Computer Engineering and Applications, 2020, Vol. 56, Issue (8): 81-86. DOI: 10.3778/j.issn.1002-8331.1812-0214

Cross-Protocol Anomaly Detection Algorithm Based on HMM

WU Chutian, CHEN Yongle, CHEN Junjie   

  1. College of Information and Computer, Taiyuan University of Technology, Taiyuan 030024, China
  • Online: 2020-04-15 Published: 2020-04-14





As network attacks take increasingly diverse forms, existing protocol anomaly detection faces new challenges in accuracy and real-time performance. Most current protocol anomaly detection methods detect malicious attacks within a single protocol only and do not consider the association between protocols. This paper proposes an HMM-based cross-protocol anomaly detection algorithm. The semantic sequences and timestamps of multiple protocols are used to construct message sequences that serve as the training set of the model. A protocol-state-merge algorithm and the Baum-Welch algorithm are used to train and generate a complete HMM, and the subsequence repeat counts collected while serializing the protocol messages are used to help the HMM detect attacks that involve a large number of loop operations. Experiments in an IP-camera network demonstrate that the detection algorithm detects multiple malicious attacks more accurately than existing HMM anomaly detection methods, and that the algorithm also has a certain universality.

Key words: anomaly detection, protocol behavior modeling, cross-protocol detection, Hidden Markov Model (HMM)



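The detection idea in the abstract, as an added Python example (not the authors' code): messages from several protocols are merged by timestamp into one symbol sequence, scored with the HMM forward algorithm, and checked against a repeat-count limit. The traffic, the hand-set HMM parameters standing in for the state-merge and Baum-Welch training, the thresholds, and the restriction to single-symbol repeats are all assumptions.

```python
import math

# Constructed IP-camera traffic: (timestamp, protocol, message semantics).
NORMAL = [(0.0, "HTTP", "LOGIN"), (0.4, "RTSP", "DESCRIBE"), (0.5, "RTSP", "SETUP"),
          (0.6, "RTSP", "PLAY"), (9.0, "RTSP", "TEARDOWN")]
BRUTE = [(0.1 * i, "HTTP", "LOGIN") for i in range(40)] + [(5.0, "RTSP", "DESCRIBE")]
SKIP_AUTH = [(0.0, "RTSP", "PLAY"), (0.1, "RTSP", "SETUP"), (0.2, "HTTP", "LOGIN")]

# Hand-set HMM (assumption; the paper learns it). States: auth, negotiate, stream, close.
PI = [0.94, 0.02, 0.02, 0.02]
A = [[0.05, 0.90, 0.03, 0.02], [0.02, 0.48, 0.48, 0.02],
     [0.02, 0.03, 0.05, 0.90], [0.25, 0.25, 0.25, 0.25]]
B = [{"HTTP:LOGIN": 0.96}, {"RTSP:DESCRIBE": 0.485, "RTSP:SETUP": 0.485},
     {"RTSP:PLAY": 0.96}, {"RTSP:TEARDOWN": 0.96}]
EPS, N = 0.01, 4  # EPS: emission probability of symbols a state does not list

def serialize(messages):
    """Merge all protocols into one time-ordered symbol sequence, collapsing
    back-to-back repeats; return (symbols, largest repeat count)."""
    symbols, max_rep, run = [], 1, 1
    for _, proto, sem in sorted(messages):
        sym = f"{proto}:{sem}"
        if symbols and symbols[-1] == sym:
            run += 1
            max_rep = max(max_rep, run)
        else:
            symbols.append(sym)
            run = 1
    return symbols, max_rep

def avg_loglik(symbols):
    """Scaled forward algorithm: log P(symbols | HMM) divided by sequence length."""
    alpha, total = PI, 0.0
    for t, sym in enumerate(symbols):
        if t:  # propagate one step through the transition matrix
            alpha = [sum(alpha[i] * A[i][j] for i in range(N)) for j in range(N)]
        alpha = [alpha[j] * B[j].get(sym, EPS) for j in range(N)]
        scale = sum(alpha)
        total += math.log(scale)
        alpha = [a / scale for a in alpha]
    return total / len(symbols)

def detect(messages, min_ll=-1.5, max_repeat=5):
    """Return the reasons a session is anomalous (empty list means normal)."""
    symbols, rep = serialize(messages)
    reasons = ["low-likelihood"] if avg_loglik(symbols) < min_ll else []
    if rep > max_repeat:
        reasons.append("repeat-count")
    return reasons
```

In this constructed data the login loop collapses to a sequence the HMM scores as normal, so only the repeat count exposes it, while the out-of-order RTSP session is caught by likelihood alone.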