Lightweight anomaly detection system with HMM resource modeling

Midori Sugaya, Yuki Ohno, Tatsuo Nakajima

    Research output: Contribution to journal › Article

    4 Citations (Scopus)

    Abstract

    In this paper, a lightweight anomaly detection infrastructure named Anomaly Detection by Resource Monitoring is presented for Information Appliances. We call it Ayaka for short. It provides a monitoring function for detecting anomalies, especially attacks which are a symptom of resource abuse, by using the resource patterns of each process. Ayaka takes a completely application black-box approach, based on machine learning methods. It uses the clustering method to quantize the resource usage vector data and then learn the normal patterns with a hidden Markov Model. In the running phase, Ayaka finds anomalies by comparing the application resource usage with the learned model. This reduces the general overhead of the analyzer and makes it possible to monitor the process in real-time. The evaluation experiment indicates that our prototype system is able to detect anomalies such as SQL injection and buffer overrun with a minimum of false positives and small (about 1%) system overhead, without previously defined anomaly models.

    Original language: English
    Pages (from-to): 35-54
    Number of pages: 20
    Journal: International Journal of Security and its Applications
    Volume: 3
    Issue number: 3
    Publication status: Published - 2009

    Fingerprint

    Monitoring
    Hidden Markov models
    Learning systems
    Experiments

    Keywords

    • Anomaly detection
    • HMM
    • Model
    • Operating system
    • Security
    • System resource

    ASJC Scopus subject areas

    • Computer Science(all)

    Cite this

    Lightweight anomaly detection system with HMM resource modeling. / Sugaya, Midori; Ohno, Yuki; Nakajima, Tatsuo.

    In: International Journal of Security and its Applications, Vol. 3, No. 3, 2009, p. 35-54.


    @article{100433918bf2493aafc22683ebb93050,
    title = "Lightweight anomaly detection system with HMM resource modeling",
    abstract = "In this paper, a lightweight anomaly detection infrastructure named Anomaly Detection by Resource Monitoring is presented for Information Appliances. We call it Ayaka for short. It provides a monitoring function for detecting anomalies, especially attacks which are a symptom of resource abuse, by using the resource patterns of each process. Ayaka takes a completely application black-box approach, based on machine learning methods. It uses the clustering method to quantize the resource usage vector data and then learn the normal patterns with a hidden Markov Model. In the running phase, Ayaka finds anomalies by comparing the application resource usage with the learned model. This reduces the general overhead of the analyzer and makes it possible to monitor the process in real-time. The evaluation experiment indicates that our prototype system is able to detect anomalies such as SQL injection and buffer overrun with a minimum of false positives and small (about 1{\%}) system overhead, without previously defined anomaly models.",
    keywords = "Anomaly detection, HMM, Model, Operating system, Security, System resource",
    author = "Midori Sugaya and Yuki Ohno and Tatsuo Nakajima",
    year = "2009",
    language = "English",
    volume = "3",
    pages = "35--54",
    journal = "International Journal of Security and its Applications",
    issn = "1738-9976",
    publisher = "Science and Engineering Research Support Society",
    number = "3",
    }

    TY - JOUR

    T1 - Lightweight anomaly detection system with HMM resource modeling

    AU - Sugaya, Midori

    AU - Ohno, Yuki

    AU - Nakajima, Tatsuo

    PY - 2009

    Y1 - 2009

    N2 - In this paper, a lightweight anomaly detection infrastructure named Anomaly Detection by Resource Monitoring is presented for Information Appliances. We call it Ayaka for short. It provides a monitoring function for detecting anomalies, especially attacks which are a symptom of resource abuse, by using the resource patterns of each process. Ayaka takes a completely application black-box approach, based on machine learning methods. It uses the clustering method to quantize the resource usage vector data and then learn the normal patterns with a hidden Markov Model. In the running phase, Ayaka finds anomalies by comparing the application resource usage with the learned model. This reduces the general overhead of the analyzer and makes it possible to monitor the process in real-time. The evaluation experiment indicates that our prototype system is able to detect anomalies such as SQL injection and buffer overrun with a minimum of false positives and small (about 1%) system overhead, without previously defined anomaly models.

    AB - In this paper, a lightweight anomaly detection infrastructure named Anomaly Detection by Resource Monitoring is presented for Information Appliances. We call it Ayaka for short. It provides a monitoring function for detecting anomalies, especially attacks which are a symptom of resource abuse, by using the resource patterns of each process. Ayaka takes a completely application black-box approach, based on machine learning methods. It uses the clustering method to quantize the resource usage vector data and then learn the normal patterns with a hidden Markov Model. In the running phase, Ayaka finds anomalies by comparing the application resource usage with the learned model. This reduces the general overhead of the analyzer and makes it possible to monitor the process in real-time. The evaluation experiment indicates that our prototype system is able to detect anomalies such as SQL injection and buffer overrun with a minimum of false positives and small (about 1%) system overhead, without previously defined anomaly models.

    KW - Anomaly detection

    KW - HMM

    KW - Model

    KW - Operating system

    KW - Security

    KW - System resource

    UR - http://www.scopus.com/inward/record.url?scp=78649608994&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=78649608994&partnerID=8YFLogxK

    M3 - Article

    VL - 3

    SP - 35

    EP - 54

    JO - International Journal of Security and its Applications

    JF - International Journal of Security and its Applications

    SN - 1738-9976

    IS - 3

    ER -