Publications

Workload hidden Markov model for anomaly detection

Authors

Garcia, Juan Manuel; Navarrete, Tomas; Orozco, Carlos; INSTICC

External publication

No

Venue

Secrypt 2006: Proceedings Of The International Conference On Security And Cryptography

Scope

Proceedings Paper

Nature

Scientific

JCR quartile

SJR quartile

Publication date

01/01/2006

ISI

000241938000016

Abstract

We present an approach to anomaly detection based on the construction of a Hidden Markov Model trained on processor workload data. Based on processor load measurements, an HMM is constructed as a model of the system's normal behavior. Any observed sequence of processor load measurements that is unlikely to have been generated by the HMM is then considered an anomaly. We test our approach by taking real data of a mail server's processor load to construct an HMM and then we test it under several experimental conditions, including simulated DoS attacks. We show some evidence suggesting that this method could be successful in detecting attacks or misuse that directly affect processor performance.

Keywords

intrusion detection; anomaly detection; time series analysis; Markov processes