Markov Models for Malware and Intrusion Detection: A Survey


  • Evgeniya Nikolova Faculty of Computer Science and Engineering, Burgas Free University, Bulgaria and Institute of Mathematics and Informatics, Bulgarian Academy of Sciences, Bulgaria



Markov model, hidden Markov model, malware, intrusion detection system


Malicious attacks are one of the main threats facing today's most widely used operating systems, Android and Windows, as well as Internet of Things (IoT) and web environments. Markov models and hidden Markov models have been used successfully over the past few decades to identify a variety of malicious activity, including viruses, worms, Trojan horses, rootkits, ransomware, and phishing attacks. But they have their limits. One of their main limitations is that they are unable to detect subtle changes in malicious behaviour. This paper presents Markov models and hidden Markov models as a tool for detecting malicious attacks and briefly reviews studies from the past five years that use these models as a detection tool. The review, based on publications drawn from three databases, shows the continuing interest of security researchers in these models. Most of the selected papers report systems built on these models that reach a detection accuracy above 94%. This study can be helpful to beginners who are interested in starting research in the field of detecting malicious attacks.
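The abstract names both the technique (Markov models over sequences of observed behaviour) and its main limitation (subtle changes in malicious behaviour go undetected) without showing either. The following is an added illustration, not code from the survey or from any paper it reviews: a first-order Markov chain is trained on a handful of constructed benign API-call traces (the call names, the traces, the exfiltration-style trace and the "stealthy" trace are all hypothetical), each new trace is scored by its average transition log-probability, and anything scoring well below the least likely benign training trace is flagged. It also shows the limitation the abstract mentions: a malicious trace assembled only from transitions that are individually common in benign data scores as normal, because a first-order model sees nothing unusual in any single step.

```python
"""First-order Markov chain anomaly detector over API-call traces.

Added example; the traces and API names below are constructed for
illustration and do not come from the survey or any real dataset.
"""
import math
from collections import Counter, defaultdict

START, END, UNK = "<s>", "</s>", "<unk>"

# Constructed benign traces (hypothetical API-call names).
BENIGN_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "write", "write", "close"],
    ["socket", "connect", "send", "recv", "close"],
    ["socket", "connect", "send", "close"],
    ["open", "read", "close"],
]

# Constructed test traces. The first reads a file and then sends repeatedly,
# which contains transitions (read->socket, send->send) never seen in benign
# data. The second is also novel as a whole sequence but uses only transitions
# that occur in benign traces, which is the "subtle change" case.
EXFIL_TRACE = ["open", "read", "socket", "connect", "send", "send", "send", "close"]
STEALTHY_TRACE = ["open", "read", "read", "write", "close"]
UNSEEN_API_TRACE = ["open", "evil_api", "close"]  # hypothetical unknown symbol


def train(traces, alpha=0.01):
    """Estimate smoothed transition probabilities P(b | a) from benign traces.

    Returns model[a][b]; additive (Laplace) smoothing with pseudo-count alpha
    keeps every transition strictly positive so log-probabilities stay finite.
    """
    vocab = {START, END, UNK}
    for trace in traces:
        vocab.update(trace)
    counts = defaultdict(Counter)
    for trace in traces:
        seq = [START, *trace, END]
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    smoothing = alpha * len(vocab)
    model = {}
    for a in vocab:
        total = sum(counts[a].values())
        model[a] = {b: (counts[a][b] + alpha) / (total + smoothing) for b in vocab}
    return model


def score(model, trace):
    """Average log-probability per transition (length-normalised).

    Symbols never seen in training are mapped to UNK, whose row and column
    carry only the smoothing mass, so they are heavily penalised.
    """
    seq = [s if s in model else UNK for s in (START, *trace, END)]
    logp = sum(math.log(model[a][b]) for a, b in zip(seq, seq[1:]))
    return logp / (len(seq) - 1)


def fit_threshold(model, traces, margin=1.0):
    """Flag anything scoring `margin` nats below the least likely benign trace."""
    return min(score(model, t) for t in traces) - margin


def is_anomalous(model, threshold, trace):
    """True when the trace is less likely than the benign-derived threshold."""
    return score(model, threshold_trace := trace) < threshold if False else score(model, trace) < threshold


if __name__ == "__main__":
    model = train(BENIGN_TRACES)
    threshold = fit_threshold(model, BENIGN_TRACES)
    print(f"threshold = {threshold:.3f}")
    for name, trace in [("exfil", EXFIL_TRACE), ("stealthy", STEALTHY_TRACE),
                        ("unseen api", UNSEEN_API_TRACE)]:
        print(f"{name:11s} score={score(model, trace):.3f} "
              f"anomalous={is_anomalous(model, threshold, trace)}")
```

With these constructed traces the exfiltration trace and the trace containing an unknown API both fall well below the threshold, while the stealthy trace scores inside the benign range and is missed. That miss is exactly the weakness the survey points to; in practice it is addressed with higher-order or hidden-state models, which condition on more than the immediately preceding call, at the cost of needing far more training data.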