WORKLOAD HIDDEN MARKOV MODEL FOR ANOMALY DETECTION

Juan Manuel García, Tomás Navarrete, Carlos Orozco

Abstract

We present an approach to anomaly detection based on a Hidden Markov Model (HMM) trained on processor workload data. From processor load measurements, an HMM is constructed as a model of the system's normal behavior. Any observed sequence of processor load measurements that is unlikely to have been generated by the HMM is then flagged as an anomaly. We test the approach by constructing an HMM from real processor load data of a mail server and then evaluating it under several experimental conditions, including a simulated DoS attack. We show some evidence suggesting that this method could succeed in detecting attacks or misuse that directly affect processor performance.
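The detection loop the abstract describes (fit an HMM to normal processor load, score each new window of measurements by its likelihood under that model, flag windows that are too unlikely), as an added example that is not the paper's code. Everything concrete here is my assumption, not the paper's: half-hourly sampling, four load symbols, a 2-state discrete HMM fitted with Baum-Welch, a mean-minus-3σ threshold on the per-sample forward log-likelihood, and the constructed load data (a quiet night, a busier working day, one short nightly spike, and a sustained-100% window standing in for the DoS test).

```python
"""Workload HMM anomaly detector (added example, not the paper's code).

Assumptions that are mine, not the paper's: CPU load sampled every 30 min,
quantised into 4 symbols, a 2-state discrete HMM fitted with Baum-Welch,
and a window flagged when its per-sample forward log-likelihood falls
below mean - 3*std of the training windows.  All load data is constructed.
"""
import math
import random

N = 2          # hidden states (roughly "quiet" and "busy")
K = 4          # observation symbols
WINDOW = 24    # 12 hours of half-hourly samples


def quantise(load_pct):
    """Map a CPU load percentage to a symbol: 0:<25, 1:<50, 2:<75, 3:>=75."""
    return min(K - 1, max(0, int(load_pct // 25)))


def forward(seq, start, trans, emit):
    """Scaled forward algorithm.  Returns log P(seq | model), the scaled
    alpha matrix and the per-step scale factors (reused by Baum-Welch)."""
    T = len(seq)
    alpha = [[0.0] * N for _ in range(T)]
    scale = [0.0] * T
    alpha[0] = [start[i] * emit[i][seq[0]] for i in range(N)]
    scale[0] = sum(alpha[0])
    alpha[0] = [a / scale[0] for a in alpha[0]]
    for t in range(1, T):
        alpha[t] = [sum(alpha[t - 1][i] * trans[i][j] for i in range(N))
                    * emit[j][seq[t]] for j in range(N)]
        scale[t] = sum(alpha[t])
        alpha[t] = [a / scale[t] for a in alpha[t]]
    return sum(math.log(c) for c in scale), alpha, scale


def baum_welch(seq, iters=40, pseudo=0.5):
    """Fit start/transition/emission tables to one long training sequence.
    The pseudocount keeps symbols rare or absent in training from getting
    probability 0, which would turn later scores into -inf rather than
    'very low' and make the threshold meaningless."""
    start = [0.5, 0.5]
    trans = [[0.9, 0.1], [0.1, 0.9]]
    emit = [[0.4, 0.3, 0.2, 0.1], [0.1, 0.2, 0.3, 0.4]]
    T = len(seq)
    for _ in range(iters):
        _, alpha, scale = forward(seq, start, trans, emit)
        beta = [[1.0] * N for _ in range(T)]          # scaled backward pass
        for t in range(T - 2, -1, -1):
            beta[t] = [sum(trans[i][j] * emit[j][seq[t + 1]] * beta[t + 1][j]
                           for j in range(N)) / scale[t + 1] for i in range(N)]
        gamma = []                                    # P(state_t = i | seq)
        for t in range(T):
            g = [alpha[t][i] * beta[t][i] for i in range(N)]
            z = sum(g)
            gamma.append([x / z for x in g])
        xi_sum = [[0.0] * N for _ in range(N)]        # expected i->j counts
        for t in range(T - 1):
            x = [[alpha[t][i] * trans[i][j] * emit[j][seq[t + 1]] * beta[t + 1][j]
                  for j in range(N)] for i in range(N)]
            z = sum(map(sum, x))
            for i in range(N):
                for j in range(N):
                    xi_sum[i][j] += x[i][j] / z
        start = gamma[0][:]                           # M-step
        for i in range(N):
            occ = sum(gamma[t][i] for t in range(T - 1))
            trans[i] = [(xi_sum[i][j] + pseudo) / (occ + N * pseudo) for j in range(N)]
            occ_all = sum(gamma[t][i] for t in range(T))
            emit[i] = [(sum(gamma[t][i] for t in range(T) if seq[t] == k) + pseudo)
                       / (occ_all + K * pseudo) for k in range(K)]
    return start, trans, emit


def score(window, model):
    """Per-sample log-likelihood, so windows of different length compare."""
    return forward(window, *model)[0] / len(window)


def synth_day(rng):
    """Constructed half-hourly load for one day: quiet night, busier working
    day (08:00-20:00) and one short legitimate spike (a 03:00 backup)."""
    loads = [rng.uniform(20, 65) if 16 <= slot < 40 else rng.uniform(2, 20)
             for slot in range(48)]
    loads[6] = rng.uniform(80, 95)
    return loads


def demo():
    """Train on 7 constructed days, derive a threshold from the training
    windows, then score one normal window and one sustained-load window."""
    rng = random.Random(7)
    train = [quantise(x) for _ in range(7) for x in synth_day(rng)]
    model = baum_welch(train)
    scores = [score(train[i:i + WINDOW], model) for i in range(0, len(train), WINDOW)]
    mean = sum(scores) / len(scores)
    std = math.sqrt(sum((s - mean) ** 2 for s in scores) / len(scores))
    normal = [quantise(x) for x in synth_day(rng)[24:48]]          # day 8, pm+night
    dos = [quantise(rng.uniform(92, 100)) for _ in range(WINDOW)]  # pegged CPU
    return {"threshold": mean - 3 * std, "normal": score(normal, model),
            "dos": score(dos, model), "model": model}


if __name__ == "__main__":
    r = demo()
    for k in ("threshold", "normal", "dos"):
        print(f"{k:>9}: {r[k]:.3f}", "ANOMALY" if r[k] < r["threshold"] else "")
```

Dividing the forward log-likelihood by the window length is what makes the threshold usable across windows of unequal length; the pseudocount matters for the same reason, because a load level never seen in training would otherwise score minus infinity and swamp any statistic derived from the scores. The sustained-high window is improbable under this model not because 100% load is unseen but because the training data only ever contains it for one sample at a time; a legitimate change in the workload with the same shape (a new batch job, say) would trip the detector just as readily, so the model needs refitting whenever the baseline genuinely moves.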



Paper Citation


in Harvard Style

Manuel García J., Navarrete T. and Orozco C. (2006). WORKLOAD HIDDEN MARKOV MODEL FOR ANOMALY DETECTION. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006) ISBN 978-972-8865-63-4, pages 56-60. DOI: 10.5220/0002099700560060


in Bibtex Style

@conference{secrypt06,
author={Juan Manuel García and Tomás Navarrete and Carlos Orozco},
title={WORKLOAD HIDDEN MARKOV MODEL FOR ANOMALY DETECTION},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)},
year={2006},
pages={56-60},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002099700560060},
isbn={978-972-8865-63-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)
TI - WORKLOAD HIDDEN MARKOV MODEL FOR ANOMALY DETECTION
SN - 978-972-8865-63-4
AU - Manuel García J.
AU - Navarrete T.
AU - Orozco C.
PY - 2006
SP - 56
EP - 60
DO - 10.5220/0002099700560060