| 基于HMM的系统调用异常检测 |
| |
| 引用本文: | 闫巧,谢维信,宋歌,喻建平.基于HMM的系统调用异常检测[J].电子学报,2003,31(10):1486-1490. |
| |
| 作者姓名: | 闫巧 谢维信 宋歌 喻建平 |
| |
| 作者单位: | 1. 深圳大学信息工程学院,广东深圳518060;2. 西安电子科技大学电子工程学院,陕西西安710071 |
| |
| 基金项目: | 国家“8 63”项目 (No.2 0 0 1AA1 4 2 1 0 0B) |
| |
| 摘 要: | 我们利用隐马尔可夫模型来描述特权进程正常运行时局部系统调用之间存在的规律性.具体方法是将UNIX特权程序的系统调用轨迹通过隐马尔可夫模型处理得到系统状态转移序列,再经滑窗后得到系统状态转移短序列.初步的实验证明这样得到的系统状态转移短序列比TIDE方法提出的系统调用短序列能更加简洁和稳定地表示系统的正常状态,采用这种状态短序列建立的正常轮廓库比较小,而且对训练数据的不完整性不太敏感.在同等的训练数据下,检测时本方法比TIDE方法的检测速度快,虚警率低.
|
| 关 键 词: | 入侵检测 异常检测 隐马尔可夫模型 系统调用 正常轮廓 |
| 文章编号: | 0372-2112(2003)10-1486-05 |
| 收稿时间: | 2001-12-17 |
System Call Anomaly Detection Method Based on HMM |
| |
| YAN Qiao ,XIE Wei xin ,SONG Ge ,YU Jian Ping.System Call Anomaly Detection Method Based on HMM[J].Acta Electronica Sinica,2003,31(10):1486-1490. |
| |
| Authors: | YAN Qiao XIE Wei xin SONG Ge YU Jian Ping |
| |
| Affiliation: | 1. Institute of Information Engineering,Shenzhen University,Shenzhen,Guangdong 518060 China;2. Institute of Electronic Engineering,Xidian University,Xi'an,Shaanxi 710071 China |
| |
| Abstract: | An anomaly intrusion detection method based on a HMM is given.We pass the system call trace of unix privileged process into a HMM to get state transition sequences.Preliminary experiments prove the state transition sequences can express the different mode between normal action and intrusion behavior more stably and more simply than the short sequence in TIDE can do.Although building a HMM is computationally expensive,we can get three advantages,that is,smaller profile database,needing smaller training data,and greater difference between normal data and abnormal data.So we can detect more quickly and with lower false positive rate. |
| |
| Keywords: | intrusion detection anomaly detection HMM system call normal profile |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
| 点击此处可从《电子学报》浏览原始摘要信息 |
|
点击此处可从《电子学报》下载全文 |
