Concepedia

Publication | Closed Access

A new intrusion detection method based on behavioral model

Citations: 14

References: 5

Year: 2004

Abstract

Intrusion detection has emerged as an important approach to network security. A new method for anomaly intrusion detection is proposed based on linear prediction and Markov chain model. Linear prediction is employed to extract features from system call sequences of the privileged processes, which are used to make up the character database of those processes, and then the Markov chain model is founded based on those features. The observed behavior of the system is analyzed to infer the probability that the Markov chain model of the norm profile supports the observed behavior. A low probability of support indicates an anomalous behavior that may result from intrusive activities. The experiments show this method is effective and efficient, and can be used in practice to monitor the computer system in real time.
