Abstract
To address the high false-positive and false-negative rates common in intrusion detection, a new program-behaviour anomaly detection method based on a hidden Markov model (HMM) is proposed. The method takes the system call sequences generated during the normal execution of programs as its object of study and builds an HMM of normal program behaviour. At the detection stage, the test trace of system calls is divided into short sequences with a sliding window, and the output probability of each short sequence is computed from the normal-behaviour HMM. If the output probability of a short system call sequence falls below a preset threshold, the short sequence is marked as a "mismatch"; if the ratio of mismatched short sequences to all short sequences in the trace exceeds a second preset threshold, the model judges the program behaviour as anomalous and the trace is treated as an intrusion. Experimental results show that, compared with Forrest's and Lee's methods, the proposed method raises the detection rate by up to 590%.
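The two-threshold detection procedure described in the abstract, as an added example that is not the paper's own code. The system-call alphabet, the two-state HMM parameters, the traces and both thresholds are constructed for this example; the paper does not state how its thresholds were chosen, so the calibration used here (the lowest log-probability seen on normal windows, minus a margin) is an assumption of this example, not the authors' method. Scores are compared only between windows of the same width k, because the log-probability of a sequence falls with its length.

```python
"""Added example: HMM-scored short system-call sequences with a mismatch
threshold and a mismatch-ratio threshold.  All parameters and traces below
are constructed for illustration; none come from the paper."""
import math
from typing import List, Sequence, Tuple

# Constructed observation alphabet (system call names -> symbol index).
SYSCALLS = ["open", "read", "write", "close", "mmap", "execve"]
SYM = {name: i for i, name in enumerate(SYSCALLS)}

# Constructed 2-state "normal behaviour" HMM: state 0 = file I/O phase,
# state 1 = memory-setup phase.  Every row sums to 1.
PI = [0.7, 0.3]
A = [[0.8, 0.2],
     [0.3, 0.7]]
B = [[0.30, 0.30, 0.20, 0.18, 0.01, 0.01],   # state 0: almost never mmap/execve
     [0.10, 0.05, 0.05, 0.10, 0.65, 0.05]]   # state 1: mostly mmap
FLOOR = 1e-12  # probability floor so unseen symbols give a finite log score


def _logp(p: float) -> float:
    return math.log(p if p > 0.0 else FLOOR)


def _logsumexp(xs: Sequence[float]) -> float:
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))


def forward_log_prob(obs: Sequence[int], pi=PI, a=A, b=B) -> float:
    """log P(obs | HMM) by the forward algorithm, in log space to avoid underflow.
    Symbols outside the alphabet (index -1) get the floor emission probability."""
    n = len(pi)

    def emit(s: int, o: int) -> float:
        return _logp(b[s][o]) if 0 <= o < len(b[s]) else _logp(0.0)

    alpha = [_logp(pi[s]) + emit(s, obs[0]) for s in range(n)]
    for o in obs[1:]:
        alpha = [_logsumexp([alpha[i] + _logp(a[i][j]) for i in range(n)]) + emit(j, o)
                 for j in range(n)]
    return _logsumexp(alpha)


def encode(trace: Sequence[str]) -> List[int]:
    return [SYM.get(call, -1) for call in trace]


def sequence_prob(trace: Sequence[str]) -> float:
    """P(trace | HMM) on the linear scale, for short traces only."""
    return math.exp(forward_log_prob(encode(trace)))


def short_sequences(trace: Sequence[str], k: int) -> List[List[int]]:
    """Sliding window of width k over the trace (stride 1)."""
    enc = encode(trace)
    return [enc[i:i + k] for i in range(len(enc) - k + 1)]


def calibrate_threshold(normal_traces: Sequence[Sequence[str]], k: int, margin: float = 2.0) -> float:
    """Assumed calibration: lowest log-probability of any normal window, minus a margin."""
    scores = [forward_log_prob(s) for t in normal_traces for s in short_sequences(t, k)]
    return min(scores) - margin


def detect(trace: Sequence[str], k: int, log_prob_threshold: float,
           ratio_threshold: float) -> Tuple[bool, float, List[float]]:
    """Returns (is_anomalous, mismatch_ratio, per-window log scores)."""
    scores = [forward_log_prob(s) for s in short_sequences(trace, k)]
    if not scores:                       # trace shorter than the window
        return False, 0.0, scores
    mismatches = sum(1 for lp in scores if lp < log_prob_threshold)
    ratio = mismatches / len(scores)
    return ratio > ratio_threshold, ratio, scores


# Constructed traces: a normal file-I/O pattern and one with an execve burst.
NORMAL_TRACE = ["open", "read", "read", "write", "close", "mmap", "mmap",
                "open", "read", "write", "close"]
ANOMALOUS_TRACE = ["open", "read", "execve", "execve", "execve", "execve",
                   "execve", "execve", "write", "close"]

if __name__ == "__main__":
    K = 5
    thr = calibrate_threshold([NORMAL_TRACE], K)
    for name, trace in (("normal", NORMAL_TRACE), ("anomalous", ANOMALOUS_TRACE)):
        flag, ratio, _ = detect(trace, K, thr, ratio_threshold=0.3)
        print(f"{name}: mismatch ratio={ratio:.2f} anomalous={flag}")
```

In this form the normal trace produces no mismatches by construction, while the execve burst drives almost every window below the threshold; in practice the window width, both thresholds and the margin would be fitted on held-out normal traces rather than fixed by hand.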
Source
Journal of Xi'an Jiaotong University (《西安交通大学学报》)
Indexed in: EI, CAS, CSCD, Peking University Core Journals (北大核心)
2005, No. 10, pp. 1056-1059 (4 pages)
Funding
National Science Fund for Distinguished Young Scholars (60243001)
National Natural Science Foundation of China (60243001)
National High-Tech Research and Development Program of China (2001AA140213)
Keywords
intrusion detection; hidden Markov model; anomaly detection; system call