摘要
提出一种新的基于隐马尔可夫模型的程序行为异常检测方法,此方法利用系统调用序列,并基于隐马尔可夫模型来描述程序行为,根据程序行为模式的出现频率对其进行分类,并将行为模式类型同隐马尔可夫模型的状态联系在一起。由于各状态对应的观测值集合互不相交,模型训练中采用了运算量较小的序列匹配方法,与传统的Baum Welch算法相比,训练时间有较大幅度的降低。考虑到模型中状态的特殊含义以及程序行为的特点,将加窗平滑后的状态序列出现概率作为判决依据。实验表明,此方法具有很高的检测准确性,其检测效率也优于同类方法。
A new method for anomaly detection of the program behaviors based on hidden Markov models is presented. The method uses system calls to represent the behavior profiles of programs based on hidden Markov models. The behavior patterns of programs are classified according to their frequency distributions, and the states of the hidden Markov models are associated with the classes of the behavior patterns. Because the collections of observations corresponding to different states are mutually disjoint, the models can be trained with a sequence matching algorithm which requires lower computational complexity and less computation time than the classical BaumWelch algorithm. A decision rule based on the probabilities of short state sequences is adopted while the particularity of the model states is taken into account. The performance of the method is tested by computer simulation. The results show it maintains higher detection accuracy and efficiency than other alternative approaches.
出处
《国防科技大学学报》
EI
CAS
CSCD
北大核心
2003年第5期63-67,共5页
Journal of National University of Defense Technology
基金
北京首信集团重大科研项目(020015)
