基于数据挖掘和变长序列模式匹配的程序行为异常检测

异常检测是目前入侵检测领域研究的热点内容.提出一种基于数据挖掘和变长序列模式匹配的程序行为异常检测方法,主要用于Unix或Linux平台上以系统调用为审计数据的主机型入侵检测系统.该方法利用数据挖掘技术中的序列模式对特权程序的正常行为进行建模,根据系统调用序列的支持度在训练数据中提取正常模式,并建立多种模式库来表示一个特权程序的行为轮廓.在检测阶段,考虑到审计数据和特权程序的特点,采用了变长序列模式匹配算法对程序历史行为和当前行为进行比较,并提供了两种判决方案,能够联合使用多个窗长度和判决门限对程序行为进行判决,提高了检测的准确率和灵活性.文中提出的方法已应用于实际入侵检测系统,并表现出良好的检测性能.

Anomaly Detection of Program Behaviors Based on Data Mining and Variable-Length Sequence Matching

Network anomaly detection has been an active research topic in the field of Intrusion Detection for many years.This pa- per presents a new method for anomaly detection of program behaviors based on data mining and variable-length sequence pattern matc- hing.The method uses sequence patterns in data mining technique to model the normal behavior of a privileged program,extracts normal system call sequences according to their supports in the training data,and constructs multiple dictionaries of sequences of different lengths to represent the behavior profile of the program.At the detection stage,variable length sequences are matched to perform the comparison of the historic normal behaviors and current behaviors,and two different schemes can be used to determine whether the moni- tored program's behaviors are normal or anomalous while the particularity of program behaviors and audit data is taken into account.The application of the method in practical intrusion detection systems shows that it can achieve high detection performance.