Lightweight anomaly detection system with HMM resource modeling

Midori Sugaya*, Yuki Ohno, Tatsuo Nakajima

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

4 Citations (Scopus)


In this paper, a lightweight anomaly detection infrastructure named Anomaly Detection by Resource Monitoring is presented for Information Appliances. We call it Ayaka for short. It provides a monitoring function for detecting anomalies, especially attacks which are a symptom of resource abuse, by using the resource patterns of each process. Ayaka takes a completely application black-box approach, based on machine learning methods. It uses the clustering method to quantize the resource usage vector data and then learn the normal patterns with a hidden Markov Model. In the running phase, Ayaka finds anomalies by comparing the application resource usage with the learned model. This reduces the general overhead of the analyzer and makes it possible to monitor the process in real-time. The evaluation experiment indicates that our prototype system is able to detect anomalies such as SQL injection and buffer overrun with a minimum of false positives and small (about 1%) system overhead, without previously defined anomaly models.

Original languageEnglish
Pages (from-to)35-54
Number of pages20
JournalInternational Journal of Security and its Applications
Issue number3
Publication statusPublished - 2009


  • Anomaly detection
  • HMM
  • Model
  • Operating system
  • Security
  • System resource

ASJC Scopus subject areas

  • Computer Science(all)


Dive into the research topics of 'Lightweight anomaly detection system with HMM resource modeling'. Together they form a unique fingerprint.

Cite this