| 主机型异常检测的隐半马尔可夫模型方法 |
| |
| 引用本文: | 彭竹苗,张正道. 主机型异常检测的隐半马尔可夫模型方法[J]. 计算机工程与应用, 2008, 44(33): 115-118. DOI: 10.3778/j.issn.1002-8331.2008.33.036 |
| |
| 作者姓名: | 彭竹苗 张正道 |
| |
| 作者单位: | 江南大学,通信与控制工程学院,江苏,无锡,214122;江南大学,通信与控制工程学院,江苏,无锡,214122 |
| |
| 摘 要: | 提出基于HSMM模型的主机型入侵检测系统框架。以BSM审计数据作为数据源,提取正常主机行为的特权流系统调用序列,利用HSMM模型对正常主机行为进行建模,然后将当前主机行为与之比较,判定当前主机行为是否异常。选取特权流变化事件作为研究对象以缩短建模时间,同时滤去了过多的无用信息,一定程度上提高了检测效率。实验结果表明,提出的HSMM方法比HMM优越,同时该方法建模的系统不仅节省训练时间,而且在提高检测率的同时可以降低误报率。
|
| 关 键 词: | 异常检测 隐半马尔可夫模型 BSM审计数据 特权流 |
| 收稿时间: | 2007-12-17 |
| 修稿时间: | 2008-4-2 |
Host oriented anomaly detection system based on hidden semi-Markov model |
| |
| PENG Zhu-miao,ZHANG Zheng-dao. Host oriented anomaly detection system based on hidden semi-Markov model[J]. Computer Engineering and Applications, 2008, 44(33): 115-118. DOI: 10.3778/j.issn.1002-8331.2008.33.036 |
| |
| Authors: | PENG Zhu-miao ZHANG Zheng-dao |
| |
| Affiliation: | School of Communication and Control Engineering,Southern Yangtze University,Wuxi,Jiangsu 214122,China |
| |
| Abstract: | A host oriented anomaly detection system framework based on hidden semi-Markov model is given.BSM audit data are used as research data sources.Firstly select the privilege flow system calls series of the normal host behavior.Then the normal behavior of computer is modeled using HSMM.Then by comparing the current computer behavior with the model,we can determine whether the current behavior is normal.This paper selects the privilege flow events of BSM audit data as the research target so as to shorten the time of modeling to some extent and improve detection performance as well by filtering useless data.The experiment result reveals that the proposed method is better than HMM method,for the former not only can shorten the training time but also decrease false-positive error while increasing detection rate. |
| |
| Keywords: | anomaly detection hidden semi-Markov model BSM audit data privilege flow |
| 本文献已被 万方数据 等数据库收录! |
| 点击此处可从《计算机工程与应用》浏览原始摘要信息 |
|
点击此处可从《计算机工程与应用》下载免费的PDF全文 |
