Lightweight anomaly detection system with HMM resource modeling

Midori Sugaya, Yuki Ohno, Tatsuo Nakajima

Research output: Contribution to journalArticle

4 Citations (Scopus)

Abstract

In this paper, a lightweight anomaly detection infrastructure named Anomaly Detection by Resource Monitoring is presented for Information Appliances. We call it Ayaka for short. It provides a monitoring function for detecting anomalies, especially attacks which are a symptom of resource abuse, by using the resource patterns of each process. Ayaka takes a completely application black-box approach, based on machine learning methods. It uses the clustering method to quantize the resource usage vector data and then learn the normal patterns with a hidden Markov Model. In the running phase, Ayaka finds anomalies by comparing the application resource usage with the learned model. This reduces the general overhead of the analyzer and makes it possible to monitor the process in real-time. The evaluation experiment indicates that our prototype system is able to detect anomalies such as SQL injection and buffer overrun with a minimum of false positives and small (about 1%) system overhead, without previously defined anomaly models.

Original languageEnglish
Pages (from-to)35-54
Number of pages20
JournalInternational Journal of Security and its Applications
Volume3
Issue number3
Publication statusPublished - 2009
Externally publishedYes

Fingerprint

Monitoring
Hidden Markov models
Learning systems
Experiments

Keywords

  • Anomaly detection
  • HMM
  • Model
  • Operating system
  • Security
  • System resource

ASJC Scopus subject areas

  • Computer Science(all)

Cite this

Lightweight anomaly detection system with HMM resource modeling. / Sugaya, Midori; Ohno, Yuki; Nakajima, Tatsuo.

In: International Journal of Security and its Applications, Vol. 3, No. 3, 2009, p. 35-54.

Research output: Contribution to journalArticle

@article{d966845bb08641f4b7f432db1988ba95,
title = "Lightweight anomaly detection system with HMM resource modeling",
abstract = "In this paper, a lightweight anomaly detection infrastructure named Anomaly Detection by Resource Monitoring is presented for Information Appliances. We call it Ayaka for short. It provides a monitoring function for detecting anomalies, especially attacks which are a symptom of resource abuse, by using the resource patterns of each process. Ayaka takes a completely application black-box approach, based on machine learning methods. It uses the clustering method to quantize the resource usage vector data and then learn the normal patterns with a hidden Markov Model. In the running phase, Ayaka finds anomalies by comparing the application resource usage with the learned model. This reduces the general overhead of the analyzer and makes it possible to monitor the process in real-time. The evaluation experiment indicates that our prototype system is able to detect anomalies such as SQL injection and buffer overrun with a minimum of false positives and small (about 1{\%}) system overhead, without previously defined anomaly models.",
keywords = "Anomaly detection, HMM, Model, Operating system, Security, System resource",
author = "Midori Sugaya and Yuki Ohno and Tatsuo Nakajima",
year = "2009",
language = "English",
volume = "3",
pages = "35--54",
journal = "International Journal of Security and its Applications",
issn = "1738-9976",
publisher = "Science and Engineering Research Support Society",
number = "3",

}

TY - JOUR

T1 - Lightweight anomaly detection system with HMM resource modeling

AU - Sugaya, Midori

AU - Ohno, Yuki

AU - Nakajima, Tatsuo

PY - 2009

Y1 - 2009

N2 - In this paper, a lightweight anomaly detection infrastructure named Anomaly Detection by Resource Monitoring is presented for Information Appliances. We call it Ayaka for short. It provides a monitoring function for detecting anomalies, especially attacks which are a symptom of resource abuse, by using the resource patterns of each process. Ayaka takes a completely application black-box approach, based on machine learning methods. It uses the clustering method to quantize the resource usage vector data and then learn the normal patterns with a hidden Markov Model. In the running phase, Ayaka finds anomalies by comparing the application resource usage with the learned model. This reduces the general overhead of the analyzer and makes it possible to monitor the process in real-time. The evaluation experiment indicates that our prototype system is able to detect anomalies such as SQL injection and buffer overrun with a minimum of false positives and small (about 1%) system overhead, without previously defined anomaly models.

AB - In this paper, a lightweight anomaly detection infrastructure named Anomaly Detection by Resource Monitoring is presented for Information Appliances. We call it Ayaka for short. It provides a monitoring function for detecting anomalies, especially attacks which are a symptom of resource abuse, by using the resource patterns of each process. Ayaka takes a completely application black-box approach, based on machine learning methods. It uses the clustering method to quantize the resource usage vector data and then learn the normal patterns with a hidden Markov Model. In the running phase, Ayaka finds anomalies by comparing the application resource usage with the learned model. This reduces the general overhead of the analyzer and makes it possible to monitor the process in real-time. The evaluation experiment indicates that our prototype system is able to detect anomalies such as SQL injection and buffer overrun with a minimum of false positives and small (about 1%) system overhead, without previously defined anomaly models.

KW - Anomaly detection

KW - HMM

KW - Model

KW - Operating system

KW - Security

KW - System resource

UR - http://www.scopus.com/inward/record.url?scp=78649608994&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=78649608994&partnerID=8YFLogxK

M3 - Article

VL - 3

SP - 35

EP - 54

JO - International Journal of Security and its Applications

JF - International Journal of Security and its Applications

SN - 1738-9976

IS - 3

ER -