
Anomaly Detection of Program Behaviors Based on Data Mining and Variable-Length Sequence Matching (cited by: 2)
Abstract: Anomaly detection is currently a hot research topic in the field of intrusion detection. This paper proposes a method for anomaly detection of program behavior based on data mining and variable-length sequence pattern matching, intended mainly for host-based intrusion detection systems on Unix or Linux platforms that use system calls as audit data. The method uses sequence patterns from data mining to model the normal behavior of a privileged program, extracts normal patterns from the training data according to the support of system-call sequences, and builds several pattern libraries to represent the behavior profile of a privileged program. In the detection stage, taking the characteristics of audit data and privileged programs into account, a variable-length sequence pattern matching algorithm compares the program's historical behavior with its current behavior, and two decision schemes are provided that can jointly use multiple window lengths and decision thresholds to judge program behavior, improving detection accuracy and flexibility. The proposed method has been applied in a practical intrusion detection system and shows good detection performance.

English abstract: Network anomaly detection has been an active research topic in the field of Intrusion Detection for many years. This paper presents a new method for anomaly detection of program behaviors based on data mining and variable-length sequence pattern matching. The method uses sequence patterns in data mining technique to model the normal behavior of a privileged program, extracts normal system call sequences according to their supports in the training data, and constructs multiple dictionaries of sequences of different lengths to represent the behavior profile of the program. At the detection stage, variable-length sequences are matched to perform the comparison of the historic normal behaviors and current behaviors, and two different schemes can be used to determine whether the monitored program's behaviors are normal or anomalous while the particularity of program behaviors and audit data is taken into account. The application of the method in practical intrusion detection systems shows that it can achieve high detection performance.
Source: Journal of Signal Processing (《信号处理》), CSCD, Peking University core journal, 2008, No. 4, pp. 551-555 (5 pages)
Funding: National "973" Key Basic Research Program (2004CB318109); National "863" High-Tech Research and Development Program (863-307-7-5); National 242 Information Security Program (2005C39)
Keywords: intrusion detection; data mining; anomaly detection; system call
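As an added illustration (not code from the paper or its authors), the following Python sketch shows the profile-and-match scheme the abstract describes: per-length dictionaries of system-call k-sequences extracted from training traces by support, mismatch rates computed over sliding windows of several lengths on a monitored trace, and a decision that combines the window lengths with one threshold each. The training traces, window lengths, thresholds and the two decision rules ("any" and "all") are my constructed assumptions, not the paper's actual data or its two schemes.

```python
from collections import Counter
from typing import Dict, List, Sequence, Set, Tuple

# Constructed sample data (not from the paper's experiments): system-call traces
# of a hypothetical privileged program's normal runs, used as training data.
NORMAL_TRACES: List[List[str]] = [
    ["open", "read", "write", "close", "open", "read", "write", "close"],
    ["open", "read", "read", "write", "close", "open", "read", "close"],
    ["open", "fstat", "read", "write", "close", "open", "read", "write", "close"],
    ["open", "read", "write", "close"],
]
WINDOW_LENGTHS = (2, 3)            # several window lengths used jointly (assumed values)
THRESHOLDS = {2: 0.3, 3: 0.3}      # one mismatch-rate threshold per length (assumed values)


def windows(trace: Sequence[str], k: int):
    """All length-k contiguous sub-sequences of a trace."""
    return (tuple(trace[i:i + k]) for i in range(len(trace) - k + 1))


def build_profile(traces, lengths, min_support) -> Dict[int, Set[Tuple[str, ...]]]:
    """One dictionary per window length: the k-sequences whose support
    (fraction of training traces they occur in) reaches min_support."""
    profile = {}
    for k in lengths:
        counts = Counter()
        for t in traces:
            counts.update(set(windows(t, k)))  # count a k-sequence once per trace
        profile[k] = {g for g, c in counts.items() if c / len(traces) >= min_support}
    return profile


def mismatch_rates(profile, trace) -> Dict[int, float]:
    """Per window length, the fraction of the trace's windows missing from its dictionary."""
    rates = {}
    for k, dictionary in profile.items():
        wins = list(windows(trace, k))
        rates[k] = sum(w not in dictionary for w in wins) / len(wins) if wins else 0.0
    return rates


def is_anomalous(profile, trace, thresholds, scheme="any") -> bool:
    """Assumed decision rules over all window lengths: 'any' flags the trace when
    any length exceeds its threshold, 'all' only when every length does."""
    rates = mismatch_rates(profile, trace)
    votes = [rates[k] > thresholds[k] for k in profile]
    return any(votes) if scheme == "any" else all(votes)


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES, WINDOW_LENGTHS, min_support=0.5)
    trace = ["open", "read", "mmap", "mprotect", "write", "close", "open"]
    print(mismatch_rates(profile, trace), is_anomalous(profile, trace, THRESHOLDS))
```

With min_support=0.5 the rare 2- and 3-sequences seen in only one training trace are pruned, so the "any" rule flags a trace that reuses them while the "all" rule does not; raising the support or the thresholds trades detection rate against false alarms.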