
I am implementing an HMM (Hidden Markov Model). I have obtained a dataset of TCP flags such as Synchronized, Reset, Acknowledgement, FIN/ACK, PUSH/ACK. The problem is that I have to find the number of states so that I can calculate the conditional probabilities, transition probabilities and emission probabilities.

I have assumed a random number of states, considering the TCP flags as observables. Using the Baum-Welch algorithm, I calculated the transition as well as the emission probabilities. But taking a random number of states, we do not know whether the output is accurate.

So we are trying to find a better way to find out the number of states and, specifically, which states to use. We are trying to implement the following paper: Adaptive IDS using hybrid approach.

Any help would be appreciated.

Thanks in advance!


1 Answer


Things are easier, or I do not understand the question.

SYN, SYN/ACK, ... are TCP flags. Interpret them as a first classification of TCP messages, that is, as TCP message types. These are the events in the TCP finite-state machine.

The states of the TCP finite-state machine are CLOSE_WAIT, FIN_WAIT_1, ... In total, 12 states.

If you search for "tcp state machine" in Google Images, you will easily find a drawing of the state machine. For example: http://www.ssfnet.org/Exchange/tcp/Graphics/tcpStateDiagram1.gif

Synchronized is neither a TCP flag nor a state.
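An added example (not code from the question, the answer or the cited paper) that makes the answer's point concrete: the TCP finite-state machine labels every observed flag event with the endpoint's state, so the HMM states need not be guessed and the transition and emission counts can be read straight off labelled traces. The transition table is a reduced RFC 793 table covering only the common open and close paths, and the event strings, the `walk` and `estimate_hmm` helpers and the two traces are assumptions of this example.

```python
from collections import Counter, defaultdict

# Reduced endpoint TCP FSM after RFC 793 (common paths only; an assumption here).
# Events are "send:<FLAGS>", "recv:<FLAGS>", "passive_open" or "timeout".
TRANSITIONS = {
    ("CLOSED", "send:SYN"): "SYN_SENT",             # active open
    ("CLOSED", "passive_open"): "LISTEN",
    ("LISTEN", "recv:SYN"): "SYN_RECEIVED",         # endpoint replies SYN/ACK
    ("SYN_SENT", "recv:SYN/ACK"): "ESTABLISHED",    # endpoint replies ACK
    ("SYN_SENT", "recv:RST"): "CLOSED",
    ("SYN_RECEIVED", "recv:ACK"): "ESTABLISHED",
    ("SYN_RECEIVED", "recv:RST"): "LISTEN",
    ("ESTABLISHED", "send:FIN"): "FIN_WAIT_1",      # active close
    ("ESTABLISHED", "recv:FIN"): "CLOSE_WAIT",      # passive close
    ("ESTABLISHED", "recv:RST"): "CLOSED",
    ("FIN_WAIT_1", "recv:ACK"): "FIN_WAIT_2",
    ("FIN_WAIT_1", "recv:FIN"): "CLOSING",
    ("FIN_WAIT_1", "recv:FIN/ACK"): "TIME_WAIT",
    ("FIN_WAIT_2", "recv:FIN"): "TIME_WAIT",
    ("CLOSING", "recv:ACK"): "TIME_WAIT",
    ("CLOSE_WAIT", "send:FIN"): "LAST_ACK",
    ("LAST_ACK", "recv:ACK"): "CLOSED",
    ("TIME_WAIT", "timeout"): "CLOSED",
}

def walk(start, events):
    """Return the state after each event; ValueError on an event the FSM does not allow."""
    path, cur = [], start
    for ev in events:
        nxt = TRANSITIONS.get((cur, ev))
        if nxt is None:
            raise ValueError(f"unexpected {ev!r} in state {cur}")
        path.append(nxt)
        cur = nxt
    return path

def estimate_hmm(traces):
    """Transition and emission counts from FSM-labelled traces, given as
    (start_state, events) pairs. Row-normalising the counts gives the HMM
    transition and emission probability estimates for these 11 states."""
    trans, emit = defaultdict(Counter), defaultdict(Counter)
    for start, events in traces:
        path = [start] + walk(start, events)
        for prev, ev, nxt in zip(path, events, path[1:]):
            trans[prev][nxt] += 1
            emit[prev][ev.split(":")[-1]] += 1   # flags observed while in `prev`
    return trans, emit

# Constructed traces: a client's active open + active close, and a server's passive side.
CLIENT = ("CLOSED", ["send:SYN", "recv:SYN/ACK", "send:FIN", "recv:FIN/ACK", "timeout"])
SERVER = ("CLOSED", ["passive_open", "recv:SYN", "recv:ACK", "recv:FIN", "send:FIN", "recv:ACK"])
```

Real captures need the flags split by direction (sender vs. receiver) and per connection before they are fed to `walk`, otherwise the same flag maps to different states.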