摘要
由于系统调用信息可以在一定程度上反映程序的行为特性,因此利用系统调用来对程序行为进行建模是目前入侵检测领域的研究热点。以静态建模、动态建模和混合建模这3种不同的建模方式为切入点,按照时间顺序将基于系统调用的软件行为模型的发展划分为3个阶段:初期阶段、发展阶段和综合发展阶段。然后剖析了各阶段内的模型的发展轨迹以及它们之间的内在联系,并对它们做了横向对比分析。研究表明,基于系统调用的软件行为建模技术的发展趋势应是结合静态和动态建模技术以及结合系统调用的控制流信息和数据流信息,并综合考虑其他实时信息,如环境变量和上下文信息等,开发出检测能力更强、完备性更高以及实际可行性高的软件行为模型。
Modeling program behavior based on system call has become the hot topic in intrusion detection since system call can reflect the program behavior in some degree. This paper studied three different types of modeling methods that are dynamically modeling, statically modeling and hybridly modeling as the breakthrough point, and concluded that the development process of behavior models can be divided into three stages: initial stage, developmental stage and synthetical stage. The evaluation and comparison experiments were done to find the inherent relations and development track of some typical models in different stages. The whole analysis in this paper indicates that the future trend of behavior modeling methods is to develop a software behavior model with high detection capability, completeness, and actual feasibility through the combination consideration of the static techniques with dynamic techniques, the control flow with data flow,and the other real-time information such as environment variables and context information.
出处
《计算机科学》
CSCD
北大核心
2010年第4期151-157,共7页
Computer Science
基金
863国家重点基金项目(2007AA01Z411)
国家自然科学基金(90718005)资助
关键词
行为模型
入侵检测
系统调用
Behavior model, Intrusion detection, System call
