Intrusion detection based on system calls and homogeneous Markov chains 被引量：8

Intrusion detection based on system calls and homogeneous Markov chains

下载PDF

导出

摘要 A novel method for detecting anomalous program behavior is presented, which is applicable to hostbased intrusion detection systems that monitor system call activities. The method constructs a homogeneous Markov chain model to characterize the normal behavior of a privileged program, and associates the states of the Markov chain with the unique system calls in the training data. At the detection stage, the probabilities that the Markov chain model supports the system call sequences generated by the program are computed. A low probability indicates an anomalous sequence that may result from intrusive activities. Then a decision rule based on the number of anomalous sequences in a locality frame is adopted to classify the program＇s behavior. The method gives attention to both computational efficiency and detection accuracy, and is especially suitable for on-line detection. It has been applied to practical host-based intrusion detection systems. A novel method for detecting anomalous program behavior is presented, which is applicable to hostbased intrusion detection systems that monitor system call activities. The method constructs a homogeneous Markov chain model to characterize the normal behavior of a privileged program, and associates the states of the Markov chain with the unique system calls in the training data. At the detection stage, the probabilities that the Markov chain model supports the system call sequences generated by the program are computed. A low probability indicates an anomalous sequence that may result from intrusive activities. Then a decision rule based on the number of anomalous sequences in a locality frame is adopted to classify the program＇s behavior. The method gives attention to both computational efficiency and detection accuracy, and is especially suitable for on-line detection. It has been applied to practical host-based intrusion detection systems.

作者 Tian Xinguang Duan Miyi Sun Chunlai Li Wenfa

机构地区 Inst. of Computing Technology Inst. of Computing Technology

出处《Journal of Systems Engineering and Electronics》 SCIE EI CSCD 2008年第3期598-605,共8页 系统工程与电子技术（英文版）

基金 the National Grand Fundamental Research "973" Program of China (2004CB318109) the High-Technology Research and Development Plan of China (863-307-7-5) the National Information Security 242 Program ofChina (2005C39).

关键词 intrusion detection Markov chain anomaly detection system call. intrusion detection, Markov chain, anomaly detection, system call.

分类号 TP30 [自动化与计算机技术—计算机系统结构]

引文网络
相关文献

参考文献16

1Yan Q, Xie W X, Yang B. An anomaly intrusion detection method based on HMM. Electronics Letters, 2002, 38 (13): 663-664.
2Lane T, Carla E B. An empirical study of two approaches to sequence learning for anomaly detection. Machine Learning, 2003, 51(1): 73-107.
3Lane T. Machine learning techniques for the computer security domain of anomaly detection. Purdue University, 2000.
4Mukkamala S, Sung A H, Abraham A. Intrusion detection using an ensemble of intelligent paradigms. Journal of Network and Computer Application, 2005, 28(2):167-182.
5Hofmeyr S A, Forrest S, Somayaji A. Intrusion detection using sequences of system calls. Journal of Computer Security, 1998(6):151-180.
6Maxion R A, Townsend T N. Masquerade detection using truncated command lines. Prec. of International Conference on Dependable Systems and Networks, Washington, DC, USA, 2002: 219-228.
7Sehonlau M, DuMouchel W. Computer intrusion: detecting masquerades. Statistical Science, 2001, 16(1):58-74.
8Warrender C, Forrest S, Pearlmutter B. Detecting intrusions using system calls: alternative data models. Proc.of the IEEE Symposium on Security and Privacy, Berkely, USA: IEEE Computer Society, 1999: 133-145.
9Oh S H, Lee W. A clustering-based anomaly intrusion detection for a host computer. IEICE Trans. on Information and Systems, 2004, 87(8):2086-2094.
10Verwoerd T, Hunt R. Intrusion detection techniques and approaches.Computer Communication, 2002, 25(15):1356- 1365.

同被引文献75

1杨智君,田地,马骏骁,隋欣,周斌.入侵检测技术研究综述[J].计算机工程与设计,2006,27(12):2119-2123. 被引量：45
2TIAN Xin-guang,GAO Li-zhi,SUN Chun-lai,DUAN Mi-yi,ZHANG Er-yang.A Method for Anomaly Detection of User Behaviors Based on Machine Learning[J].The Journal of China Universities of Posts and Telecommunications,2006,13(2):61-65. 被引量：4
3李涛.基于免疫的网络监控模型[J].计算机学报,2006,29(9):1515-1522. 被引量：53
4ZHANG Xuejun.An Improved Traitor Tracing Scheme Based on Bilinear Map[J].Wuhan University Journal of Natural Sciences,2007,12(1):5-8. 被引量：2
5仵博,刘兴东,吴敏.基于GSM的通用远程报警控制器的研制[J].计算机工程与应用,2007,43(8):92-94. 被引量：14
6俞研,黄皓.面向入侵检测的基于多目标遗传算法的特征选择[J].计算机科学,2007,34(3):197-200. 被引量：9
7俞研,黄皓.基于改进多目标遗传算法的入侵检测集成方法(英文)[J].软件学报,2007,18(6):1369-1378. 被引量：21
8BAJCSY R, KESIDIS G, LEVITT K, et al. Cyber Defense Technology Networking and Evaluation [ J]. Communications of the ACM, 2004, 47 (3) : 58-61.
9ALGIRDAS A, JEAN-CLAUDE L, BRIAN R, et al. Basic Concepts and Taxonomy of Dependable and Secure Computing [J]. IEEE Transactions on Dependable and Secure Computing, 2004, 1 (1) : 11-33.
10SZYMANSKI B K, ZHANG Y Q. Recursive Data Mining for Masquerade Detection and Author Identification [ C ] //Proceedings of the 5th IEEE System, Man and Cybernetics Information Assurance Workshop. NY: [ s. n. ], 2004: 424-431.

引证文献8

1田新广,程学旗,段洣毅,廖睿,刘悦.基于双向核实机制的移动通信终端防伪验证[J].吉林大学学报（信息科学版）,2009,27(4):366-370.
2苏景志,田新广.军工行业信息系统安全风险分析与评估[J].信息安全与通信保密,2010,7(1):64-66. 被引量：1
3田新广,段洣毅,程学旗.基于shell命令和多重行为模式挖掘的用户伪装攻击检测[J].计算机学报,2010,33(4):697-705. 被引量：20
4田新广,程学旗,陈小娟,段洣毅,许洪波.面向Unix和Linux平台的网络用户伪装入侵检测[J].计算机科学与探索,2010,4(6):500-510. 被引量：2
5杨云,宓佳,党宏社.嵌入式入侵检测系统的设计与实现[J].计算机工程与设计,2011,32(1):21-23. 被引量：8
6刘辉,王俊峰,佘春东.基于频繁子图挖掘的异常入侵检测新方法[J].计算机应用研究,2011,28(3):1122-1126. 被引量：1
7姚巧鸽,王彩峰.光纤周界入侵振动信号嵌入式实时检测[J].激光杂志,2017,38(7):24-27.
8张凤斌,范学林,席亮.免疫入侵检测多目标优化克隆选择算法研究[J].计算机工程与科学,2018,40(2):261-267. 被引量：1

二级引证文献33

1肖喜,田新广,翟起滨,叶润国.基于shell命令和Markov链模型的用户伪装攻击检测[J].通信学报,2011,32(3):98-105. 被引量：6
2肖喜,翟起滨,田新广,陈小娟,叶润国.基于Shell命令和多阶Markov链模型的用户伪装攻击检测[J].电子学报,2011,39(5):1199-1204. 被引量：6
3张旭阳,文政颖.Solaris系统入侵检测研究[J].网络安全技术与应用,2011(11):16-17.
4刘明,高玉琢.一种基于Snort规则和神经网络的混合入侵检测模型[J].广西大学学报（自然科学版）,2011,36(A01):110-115. 被引量：1
5肖喜,翟起滨,田新广,陈小娟.基于Shell命令和DTMC模型的用户行为异常检测新方法[J].计算机科学,2011,38(11):54-58. 被引量：2
6XIAO Xi,XIA Shu-tao,TIAN Xin-guang,ZHAI Qi-bin.Anomaly detection of user behavior based on DTMC with states of variable-length sequences[J].The Journal of China Universities of Posts and Telecommunications,2011,18(6):106-115. 被引量：1
7彦逸,施勇,薛质.基于传统匿名网的通道优化[J].信息安全与通信保密,2012,10(1):89-90.
8王奇志,方莉.基于混合字符串加密的动态口令研究[J].长江大学学报（自科版）（上旬）,2012,9(6):117-119.
9李超,田新广,肖喜,段洣毅.基于Shell命令和共生矩阵的用户行为异常检测方法[J].计算机研究与发展,2012,49(9):1982-1990. 被引量：10
10高玉喜.计算机数据库入侵检测技术探析[J].计算机光盘软件与应用,2012,15(16):166-167. 被引量：6

1Meng Jiangtao Lu Xianliang Dong Guishan.Prototype for logging system calls and its overhead analysis[J].Journal of Systems Engineering and Electronics,2007,18(3):661-666.
2TIAN Xinguang,DUAN Miyi,LI Wenfa,SUN Chunlai.Anomaly Detection of User Behavior Based on Shell Commands and Homogeneous Markov Chains[J].Chinese Journal of Electronics,2008,17(2):231-236. 被引量：12
3Xinkui ZHAO,Jianwei YIN,Zuoning CHEN,Sheng HE.vSpec： workload-adaptive operating system specialization for virtual machines in cloud computing[J].Science China(Information Sciences),2016,59(9):43-58.
4Dai Xiaoming, Sun Rang, Zou Runmin2, Xu Chao & Shao Huihe(. Dept. of Auto., School of Electric and Information, Shanghai Jiaotong University, Shanghai 200030, P. R. China,College of Information Science and Enginereing, Central South University, Changsha.Global Convergence Analysis of Non-Crossover Genetic Algorithm and Its Application to Optimization[J].Journal of Systems Engineering and Electronics,2002,13(2):84-91. 被引量：3

Journal of Systems Engineering and Electronics

2008年第3期

浏览历史

内容加载中请稍等...

Intrusion detection based on system calls and homogeneous Markov chains 被引量：8

参考文献16

同被引文献75

引证文献8

二级引证文献33

相关作者

相关机构

相关主题

浏览历史