In recent years, with the increasing number of attacks against user privacy in web services, researchers put a significant effort on realizing more and more sophisticated Intrusion Detection Systems in order to identify potentially malicious activities. Among such systems, Anomaly Detection Systems rely on a baseline given by a normal behavior and consider every deviation from such behavior as an intrusion. In this paper, we propose a novel Anomaly Detection System to detect intrusions in users’ private areas in on-line web services. Such services usually record logs of user activity from different points: access, actions in a session and system responses. We design an ad-hoc mathematical model for each of these logs to build a profile for a normal behavior. In particular, we model users’ accesses through a Hidden Markov Model (HMM) and Users’ activity with a Continuous Time Markov Chain (CTMC). We propose a novel Anomaly Detection System algorithm that takes into consideration the deviation from the above Markov Processes. Finally, we evaluate our proposal with a thorough set of experiments, which results confirm the feasibility and effectiveness of our solution.