HMMs based masquerade detection for network security on with parallel computing

Abstract Masquerade detection is currently an active research topic in the field of network security. This paper presents a novel method for detecting masquerade attacks based on hidden Markov models (HMMs), which applies to host-based intrusion detection systems using Unix or Linux shell commands as audit data. The method employs multiple command sequences of different lengths to represent the behavioral patterns of a legitimate user and constructs a specific HMM to characterize the normal behavior profile of the user. Moreover, the adaptability and precision of user profiling are definitely taken into account. During training, the parameters of the HMM are calculated by parallel computing that is less computationally expensive than the classic Baum-Welch algorithm. At the detection stage, the occurrence probabilities of short state sequences are first computed to analyze behavior deviations that may indicate masquerade attacks, and two alternative decision schemes can be used to classify the monitored user’s behavior as normal or anomalous. The method addresses both detection accuracy and computational efficiency and is especially suitable for online detection. Our study empirically demonstrates the promising performance of the method.