Abstract
With the recent advances in computer networking applications, Intrusion Detection Systems (IDS) are widely used to detect the
malicious connections in computer networks. IDS provide a high level security between organizations while preventing misuses
and intrusions in data communication through internet or any other network. Adherence to network usage policies is crucial since a
system or network administrator needs to be informed whether the information is compromised, if the resources are appropriately
used or if an attacker exploits a comprised service. Server flow authentication via protocol detection analyzes penetrations to
a communication network. Generally, port numbers in the packet headers are used to detect the protocols. However, it is easy
to re-map port numbers via proxies and changing the port number via compromised host services. Using port numbers may be
misleading for a system administrator to understand the natural flow of communications through network. It is also difficult to
understand the user behavior when the traffic is encrypted since there is only packet level information to be considered. In this
paper, we present a novel approach via Hidden Markov Models to detect user behavior in network traffic. We perform the detection
process on timing measures of packets. The results are promising and we obtained classification accuracies between %70 and