts) in web users’ behaviour.

CONCLUSION

The hidden semi-Markov model is used to describe the user’s application layer behaviour.

The observation sequence’s average log likelihood against the normal model is calculated.

Potential attackers are detected based on their average log likelihood.

Thank you