First-order versus high-order stochastic models for computer intrusion detection

This paper presents two different methods of applying stochastic models to computer intrusion detection. One method is based on a first-order stochastic model, specifically a Markov chain model. The other method is based on a partial high-order stochastic model. Stochastic models are used to build a profile of normal activities on a computer from the training data of normal activities on the computer. The norm profile is then used to detect anomalous activities from testing data of both normal and intrusive activities on the computer for intrusion detection. Audit data of computer activities contain a sequence of computer events that is represented as a series of event transitions in stochastic models. The comparison of detection performance between the Markov chain model application and the partial high-order stochastic model application reveals the better detection performance of the Markov chain model application to computer intrusion detection.