Blocking model of anomaly behavior based on adaptive sliding window
(original title: Desktop anomaly-behavior blocking model based on an adaptive sliding window)
Abstract: To address the shortcomings of the signature-based detection and single-point, fragmentary blocking used by traditional anti-virus software, this paper proposes a desktop anomaly-behavior blocking model based on an adaptive sliding window that traces and blocks the whole course of a given malware process. Building on a multi-step consistency exponential iteration detection algorithm, it analyzes and detects Windows kernel system-call (native API, application programming interface) sequences and designs an adaptive blocking mechanism with a sliding window. Two indices, normal density and abnormal density, are proposed to measure the security status of an observed process and to decide when to adjust the sliding-window step; the size of the adjustment is determined using network entropy theory. Experimental results show that, unlike the behavior-blocking approach of anti-virus software, the model detects and tracks intrusion behavior earlier, and that its average blocking time is nearly half that of a fixed-window blocking model.
Source: Journal of Huazhong University of Science and Technology (Natural Science Edition), 2010, No. 11, pp. 44-47 (4 pages). Indexed in EI, CAS, CSCD; Peking University Core Journal.
Funding: National High Technology Research and Development Program of China (2007AA01Z464); National Defense "Eleventh Five-Year" Pre-research Program; Shipbuilding Industry National Defense Science and Technology Pre-research Project.
Keywords: desktop security; behavior blocking; adaptive sliding window; system call / native API (application programming interface); density index.
References (9)

  • 1 Forrest S, Hofmeyr S A, Somayaji A, et al. A sense of self for UNIX processes [C]// Proceedings of the IEEE Symposium on Security and Privacy. Washington: IEEE Computer Society Press, 1996: 120-128.
  • 2 Warrender C, Forrest S, Pearlmutter B. Detecting intrusions using system calls: alternative data models [C]// Proceedings of the IEEE Symposium on Security and Privacy. Los Alamitos: IEEE Computer Society Press, 1999: 133-145.
  • 3 Yu Zhenwei, Tsai J J P, Weigert T. An automatically tuning intrusion detection system [J]. IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, 2007, 37(2): 373-384.
  • 4 Han S J, Cho S B. Evolutionary neural networks for anomaly detection based on the behavior of a program [J]. IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, 2006, 36(3): 559-570.
  • 5 Cho S B, Park H J. Efficient anomaly detection by modeling privilege flows using hidden Markov model [J]. Computers & Security, 2003, 22(1): 45-55.
  • 6 Michael C, Ghosh A. Simple, state-based approaches to program-based anomaly detection [J]. ACM Transactions on Information and System Security, 2002, 5(3): 203-237.
  • 7 Wu Naiqi, Qian Yanming, Chen Guiqing. A novel approach to trojan horse detection by process tracing [C]// Proceedings of the 2006 IEEE International Conference on Networking, Sensing and Control. Fort Lauderdale: IEEE, 2006: 721-726.
  • 8 Xiao Haijun, Wang Xiaofei, Hong Fan, Cui Guohua. Anomaly detection based on feature selection and support vector machine [J]. Journal of Huazhong University of Science and Technology (Natural Science Edition), 2008, 36(3): 99-102.
  • 9 Zhang Yirong, Xian Ming, Wang Guoyu. A quantitative evaluation method of computer network attack effect based on network entropy [J]. Journal on Communications, 2004, 25(11): 158-165.
