Abstract
Intrusion detection based on process behavior is one of the important techniques for hosts to defend against intrusion and detect malicious code. This paper proposes an intrusion detection model based on static analysis of executable files. Through static analysis of the application's executable file, the model builds the set of all fixed-length system call sequences the application could possibly execute, and performs detection by monitoring in real time whether the system call sequences executed by the process fall within that set. The model needs neither source code nor large-scale training data, and has good generality and ease of use; when the application's executable file is complete, the false positive rate is 0, the ability to resist mimicry attacks is stronger, and the false negative rate is lower.
Intrusion detection based on process behavior is one of the mainstream techniques for defending against intrusion and malicious code. In this paper, an intrusion detection model based on static analysis of executables is brought forward. The model statically analyzes the executable files of the application to construct the set of all the possible N-length system call sequences. When monitoring in real time, it splits the system call sequence the process triggered into N-length sequences with an N-length sliding window. If any of these N-length sequences is not in the set, the process is marked as intrusive. The model does not need source code or large amounts of training data, and is much more universal and applicable. When the executable files of the application are complete, the false positive rate is 0. It is much stronger in defending against mimicry attacks and its false negative rate is much lower.
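A minimal worked version of the two phases the abstract describes, added here as an example (not the paper's code). The call-site graph below is a constructed stand-in for what static analysis of a real executable would produce; the N-gram enumeration and the sliding-window monitor are the parts the model relies on.

```python
from collections import deque

# Constructed stand-in for the output of static analysis: a control-flow graph
# over the executable's system-call sites (hypothetical, not a real binary).
# Each key is a call site; the value is (syscall name, successor sites).
CFG = {
    "s0": ("open",  ["s1"]),
    "s1": ("read",  ["s1", "s2"]),   # read loop
    "s2": ("write", ["s3"]),
    "s3": ("close", ["s4", "s0"]),   # may reopen the file or exit
    "s4": ("exit",  []),
}

def allowed_ngrams(cfg, n):
    """Enumerate every N-length syscall sequence some CFG path can produce.

    A bounded depth-first walk is started from every call site, so windows that
    begin in the middle of execution are included as well as those from entry.
    Recursion stops once the window is N long, so loops in the CFG terminate.
    """
    allowed = set()
    def walk(site, window):
        name, succs = cfg[site]
        window = window + (name,)
        if len(window) == n:
            allowed.add(window)
            return
        for nxt in succs:
            walk(nxt, window)
    for site in cfg:
        walk(site, ())
    return allowed

def detect(trace, allowed, n):
    """Slide an N-length window over a runtime syscall trace.

    Returns the start index of the first window not in the allowed set, or
    None when every window is known (the trace is consistent with the binary,
    which is why a complete executable yields no false positives).
    """
    window = deque(maxlen=n)
    for i, call in enumerate(trace):
        window.append(call)
        if len(window) == n and tuple(window) not in allowed:
            return i - n + 1
    return None

if __name__ == "__main__":
    allowed = allowed_ngrams(CFG, 3)
    print(detect(["open", "read", "read", "write", "close", "exit"], allowed, 3))
    print(detect(["open", "read", "execve", "write"], allowed, 3))
```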
Source
Chinese Journal of Computers (计算机学报)
EI
CSCD
PKU Core Journal (北大核心)
2006, Issue 9, pp. 1572-1578 (7 pages)
Funding
National Key Basic Research and Development Program of China ("973" Program) (G1999035802)
National Science Fund for Distinguished Young Scholars (60025205)
National Natural Science Foundation of China (60273027)
Keywords
intrusion detection
system call
static analysis