WORKLOAD HIDDEN MARKOV MODEL FOR ANOMALY DETECTION

Juan Manuel García, Tomás Navarrete, Carlos Orozco

2006

Abstract

We present an approach to anomaly detection based on the construction of a Hidden Markov Model trained on processor workload data. Based on processor load measurements, an HMM is constructed as a model of the system's normal behavior. Any observed sequence of processor load measurements that is unlikely to have been generated by the HMM is then considered an anomaly. We test our approach by taking real processor load data from a mail server to construct an HMM, and then we test it under several experimental conditions, including simulated DoS attacks. We show some evidence suggesting that this method could be successful in detecting attacks or misuse that directly affect processor performance.

Paper Citation


in Harvard Style

Manuel García J., Navarrete T. and Orozco C. (2006). WORKLOAD HIDDEN MARKOV MODEL FOR ANOMALY DETECTION. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006) ISBN 978-972-8865-63-4, pages 56-60. DOI: 10.5220/0002099700560060

in Bibtex Style

@conference{secrypt06,
author={Juan Manuel García and Tomás Navarrete and Carlos Orozco},
title={WORKLOAD HIDDEN MARKOV MODEL FOR ANOMALY DETECTION},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)},
year={2006},
pages={56-60},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002099700560060},
isbn={978-972-8865-63-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)
TI - WORKLOAD HIDDEN MARKOV MODEL FOR ANOMALY DETECTION
SN - 978-972-8865-63-4
AU - Manuel García J.
AU - Navarrete T.
AU - Orozco C.
PY - 2006
SP - 56
EP - 60
DO - 10.5220/0002099700560060