Intrusion Detection using Continuous Time Bayesian Networks

Intrusion detection systems (IDSs) fall into two high-level categories: network-based systems (NIDS) that monitor network behaviors, and host-based systems (HIDS) that monitor system calls. In this work, we present a general technique for both systems. We use anomaly detection, which identifies patterns not conforming to a historic norm. In both types of systems, the rates of change vary dramatically over time (due to burstiness) and over components (due to service difference). To efficiently model such systems, we use continuous time Bayesian networks (CTBNs) and avoid specifying a fixed update interval common to discrete-time models. We build generative models from the normal training data, and abnormal behaviors are flagged based on their likelihood under this norm. For NIDS, we construct a hierarchical CTBN model for the network packet traces and use Rao-Blackwellized particle filtering to learn the parameters. We illustrate the power of our method through experiments on detecting real worms and identifying hosts on two publicly available network traces, the MAWI dataset and the LBNL dataset. For HIDS, we develop a novel learning method to deal with the finite resolution of system log file time stamps, without losing the benefits of our continuous time model. We demonstrate the method by detecting intrusions in the DARPA 1998 BSM dataset.


💡 Research Summary

The paper introduces a unified framework for anomaly‑based intrusion detection that uses Continuous‑Time Bayesian Networks (CTBNs) for both network‑based (NIDS) and host‑based (HIDS) monitoring. Discrete‑time models (dynamic Bayesian networks, hidden Markov models) require a fixed update interval, and no single interval suits security data: network traffic is bursty, rates differ by orders of magnitude between services, and system‑call logs are generated asynchronously. A fine interval wastes computation during quiet periods; a coarse one smears bursts together. A CTBN instead models each variable as a continuous‑time Markov process whose transition rates depend on the current values of its parents in the graph, so the likelihood of a trace is computed directly from the observed event times and dwell times. Detection is generative: a model is fitted to normal (attack‑free) training data only, and a new trace is flagged when its likelihood under that model falls below a threshold.

Network‑Based Intrusion Detection (NIDS)
For NIDS the authors build a hierarchical CTBN over the packet trace. The observed packet‑level events sit at the bottom of the hierarchy; higher‑level nodes are hidden, and their current state modulates the rates at which the observed events occur, which is what lets the model absorb changes in traffic intensity without a fixed interval. Because the higher‑level nodes are never observed, parameter learning has to infer their trajectories together with the rates, and exact inference over the whole hierarchy is intractable. The paper uses Rao‑Blackwellized particle filtering (RBPF) for this: the part of the posterior that has a closed form given the rest is integrated out analytically, and only the remainder is sampled with particles. Marginalizing analytically lowers the variance of the estimate, so far fewer particles are needed than a plain particle filter would require. The model is trained on normal traffic only; at detection time a host's traffic is scored by its likelihood under the learned model.
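The following is an added, deliberately small illustration of what Rao‑Blackwellization buys in this setting; it is not the authors' model or code. It assumes a single hidden mode with two states (quiet/burst) that switches as a Markov jump process with a known rate, and observed packet arrivals that form a Poisson process whose rate is unknown, mode‑dependent, and given a Gamma prior. Only the mode trajectory is sampled by particles; each particle keeps the Gamma posterior of both rates in closed form, which is the Rao‑Blackwellized part. The trace, the priors and the switching rate are all constructed for the example.

```python
"""Added illustration of Rao-Blackwellized particle filtering on a toy
two-mode packet-arrival model; not the authors' model or code."""
import math
import random

# Assumed model: a hidden mode (0 = quiet, 1 = burst) switches as a Markov jump
# process with known rate SWITCH_RATE; packets arrive as a Poisson process whose
# rate depends on the mode and is unknown, with a Gamma(alpha, beta) prior.
PRIOR = {0: (2.0, 2.0),    # quiet: prior mean 1 packet/s
         1: (20.0, 1.0)}   # burst: prior mean 20 packets/s
SWITCH_RATE = 0.01         # mode switches per second


def new_particle():
    # A particle carries a sampled current mode and, per mode, the Gamma
    # posterior (alpha, beta) of that mode's rate: the rates themselves are
    # never sampled, which is the Rao-Blackwellized part.
    return {"mode": 0,
            "alpha": {m: PRIOR[m][0] for m in PRIOR},
            "beta": {m: PRIOR[m][1] for m in PRIOR}}


def sample_mode_path(mode, tau, rng):
    """Bootstrap proposal: run the mode's jump process for tau seconds.
    Returns time spent in each mode and the mode at the end of the interval."""
    spent, remaining = {0: 0.0, 1: 0.0}, tau
    while True:
        hold = rng.expovariate(SWITCH_RATE)
        if hold >= remaining:
            spent[mode] += remaining
            return spent, mode
        spent[mode] += hold
        remaining -= hold
        mode = 1 - mode


def log_marginal_and_update(p, spent, end_mode):
    """log density of (no packet for the interval, then one packet) given the
    sampled mode path, with each mode's rate integrated out under its Gamma
    posterior:
      survival over d seconds in mode m:  (beta / (beta + d)) ** alpha
      hazard at the end in mode m:        alpha * beta**alpha / (beta + d)**(alpha + 1)
    Then absorb the interval into the sufficient statistics."""
    logp = 0.0
    for m in (0, 1):
        a, b, d = p["alpha"][m], p["beta"][m], spent[m]
        logp += a * (math.log(b) - math.log(b + d))
        if m == end_mode:
            logp += math.log(a) - math.log(b + d)
        p["beta"][m] = b + d
    p["alpha"][end_mode] += 1.0
    p["mode"] = end_mode
    return logp


def rbpf(interarrivals, n_particles=500, seed=0):
    """Filter packet inter-arrival times (seconds). Returns per packet
    (posterior P(mode == burst), log predictive density of that inter-arrival).
    Summed over a window, the second value is the log-likelihood a
    likelihood-based IDS would threshold."""
    rng = random.Random(seed)
    particles = [new_particle() for _ in range(n_particles)]
    out = []
    for tau in interarrivals:
        logw = []
        for p in particles:
            spent, end_mode = sample_mode_path(p["mode"], tau, rng)
            logw.append(log_marginal_and_update(p, spent, end_mode))
        top = max(logw)
        w = [math.exp(lw - top) for lw in logw]
        total = sum(w)
        p_burst = sum(wi for wi, p in zip(w, particles) if p["mode"] == 1) / total
        out.append((p_burst, top + math.log(total / n_particles)))
        # Multinomial resampling; copy so duplicated particles evolve independently.
        chosen = rng.choices(particles, weights=w, k=n_particles)
        particles = [{"mode": c["mode"], "alpha": dict(c["alpha"]),
                      "beta": dict(c["beta"])} for c in chosen]
    return out


# Constructed trace: 40 packets one second apart, then 200 packets 50 ms apart.
TRACE = [1.0] * 40 + [0.05] * 200

if __name__ == "__main__":
    res = rbpf(TRACE)
    print("P(burst) after quiet phase: %.3f" % res[39][0])
    print("P(burst) at end of burst:   %.3f" % res[-1][0])
```

The point to notice is that the particle never has to guess a numeric rate: a particle that switches to the burst mode at the right moment is rewarded through the closed‑form predictive density under the prior, and its rate posterior tightens as it absorbs events. A plain particle filter would also have to sample the two rates per particle and would need many more particles to cover them.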

Host‑Based Intrusion Detection (HIDS)
HIDS work from system‑call or audit‑log streams, and the time stamps in such logs are often coarse: many distinct calls share the same stamp, so the true inter‑event times are known only to within the stamp resolution, not exactly. Treating the rounded stamps as exact event times violates the CTBN assumption (it produces zero‑length sojourns and discards the sub‑stamp timing), while rounding the model itself to the stamp resolution would give up the continuous‑time representation. The authors develop a learning method that accounts for this uncertainty about the true event times during parameter estimation, keeping the continuous‑time model while respecting the resolution of the data. A practitioner applying this should first check the resolution of their own audit source; the correction matters only where stamps are coarse relative to the event rate.
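The example below is added here and is not the paper's code or its exact method; it serves both the general point above about generative, likelihood‑based detection and the time‑stamp issue in this section. A single‑variable continuous‑time Markov model of a system‑call stream (a CTBN with one node) is learned from a constructed normal trace, traces are scored by negative log‑likelihood per second, and the same pipeline is then run on a second‑resolution copy of the log. The treatment of coarse stamps here, drawing each true time uniformly within its second with the within‑second order preserved and averaging the sufficient statistics over the draws, is an assumption of mine for illustration, not the authors' method; it recovers aggregate rates but can be biased for states whose sojourns are much longer or shorter than their neighbours' within the same second. The states, rates and traces are all constructed.

```python
"""Added illustration: one-node CTBN (a continuous-time Markov chain) over a
system-call stream, learned from normal data and used for likelihood scoring,
plus one way to learn from second-resolution time stamps. Everything here is
constructed for the example; it is not the paper's model or method."""
import math
import random
from collections import defaultdict

STATES = ["idle", "file", "net", "exec"]

# Constructed normal behaviour: RATES[s][s2] is the jump rate s -> s2 (per second).
NORMAL_RATES = {
    "idle": {"file": 2.0, "net": 1.0, "exec": 0.05},
    "file": {"idle": 3.0},
    "net":  {"idle": 2.0},
    "exec": {"idle": 5.0},
}
# Constructed intrusion: a tight net <-> exec loop that normal behaviour never shows.
ATTACK_RATES = {
    "idle": {"net": 1.0},
    "file": {"idle": 3.0},
    "net":  {"exec": 10.0},
    "exec": {"net": 10.0},
}


def simulate(rates, n_events, rng, start="idle"):
    """Gillespie sampling of the chain; returns [(time, state entered), ...]."""
    t, s, traj = 0.0, start, [(0.0, start)]
    for _ in range(n_events):
        total = sum(rates[s].values())
        t += rng.expovariate(total)          # exponential sojourn in s
        r, acc = rng.random() * total, 0.0   # pick the jump target
        for s2, q in rates[s].items():
            acc += q
            if r <= acc:
                s = s2
                break
        traj.append((t, s))
    return traj


def sufficient_stats(traj):
    """T[s] = total time spent in s; N[s][s2] = number of s -> s2 jumps."""
    T, N = defaultdict(float), defaultdict(lambda: defaultdict(float))
    for (t0, s0), (t1, s1) in zip(traj, traj[1:]):
        T[s0] += t1 - t0
        N[s0][s1] += 1
    return T, N


def learn_rates(T, N, alpha=0.5, beta=0.5):
    """Posterior-mean rate (N + alpha) / (T + beta) under a Gamma(alpha, beta)
    prior per jump, so a jump never seen in training keeps a small nonzero rate."""
    return {s: {s2: (N[s][s2] + alpha) / (T[s] + beta)
                for s2 in STATES if s2 != s} for s in STATES}


def log_likelihood(traj, rates):
    """Sum over sojourns of log q(s -> s2) - q(s) * dwell, q(s) = total exit rate."""
    return sum(math.log(rates[s0][s1]) - sum(rates[s0].values()) * (t1 - t0)
               for (t0, s0), (t1, s1) in zip(traj, traj[1:]))


def anomaly_score(traj, rates):
    """Negative log-likelihood per second; higher means less like the norm."""
    return -log_likelihood(traj, rates) / (traj[-1][0] - traj[0][0])


def coarsen(traj):
    """Mimic a log with one-second stamps: event order survives, sub-second timing does not."""
    return [(float(math.floor(t)), s) for t, s in traj]


def expected_stats_from_coarse(coarse, rng, n_samples=50):
    """Assumed treatment (not the paper's): draw each true time uniformly inside
    its one-second stamp, keep the within-second order (sorted draws), and
    average the sufficient statistics over the draws."""
    T, N = defaultdict(float), defaultdict(lambda: defaultdict(float))
    for _ in range(n_samples):
        times, i = [], 0
        while i < len(coarse):
            j = i
            while j < len(coarse) and coarse[j][0] == coarse[i][0]:
                j += 1
            times += sorted(coarse[i][0] + rng.random() for _ in range(j - i))
            i = j
        Ts, Ns = sufficient_stats([(t, s) for t, (_, s) in zip(times, coarse)])
        for s in Ts:
            T[s] += Ts[s] / n_samples
            for s2, n in Ns[s].items():
                N[s][s2] += n / n_samples
    return T, N


def demo(seed=1):
    """Train on exact and on coarse stamps, then score a normal and an attack trace."""
    rng = random.Random(seed)
    train = simulate(NORMAL_RATES, 3000, rng)
    normal = simulate(NORMAL_RATES, 300, rng)
    attack = simulate(ATTACK_RATES, 300, rng, start="net")
    exact = learn_rates(*sufficient_stats(train))
    coarse = learn_rates(*expected_stats_from_coarse(coarsen(train), rng))
    return {
        "q_file_exact": exact["file"]["idle"],      # constructed true value: 3.0
        "q_file_coarse": coarse["file"]["idle"],
        "score_normal": anomaly_score(normal, exact),
        "score_attack": anomaly_score(attack, exact),
        "score_normal_coarse": anomaly_score(coarsen(normal), coarse),
        "score_attack_coarse": anomaly_score(coarsen(attack), coarse),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v:8.3f}")
```

The attack trace is penalized twice under the normal model: its net → exec and exec → net jumps were never seen in training, so each costs roughly log of the prior pseudo‑rate, and its sojourns are far shorter than the learned exit rates predict. With coarse stamps the second signal is weakened (same‑second sojourns round to zero), which is exactly why the way the stamps are handled during learning matters.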

Experimental Evaluation
The framework is evaluated on three publicly available datasets:

  1. MAWI and LBNL network traces – Two real‑world traffic captures. The hierarchical CTBN is used to detect real worm activity present in the traces and to identify hosts from their traffic behaviour, showing that the learned per‑host models capture service‑specific dynamics rather than only aggregate volume.

  2. DARPA 1998 BSM dataset – The standard host‑based benchmark of Solaris BSM audit records. The resolution‑aware CTBN is applied to the system‑call stream and used to detect the intrusions in the data. This benchmark dates from 1998 and was generated in a simulated environment, so results on it serve as a comparison against other published methods rather than as evidence about modern hosts.

Learning uses RBPF rather than exact inference, which is what keeps training feasible on high‑dimensional traffic; the number of particles and the resulting run time are properties of the full paper's experiments rather than of the model itself.

Key Contributions and Insights

  • Continuous‑time modeling removes the fixed update interval, so the detector adapts to variable event rates and captures bursts that a fixed‑interval model would either smear together or pay for with many empty intervals.
  • The hierarchical CTBN gives a modular representation for network data: observed packet‑level events and hidden higher‑level state are separate nodes whose coupling is explicit in the graph.
  • Rao‑Blackwellized particle filtering makes learning in the hierarchical model tractable by marginalizing what can be handled analytically and sampling only the rest.
  • The resolution‑aware learning method lets CTBNs be trained on host logs whose time stamps are coarser than the events they record.
  • Likelihood‑based anomaly detection needs no attack signatures, so previously unseen attacks can be flagged as long as they change the event dynamics. The flip side is that it detects deviation from the norm, not maliciousness: an attack whose timing and transition pattern fits the trained model is not flagged, attack activity present in the training data becomes part of the norm, and benign changes (new services, load shifts) raise false positives. Threshold selection, a clean training window and a retraining policy are therefore part of any deployment.

Open Questions and Deployment Considerations
The paper trains its models on a window of normal data and scores new traces against them. A deployment that goes beyond this has to decide how to refresh models as services and load change, how to set and recalibrate the likelihood threshold so alert volume stays manageable, and how to combine the likelihood score with signature‑based detection so that known attacks that happen to fit the learned norm are still caught. Feeding the score into alert prioritization or automated response is a natural next step, but only once false‑positive rates have been characterized on the target environment.

In summary, this work demonstrates that continuous‑time probabilistic graphical models, combined with tractable learning (RBPF for the hierarchical network model, a resolution‑aware method for coarse host logs), give a single anomaly‑detection approach that applies to both network and host data without the fixed update interval of discrete‑time IDS models.