共查询到19条相似文献,搜索用时 218 毫秒
1.
2.
3.
4.
基于系统调用和齐次Markov链模型的程序行为异常检测 总被引:7,自引:0,他引:7
异常检测是目前入侵检测领域研究的热点内容.提出一种新的基于系统调用和Markov链模型的程序行为异常检测方法,该方法利用一阶齐次Markov链对主机系统中特权程序的正常行为进行建模,将Markov链的状态同特权程序运行时所产生的系统调用联系在一起,并引入一个附加状态;Markov链参数的计算中采用了各态历经性假设;在检测阶段,基于状态序列的出现概率对特权程序当前行为的异常程度进行分析,并根据Markov链状态的实际含义和程序行为的特点,提供了两种可选的判决方案.同现有的基于隐Markov模型和基于人工免疫原理的检测方法相比,提出的方法兼顾了计算成本和检测准确度,特别适用于在线检测.该方法已应用于实际入侵检测系统,并表现出良好的检测性能. 相似文献
5.
在形式化定义正常、异常和环境依赖系统调用短序列概念的基础上,以模糊理论为基础,采用模糊片段异常度刻画系统调用短序列的局部行为状态。通过对特权程序Sendmail在正常和各种攻击模式下的系统调用跟踪数据集进行实验,结果证明采用模糊概念抽象归属不明确的局部行为,明显地提高了特权程序异常检测模型的灵活性、适应性和对各种异常行为的识别能力。 相似文献
6.
7.
针对基于系统调用的异常入侵检测方法中较难抽取正常系统调用序列的特征库问题,提出将正常系统调用序列抽取出的子序列的频率特征转换为频率特征向量,并以此作为系统调用序列的局部和全局特征;为了保证对大规模数据集检测的准确率和速度,采用一类分类支持向量机(SVM)分类器进行学习建模,利用先前建立的特征库进行训练,建立入侵检测分类模型,最后对于待检测序列进行异常检测。在多个真实数据集上与已有的异常入侵检测方法进行比较实验,结果表明本文提出的方法的多个异常检测指标都都优于已有方法。 相似文献
8.
李秦 《网络安全技术与应用》2007,(11):39-41
本文提出了一种有效的频繁模式挖掘算法,通过研究Sendmail各进程中的系统调用号之间的关联关系,建立正常以及异常行为序列库,利用该频繁模式挖掘算法对各序列库进行频繁模式挖掘,以关联规则的形式获得能区分正常进程与正常进程的典型模式,继而找出所有满足置信度的分类规则,从而检测各进程序列中的入侵行为。 相似文献
9.
提出了一种改进的基于系统调用序列分析的入侵检测方法,该方法对审计数据首先进行MLSI现象的检测,在发现MLSI之后,再与正常库进行匹配,以检测是否有入侵行为.理论分析和实验表明,MLSI能够有效地标识入侵,通过查找MLSI,再进行异常检测的方法可以大大地降低系统的开销,这些都说明该方法是有效和可行的. 相似文献
10.
基于系统调用序列的入侵检测是分析主机系统调用数据进而发现入侵的一种安全检测技术,其关键技术是如何能够更准确地抽取系统调用序列的特征,并进行分类。为此,引进LDA(Latent Dirichlet Allocation)文本挖掘模型构建新的入侵检测分类算法。该方法将系统调用短序列视为word,利用LDA模型提取进程系统调用序列的主题特征,并结合系统调用频率特征,运用kNN(k-Nearest Neighbor)分类算法进行异常检测。针对DAPRA数据集的实验结果表明,该方法提高了入侵检测的准确度,降低了误报率。 相似文献
11.
Xinguang TIAN Xueqi CHENG Miyi DUAN Rui LIAO Hong CHEN Xiaojuan CHEN 《Frontiers of Computer Science》2010,4(4):522
Anomaly intrusion detection is currently an active research topic in the field of network security. This paper proposes a novel method for detecting anomalous program behavior, which is applicable to host-based intrusion detection systems monitoring system call activities. The method employs data mining techniques to model the normal behavior of a privileged program, and extracts normal system call sequences according to their supports and confidences in the training data. At the detection stage, a fixed-length sequence pattern matching algorithm is utilized to perform the comparison of the current behavior and historic normal behavior, which is less computationally expensive than the variable-length pattern matching algorithm proposed by Hofmeyr et al. At the detection stage, the temporal correlation of the audit data is taken into account, and two alternative schemes could be used to distinguish between normalities and intrusions. The method gives attention to both computational efficiency and detection accuracy, and is especially suitable for online detection. It has been applied to practical hosted-based intrusion detection systems, and has achieved high detection performance. 相似文献
12.
13.
Xinguang Tian Xueqi Cheng Miyi Duan Rui Liao Hong Chen Xiaojuan Chen 《Frontiers of Computer Science in China》2010,4(4):522-528
Anomaly intrusion detection is currently an active research topic in the field of network security. This paper proposes a
novel method for detecting anomalous program behavior, which is applicable to host-based intrusion detection systems monitoring
system call activities. The method employs data mining techniques to model the normal behavior of a privileged program, and
extracts normal system call sequences according to their supports and confidences in the training data. At the detection stage,
a fixed-length sequence pattern matching algorithm is utilized to perform the comparison of the current behavior and historic
normal behavior, which is less computationally expensive than the variable-length pattern matching algorithm proposed by Hofmeyr
et al. At the detection stage, the temporal correlation of the audit data is taken into account, and two alternative schemes
could be used to distinguish between normalities and intrusions. The method gives attention to both computational efficiency
and detection accuracy, and is especially suitable for online detection. It has been applied to practical hosted-based intrusion
detection systems, and has achieved high detection performance. 相似文献
14.
Abstract: Intrusion detection is important in the defense‐in‐depth network security framework. This paper presents an effective method for anomaly intrusion detection with low overhead and high efficiency. The method is based on rough set theory to extract a set of detection rules with a minimal size as the normal behavior model from the system call sequences generated during the normal execution of a process. It is capable of detecting the abnormal operating status of a process and thus reporting a possible intrusion. Compared with other methods, the method requires a smaller size of training data set and less effort to collect training data and is more suitable for real‐time detection. Empirical results show that the method is promising in terms of detection accuracy, required training data set and efficiency. 相似文献
15.
The existing host-based intrusion detection methods are mainly based on recording and analyzing the system calls of the invasion processes (such as exploring the sequences of system calls and their occurring probabilities). However, these methods are not efficient enough on the detection precision as they do not reveal the inherent intrusion events in detail (e.g., where are the system vulnerabilities and what causes the invasion are both not mentioned). On the other hand, though the log-based forensic analysis can enhance the understanding of how these invasion processes break into the system and what files are affected by them, it is a very cumbersome process to manually acquire information from logs which consist of the users’ normal behavior and intruders’ illegal behavior together.This paper proposes to use provenance, the history or lineage of an object that explicitly represents the dependency relationship between the damaged files and the intrusion processes, rather than the underlying system calls, to detect and analyze intrusions. Provenance more accurately reveals and records the data and control flow between files and processes, reducing the potential false alarm caused by system call sequences. Moreover, the warning report during intrusion can explicitly output system vulnerabilities and intrusion sources, and provide detection points for further provenance graph based forensic analysis. Experimental results show that this framework can identify the intrusion with high detection rate, lower false alarm rate, and smaller detection time overhead compared to traditional system call based method. In addition, it can analyze the system vulnerabilities and attack sources quickly and accurately. 相似文献
16.
17.
针对Windows系统入侵检测的不足,研究并借鉴Linux下基于系统调用序列进行入侵检测的方法,提出一种采用BP神经网络算法对Windows Native API序列学习和分类的内核级主机入侵检测方案。通过实验,验证了采用Windows Native API序列进行系统入侵的可行性。Native API是Windows系统内核模式下的API,可以类比于Linux下的系统调用。通过训练神经网络学习Native API序列,建立一个对正常和异常Native API序列进行分类的BP神经网络。在入侵检测时,利用训练后的神经网络对不断出现的Windows Native API 序列进行分类,判断系统是否出现异常入侵。 相似文献
18.
现代计算机系统在稳定性和安全方面存在许多问题,大部分是由于异常的程序行为所导致,主机入侵检测系统能有效的检测程序异常活动.通过对Linux2.4内核的研究,以内核补丁的形式设计与实现了一个原型系统NUMEN,该系统采用前向序列对方法对系统调用序列进行分析,当检测到进程行为异常时,它将延迟该进程发起的系统调用请求,如果异常的出现是由于安全违规活动而引起的,NUMEN在破坏发生之前阻止攻击活动,确保系统的安全性. 相似文献
19.
异常检测中正常行为规则性的度量 总被引:1,自引:0,他引:1
异常检测是防范新型攻击的基本手段,正常行为的规则性是影响检测能力的基本因素.在使用信息熵作为分析工具的基础上,提出了一种度量异常检测中正常行为规则程度的方法,并将这种方法用于对两个异常检测实例的分析,从理论上分析了如何改造特征以获得更多的规则性信息.在此理论的基础上,针对不同的数据类型提出了两种新的异常检测算法. 相似文献