关键词: 异常检测, 协议行为建模, 协议交叉检测, 隐马尔可夫模型（HMM）

Abstract:

With the diversification of the form of network attacks, the existing protocol anomaly detection work faces new challenges in terms of accuracy and real-time. Most of the current protocol anomaly detection methods only detect malicious attacks from single protocol, but never consider the association between protocols. In this paper, an HMM-based protocol anomaly cross-detection algorithm is proposed. The semantic sequence and time stamp of multiple protocols are used to construct the message sequence as the training set of the model. The protocol-state-merge algorithm and the Baum-Welch algorithm are used to train and generate a complete HMM, and it uses the subsequence repeat number collected from the progress of serialization of protocol message to help the HMM to detect the attacks with a large number of loop operations. Experiments in the IP-camera network prove that the detection algorithm can detect multiple malicious attacks more accurately than the existing HMM anomaly detection methods, and the algorithm also has certain universality.

Key words: anomaly detection, protocol behavior modeling, cross-protocol detection, Hidden Markov Model（HMM）