摘要
提出一个高效准确的基于程序行为的异常入侵检测模型,该模型对于静态链接的程序部分以及函数递归基于优化的堆栈遍历技术获得调用堆栈状态信息;对于程序循环,使用代码插入和Null挤压技术来高效地获得系统调用上下文信息;基于动态通知技术,处理非标准的控制转移;从而,能够获得完备的系统调用上下文信息,提高了模型的准确度.给出了模型的描述和实施,分析了其优点.在Linux程序上的实验表明,该模型可保持检测的高效率.
An accurate efficient program behavior-based anomaly detection model is proposed. For statically-linked program portion and function recursive, optimized call stack walk is adopted to gain call stack state information, code insertion and Null call squelching is used to deal with loop function. Dynamic notifying technique is used to deal with non-standard control transfer. Thereby, it can gain complete system call context information, which improve the model's precision. Formal description of the new model is given, its enforcement is detailed and its advantages are discussed. Performance evaluations on Linux programs show that the new model is efficient.
出处
《小型微型计算机系统》
CSCD
北大核心
2008年第11期2070-2073,共4页
Journal of Chinese Computer Systems
