First-order versus high-order stochastic models for computer intrusion detection

Nong Ye, Timothy Ehiabor, Yebin Zhang

Research output: Contribution to journalArticlepeer-review

22 Scopus citations


This paper presents two different methods of applying stochastic models to computer intrusion detection. One method is based on a first-order stochastic model, specifically a Markov chain model. The other method is based on a partial high-order stochastic model. Stochastic models are used to build a profile of normal activities on a computer from the training data of normal activities on the computer. The norm profile is then used to detect anomalous activities from testing data of both normal and intrusive activities on the computer for intrusion detection. Audit data of computer activities contain a sequence of computer events that is represented as a series of event transitions in stochastic models. The comparison of detection performance between the Markov chain model application and the partial high-order stochastic model application reveals the better detection performance of the Markov chain model application to computer intrusion detection.

Original languageEnglish (US)
Pages (from-to)243-250
Number of pages8
JournalQuality and Reliability Engineering International
Issue number3
StatePublished - May 2002


  • Anomaly detection
  • Computer security
  • Intrusion detection
  • Markov models

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Management Science and Operations Research


Dive into the research topics of 'First-order versus high-order stochastic models for computer intrusion detection'. Together they form a unique fingerprint.

Cite this