摘要
程序行为的异常检测是网络异常检测中的重要部分,针对传统隐马尔科夫模型中状态转移概率及观测值概率仅与前一状态有关的不足,而导致误报率高、检测效率低的问题。文章提出一种改进的基于隐马尔科夫模型的检测方法,该方法重点是利用系统调用局部规律性来建模;同时为了减少模型训练时间,该模型采用更为简单快捷的参数重估方法。最后,通过仿真实验,与传统HMM模型和二阶HMM做横向对比,证明了该模型的实用性。
Anomaly detection of program behavior is an important part of network anomalydetection. In traditional HMM, the probability of transition and the probability of the observed value is only related to the previous state, which leads to high false alarm rate and low detection rate. In this paper an improved 2HMM detection method is proposed, which is based on local regularity of the system calls. And in order to reduce the training time, the model uses a more simple parameter estimation algorithm. Finally, through the experiment, compared with the traditional HMM and traditional 2HMM,the superiority of the model is proved.
出处
《信息网络安全》
2016年第9期108-112,共5页
Netinfo Security
