
Student: Kuo-Hua Yang (楊國樺)
Thesis title (Chinese): Combining Hidden Markov Models and Naive Bayes Classifiers for Intrusion Detection Systems
Thesis title (English): Intrusion Detection Systems based on Hybrid Hidden Markov Models and Naïve Bayes Classifiers
Advisor: Hsing-Kuo Pao (鮑興國)
Committee members: Yi-leh Wu (吳怡樂), Yuh-Jye Lee (李育杰), 張源俊, Tien-Ruey Hsiang (項天瑞)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2006
Academic year of graduation: 94 (ROC calendar)
Language: Chinese
Pages: 53
Keywords: intrusion detection systems, hidden Markov models, naive Bayes classifiers
Abstract (Chinese, translated):

In today's environment of interconnected networks and increasingly complex attack patterns, network administrators generally rely on a firewall as the safeguard of information security, but a firewall can only perform passive packet-filtering defence and cannot cope with today's complex and ever-changing attack patterns. Building an intrusion detection system to complement the firewall is therefore the essential way to improve information security today. Generally speaking, hidden Markov models are often used for intrusion detection tasks, because this kind of dataset is mostly sequential data; in particular, we can build an anomaly-based intrusion detection system on a model of normal behaviour, where the dataset used to build the normal-behaviour model can come from the abundant system calls generated by the system in response to user behaviour. On the other hand, since a standard hidden Markov model performs better when it emits a scalar symbol in each state, we introduce simple Markov models. In many cases, naive Bayes classifiers handle multidimensional datasets in a simple, fast and effective way. Therefore, in this thesis we propose a combination of hidden Markov models and naive Bayes classifiers as the core technique of an intrusion detection system architecture. Finally, in the experimental part, our system is evaluated on the KDD Cup 99 dataset. After evaluation, our system's detection rates for the U2R and R2L attack categories are higher than those of the KDD Cup 99 winner.


Abstract (English):

In today's environment of interconnected networks and increasingly complicated attack modes, network management generally adopts the firewall as the safeguard of information security. Generally speaking, hidden Markov models are widely used for intrusion detection, because the datasets are mostly sequential; in particular, for anomaly detection systems we can set up a normal behaviour model, and the datasets used to build the normal behaviour model come from the system calls generated by users. On the other hand, since a general hidden Markov model is relatively good at producing a scalar symbol in every state, we use simple hidden Markov models. In many cases, naive Bayes classifiers are used for dealing with multidimensional datasets, because they are simple, fast and effective. In this thesis, we propose methods that combine hidden Markov models and naive Bayes classifiers. Finally, in the experimental part, our system uses the KDD Cup 99 dataset. After assessment, our system has a better detection rate for U2R and R2L connections than the KDD Cup 99 winner.

Table of contents:

1 Introduction 1
1.1 Research background and motivation 1
1.2 Research methods and results 2
1.3 Thesis structure 3
2 Related research and development 4
2.1 Introduction to intrusion detection systems 4
2.1.1 Origin and development of intrusion detection systems 5
2.1.2 Classification of intrusion detection systems 6
2.2 Existing methods 7
3 System architecture 9
3.1 Hidden Markov Models 9
3.1.1 Forward and Backward Algorithm 11
3.1.2 Baum-Welch Algorithm 12
3.1.3 Viterbi Algorithm 14
3.2 Naïve Bayes Classifiers 16
3.2.1 Introduction to naive Bayes classifiers 16
3.2.2 Probability estimation for naive Bayes classifiers 16
3.3 Multidimensional hidden Markov classifiers 17
3.3.1 Combining hidden Markov models and naive Bayes classifiers 18
3.3.2 Combining hidden Markov models and Support Vector Machines 20
3.4 Handling unlabelled datasets 23
3.4.1 Combining hidden Markov models and Gaussian Mixture Models 23
4 Experiments and analysis 27
4.1 Data description and preprocessing 27
4.2 Experimental results 30
5 Conclusions 35
5.1 Discussion 35
5.2 Future work 36

