Abstract
Existing system-call-based anomaly intrusion detection methods model process behaviour with a single trace pattern and therefore cannot describe it accurately. In this paper, process behaviour is modeled on both the sequence and the frequency patterns of the system call trace, and a data-driven anomaly detection framework is designed. The framework detects sequential and quantitative anomalies of the system call trace simultaneously. With the help of a combinational window mechanism, which meets the different requirements that offline training and online detection place on trace extraction, the framework achieves fine-grained offline learning and real-time online anomaly detection. Comparative experiments on the detection of unknown anomalies are conducted on the ADFA-LD intrusion detection benchmark dataset. The results show that, compared with four traditional machine learning methods and four deep learning methods, the overall detection performance of the framework improves by about 10%.
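As an added illustration (not the paper's code or its exact algorithm), the following Python sketch shows the two trace patterns the abstract describes: an n-gram sequence model and a per-window syscall-count model, trained offline on overlapping windows and scored online on tumbling windows. The toy traces, window size and threshold are constructed assumptions.

```python
from collections import Counter

# Constructed toy traces of syscall names (not a real capture): a normal
# open/read/mmap/write/close loop, plus two deviations from it.
NORMAL_TRACES = [
    ["openat", "read", "mmap", "write", "close"] * 4,
    ["openat", "read", "read", "mmap", "write", "close"] * 3,
]
SEQ_ONLY_ANOMALY = ["openat", "mmap", "read", "write", "close"] * 4    # same mix, wrong order
QUANT_ONLY_ANOMALY = ["openat"] + ["read"] * 17 + ["mmap", "write", "close"]  # known pairs, read burst


def windows(trace, size, stride):
    """Fixed-size windows over a trace: stride 1 overlaps, stride == size tumbles."""
    return [trace[i:i + size] for i in range(0, len(trace) - size + 1, stride)]


def ngrams(seq, n):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


class SyscallTraceModel:
    """Sequence pattern: set of n-grams seen in normal windows.
    Frequency pattern: highest count of each syscall in any normal window."""

    def __init__(self, n=2, window=10):
        self.n, self.window = n, window
        self.known_ngrams = set()
        self.max_count = {}

    def fit(self, traces):
        # Offline: overlapping windows (stride 1) give fine-grained learning.
        for trace in traces:
            for w in windows(trace, self.window, stride=1):
                self.known_ngrams.update(ngrams(w, self.n))
                for call, c in Counter(w).items():
                    self.max_count[call] = max(self.max_count.get(call, 0), c)

    def score(self, trace):
        # Online: tumbling windows (stride == size) so each window is scored once.
        wins = windows(trace, self.window, stride=self.window) or [trace]
        seq_hits = sum(any(g not in self.known_ngrams for g in ngrams(w, self.n)) for w in wins)
        quant_hits = sum(any(c > self.max_count.get(s, 0) for s, c in Counter(w).items()) for w in wins)
        return {"sequential": seq_hits / len(wins), "quantitative": quant_hits / len(wins)}


def build_model():
    model = SyscallTraceModel()
    model.fit(NORMAL_TRACES)
    return model


def detect(model, trace, threshold=0.5):
    """Flag each anomaly type when the fraction of anomalous windows reaches the threshold."""
    return {kind: ratio >= threshold for kind, ratio in model.score(trace).items()}
```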
Authors
WEI Hui (魏辉), CHEN Ze-mao (陈泽茂), ZHANG Li-qiang (张立强)
Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
Source
Computer Science (《计算机科学》), 2022, No. 6, pp. 350-355 (6 pages)
Indexed in CSCD and the Peking University Core Journals list
Funding
Hubei Province Key Research and Development Project (2020BAA001).
Keywords
Host-based intrusion detection systems
System calls
Deep neural network
Long short-term memory neural network