摘要
针对现有异常应用协议行为检测主要针对某种特定应用,缺乏通用性的问题,提出一种基于条件随机场的异常应用协议行为检测方法,从网络数据流中提取应用协议关键字及其时间间隔作为状态特征,同时考虑关键字的频率分布特征,应用条件随机场模型对协议行为进行建模,将偏离模型的协议行为判定为异常。相比于传统的基于隐马尔可夫模型建模方法,该方法不必对特征量作严格的独立性假设,具有能够融合多特征的优势。实验结果表明,该方法在检测协议异常时准确率高、误报率低。
Aiming at the problem that the traditional protocol anomaly behavior detection is designed for specific protocol or application and is not interchangeable,this paper proposed a conditional random field( CRF) based protocol anomaly behavior detection algorithm. It extracted application protocol keywords and their intervals from network data stream as state feature,then took into account the frequent distribution of key words,finally modeled application behavior based on CRF and determined the behavior deviated from the model to be abnormal. Compared to the traditional model based on hidden Markov modeling method,this method does not have to make the feature quantity strict independence assumption and has multi-feature integration advantages. Experimental results show that the proposed method can detect the abnormal application behavior with high accuracy and low false alarm rate.
出处
《计算机应用研究》
CSCD
北大核心
2016年第6期1867-1870,1876,共5页
Application Research of Computers
基金
国家"863"计划资助项目(2012AA012704)
郑州市科技领军人才资助项目(131PLJRC644)
