Similar literature
Found 20 similar documents; search took 171 ms
1.
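Intrusion detection method based on a two-layer hidden Markov model*   Total citations: 1, self-citations: 0, citations by others: 1
In system-call-based intrusion detection research, how to extract system call sequence patterns is an important problem. This paper proposes a method that uses the chain of function return addresses in the process stack to extract variable-length patterns. Compared with the variable-length pattern extraction method of Wang Fuhong (王福宏), this method obtains a more complete pattern set. On this basis, a two-layer hidden Markov model is built from the system call sequence and its corresponding variable-length pattern sequence to detect anomalous behavior. Compared with the classical hidden Markov method that uses only system call sequence information, this method achieves lower false positive and false negative rates.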

2.
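Markov chain anomaly detection model based on characteristic patterns   Total citations: 2, self-citations: 1, citations by others: 1
To improve detection accuracy while keeping algorithmic complexity within an acceptable range, a Markov chain anomaly detection model based on characteristic patterns is proposed. All short system call sequences whose support exceeds a threshold are extracted as characteristic patterns, and an improved Markov model, CPMC, is built on them. During detection, the program trace is matched against the characteristic patterns and its probability under the CPMC model is computed; a low probability indicates an anomaly. Experiments show that the detection accuracy of this method is higher than that of several common single methods and approximately equal to that of the DBCPIDS method, while its computational complexity is lower.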

3.
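Research on intrusion detection technology based on linear prediction and Markov models   Total citations: 13, self-citations: 0, citations by others: 13
Intrusion detection is an important component of modern computer system security technology. This paper proposes an intrusion detection method that combines linear prediction with a Markov model. First, the behavioral features of privileged processes are extracted: a time-series analysis technique, linear prediction, is applied to the system call sequences generated by privileged processes to extract feature vectors and build a library of normal features, on which a Markov model is then built. State probabilities are computed from the state sequences produced by the Markov model, and the anomaly of process behavior is evaluated according to the state sequence probability. Then, Markov source entropy and conditional entropy are used for parameter selection to optimize the model, further improving the detection rate. Experiments show that the algorithm is highly accurate, works well in real time, and uses few system resources.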

4.
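A new process anomaly detection method based on rough set value reduction and system calls is proposed. To improve reduction efficiency, the discernibility-matrix-based rough set value reduction algorithm is improved. In addition, a new detection model is created that, beyond judging whether a process is anomalous, can further identify the type of anomaly. It takes k positions in a short system call sequence as the condition attribute set and the process type as the decision attribute to build a decision table; it then uses the improved value reduction algorithm to extract a rule set and compiles statistics on the rule-matching results; finally, it determines the process class. Experiments show that the method identifies the type of anomalous process efficiently and accurately.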

5.
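A host anomaly detection method based on a Markov chain model is proposed. First, the behavioral features of privileged processes are extracted, and a Markov model is constructed on that basis. State probabilities are computed from the state sequences produced by the Markov model, and the anomaly of process behavior is evaluated according to the state sequence probability. The construction of the Markov model fully captures the relationships among the local behavioral features of privileged processes. Experiments show that the model's algorithm is simple, works well in real time, has a high detection rate and a low false alarm rate, and is suitable for online detection.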

6.
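Markov chain model for system-call-based intrusion detection   Total citations: 1, self-citations: 1, citations by others: 1
This paper studies a method that uses Markov chains to extract process features from system call sequences in order to perform intrusion detection, and demonstrates the feasibility and effectiveness of the method through experiments. The experiments show that the first-order Markov chain model detects better than the second-order Markov chain model.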

7.
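Intrusion detection method based on variable-length system call sequence patterns   Total citations: 1, self-citations: 0, citations by others: 1
An algorithm for finding variable-length sequence patterns is proposed, with the goal of finding a set of basic, relatively independent variable-length sequence patterns in the training sequences. During the updating of the pattern set, the ordering relations between patterns are defined automatically, and a DFA describing the process's execution patterns is built from them. To address the drawback that existing pattern-matching algorithms based on variable-length sequence patterns need to look ahead and predict several system call numbers, the paper designs a better pattern-matching algorithm. Experimental results show that the algorithm is stable during pattern finding and achieves very low false positive and false negative rates while maintaining a very small pattern set.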

8.
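This work studies anomaly detection methods on the Windows platform. It proposes a pattern extraction algorithm for host service processes that uses Windows Native API call sequences and a decision tree algorithm, and greatly reduces the size of the pattern set by introducing wildcards into the patterns. It further introduces transition probabilities that characterize the relationships between patterns, builds a global Markov chain model of the pattern sequence, and gives the corresponding anomaly detection algorithm. Experimental results show that the algorithm can extract a pattern set that is small and generalizes well, and that the corresponding detection algorithm can detect anomalies effectively.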

9.
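A two-layer Markov chain anomaly intrusion detection model   Total citations: 1, self-citations: 1, citations by others: 1
Xu Ming (徐明), Chen Chun (陈纯), Ying Jing (应晶). Journal of Software (《软件学报》), 2005, 16(2): 276-285
Building on existing single-layer Markov chain anomaly detection models, a new two-layer model is proposed. Two processes that differ considerably in nature, the sequence of different requests and the system call sequence within a single request, are separated into two layers and handled by different Markov chains. The two-layer structure characterizes the dynamic behavior of the protected service process more accurately, and so considerably improves the anomaly recognition rate and lowers the false alarm rate. Moreover, each detected anomaly is confined to the request region in which it actually occurred. The detection model is suited to anomaly intrusion detection for privileged processes (especially request-response privileged processes).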

10.
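An insider threat detection method based on hidden Markov models is proposed. The solution to the hidden Markov model evaluation problem has a practical defect: using a sliding window amplifies the observed event sequence and leads to a high false positive rate. To address this, a system-call-based insider threat detection prototype system was designed and implemented on the Windows platform; it intercepts Windows Native API calls and uses a library of normal program behavior profiles to detect anomalous program behavior patterns. Experimental results show that the new method takes the program's internal running state as the object of processing, has a smaller normal profile library, overcomes the problem that the traditional evaluation method cannot effectively distinguish normal from anomalous because the value of P(O|λ) is too small, and achieves better detection performance.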

11.
Markov models have been widely used to represent and analyze user Web navigation data. In previous work, we have proposed a method to dynamically extend the order of a Markov chain model and a complementary method for assessing the predictive power of such a variable-length Markov chain. Herein, we review these two methods and propose a novel method for measuring the ability of a variable-length Markov model to summarize user Web navigation sessions up to a given length. Although the summarization ability of a model is important to enable the identification of user navigation patterns, the ability to make predictions is important in order to foresee the next link choice of a user after following a given trail so as, for example, to personalize a Web site. We present an extensive experimental evaluation providing strong evidence that prediction accuracy increases linearly with summarization ability.

12.
Genetic Programming (GP) homologous crossovers are a group of operators, including GP one-point crossover and GP uniform crossover, where the offspring are created preserving the position of the genetic material taken from the parents. In this paper we present an exact schema theory for GP and variable-length Genetic Algorithms (GAs) which is applicable to this class of operators. The theory is based on the concepts of GP crossover masks and GP recombination distributions that are generalisations of the corresponding notions used in GA theory and in population genetics, as well as the notions of hyperschema and node reference systems, which are specifically required when dealing with variable size representations. In this paper we also present a Markov chain model for GP and variable-length GAs with homologous crossover. We obtain this result by using the core of Vose's model for GAs in conjunction with the GP schema theory just described. The model is then specialised for the case of GP operating on 0/1 trees: a tree-like generalisation of the concept of binary string. For these, symmetries exist that can be exploited to obtain further simplifications. In the absence of mutation, the Markov chain model presented here generalises Vose's GA model to GP and variable-length GAs. Likewise, our schema theory generalises and refines a variety of previous results in GP and GA theory.

13.
Hidden Markov models have been found very useful for a wide range of applications in machine learning and pattern recognition. The wavelet transform has emerged as a new tool for signal and image analysis. Learning models for wavelet coefficients have been mainly based on fixed-length sequences, but real applications often require modeling variable-length, very long or real-time sequences. In this paper, we propose a new learning architecture for sequences analyzed on a short-term basis, but not assuming stationarity within each frame. Long-term dependencies will be modeled with a hidden Markov model which, in each internal state, will deal with the local dynamics in the wavelet domain, using a hidden Markov tree. The training algorithms for all the parameters in the composite model are developed using the expectation-maximization framework. This novel learning architecture could be useful for a wide range of applications. We detail two experiments with artificial and real data: model-based denoising and speech recognition. Denoising results indicate that the proposed model and learning algorithm are more effective than previous approaches based on isolated hidden Markov trees. In the case of the ‘Doppler’ benchmark sequence, with 1024 samples and additive white noise, the new method reduced the mean squared error from 1.0 to 0.0842. The proposed methods for feature extraction, modeling and learning increased the phoneme recognition rates by 28.13%, with better convergence than models based on Gaussian mixtures.

14.
A new structural approach based on hidden Markov model is proposed to describe the hierarchical nature of dynamic process of Web workload. The proposed approach includes two latent Markov chains and one observable process. One of the latent Markov chains is called macro-state process which is used to describe the large-scale trends of Web workload. The remaining latent Markov chain is called sub-state process which is used to describe the small-scale fluctuations that are happening within the duration of a given macro-state. An efficient parameter re-estimation algorithm and a workload simulation algorithm are derived for the proposed discrete model. Experiments based on a real workload of a large-scale campus network are implemented to validate the proposed model.

15.
Non-stationary fuzzy Markov chain   Total citations: 1, self-citations: 0, citations by others: 1
This paper deals with a recent statistical model based on fuzzy Markov random chains for image segmentation, in the context of stationary and non-stationary data. On one hand, fuzzy scheme takes into account discrete and continuous classes through the modeling of hidden data imprecision and on the other hand, Markovian Bayesian scheme models the uncertainty on the observed data. A non-stationary fuzzy Markov chain model is proposed in an unsupervised way, based on a recent Markov triplet approach. The method is compared with the stationary fuzzy Markovian chain model. Both stationary and non-stationary methods are enriched with a parameterized joint density, which governs the attractiveness of the neighbored states. Segmentation task is processed with Bayesian tools, such as the well known MPM (Mode of Posterior Marginals) criterion. To validate both models, we perform and compare the segmentation on synthetic images and raw optical patterns which present diffuse structures.

16.
In this paper, an “auto-framing” method, an algorithmic method to divide stochastic time-series process data into appropriate intervals, is developed based on the approach of hidden Markov model (HMM). While enormous amounts of process time-series data are being measured and collected today, their use is limited by the high costs to gather, store, and analyze them. “Data-framing” refers to the task of dividing stochastic signal data into time frames of distinct patterns so that the data can be stored and analyzed in an efficient manner. Data-framing is typically carried out manually, but doing so can be both laborious and ineffective. For the purpose of automating the data-framing task, stochastic signals of switching patterns are modeled using a hidden Markov model (HMM) based jump linear system (JLS), which switches the stochastic model probabilistically in accordance with the underlying Markov chain. Based on the model, an estimator is constructed to estimate from the collected signal data the state sequence of the underlying Markov chain, which is subsequently used to decide on the framing points. An Expectation Maximization (EM) algorithm, which is composed of two optimal estimators, fixed interval Kalman smoother and Viterbi algorithm, is used for the state estimation. We demonstrate the effectiveness of the HMM-based approach for auto-framing using simulated data constructed based on real industrial data.

17.
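Self-organizing clustering of symbol sequences based on hidden Markov models   Total citations: 2, self-citations: 0, citations by others: 2
Lü Yu (吕昱), Cheng Daijie (程代杰). Computer Science (《计算机科学》), 2006, 33(8): 210-212
This paper proposes a model-based self-organizing clustering algorithm suited to variable-length symbol sequences. Hidden Markov models are used to represent the individual clusters, and batch self-organizing features are used in the clustering process of the symbol sequences. Experimental results show that the algorithm can effectively discover cluster patterns in variable-length symbol sequences.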

18.
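Building a usage model of the software is the basis for software reliability testing and software reliability assessment. In recent years, how to construct a software usage model from the software's UML model has become a research focus. For large software systems, the state space of the Markov chain usage model built with existing methods is too large and the model is hard to describe, which hinders automatic test case generation and software reliability assessment. To address these problems, a method for building a Markov chain usage model from a UML model is proposed. The method takes the preconditions and postconditions of scenarios as the states of the Markov chain usage model, and takes scenario executions and their execution probabilities as the transitions between states and the transition probabilities. Compared with existing methods, the Markov chain usage model built by the new method has a small state space and requires no human intervention, and test inputs can be generated conveniently for reliability testing. Regarding the validity of the UML model, a verification algorithm is proposed for generating the Markov chain usage model from a UML model extended with reliability assessment. Finally, the performance of the new method is verified on an example of a satellite control system.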

19.
This paper deals with a comparison of recent statistical models based on fuzzy Markov random fields and chains for multispectral image segmentation. The fuzzy scheme takes into account discrete and continuous classes which model the imprecision of the hidden data. In this framework, we assume the dependence between bands and we express the general model for the covariance matrix. A fuzzy Markov chain model is developed in an unsupervised way. This method is compared with the fuzzy Markovian field model previously proposed by one of the authors. The segmentation task is processed with Bayesian tools, such as the well-known MPM (mode of posterior marginals) criterion. Our goal is to compare the robustness and rapidity for both methods (fuzzy Markov fields versus fuzzy Markov chains). Indeed, such fuzzy-based procedures seem to be a good answer, e.g., for astronomical observations when the patterns present diffuse structures. Moreover, these approaches allow us to process missing data in one or several spectral bands which correspond to specific situations in astronomy. To validate both models, we perform and compare the segmentation on synthetic images and raw multispectral astronomical data.

20.
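Real-time anomaly detection based on a static Markov chain model   Total citations: 7, self-citations: 0, citations by others: 7
Markov chain models can be used to describe the normal behavior patterns of a system. This paper proposes an anomaly detection method based on a static Markov chain and implements the algorithm on that basis. Experimental results show that the method is simple to implement, has high accuracy, and is applicable to real-time detection in different environments.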
