
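A Control Flow Anomaly Detection Algorithm for Production Systems
Cite this article: Wang Yutong, Chang Chaowen, Fan Zihua, Han Peisheng. A control flow anomaly detection algorithm for production systems [J]. Application Research of Computers, 2017, 34(5).
Authors: Wang Yutong  Chang Chaowen  Fan Zihua  Han Peisheng
Affiliation: Information Engineering University, Information Engineering University, Information Engineering University, Information Engineering University
Funding: Supported by the National 583 Program project (2012AA012704) and the National 973 Program project (2011CB311801)
Abstract: At present, intrusion attacks against production systems are evolving toward larger scale, wider distribution and greater complexity, and traditional passive protection measures based on vulnerability databases, virus databases and rule matching struggle to cope with attacks hidden inside production systems. Starting from the control flow of a production system's business programs, this paper proposes CFCPM, a path-matching-based control flow anomaly detection algorithm for production systems. First, a basic group partition method based on key path matching is proposed; by enlarging the basic unit of control flow analysis, it reduces the performance burden that assertion-tag-based control flow analysis imposes on the running system. Then the standard path set acquisition phase and the path matching phase of the CFCPM algorithm are described; by judging whether the current control flow path deviates from the standard path set, the algorithm detects when the production system is in an abnormal working state. Finally, an analysis of anomaly detection capability demonstrates the algorithm's effectiveness at detecting control flow anomalies in business programs.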

Keywords: production system  control flow  anomaly detection  path matching
Received: 2016/3/21 0:00:00
Revised: 2016/6/3 0:00:00

A Production System Oriented Control Flow Anomaly Detection Algorithm
Wang Yutong, Chang Chaowen, Fan Zihua and Han Peisheng. A Production System Oriented Control Flow Anomaly Detection Algorithm[J]. Application Research of Computers, 2017, 34(5).
Authors:Wang Yutong  Chang Chaowen  Fan Zihua and Han Peisheng
Affiliation:Information Engineering University,Information Engineering University,Information Engineering University,Information Engineering University
Abstract: With the rapid development of computer systems, intrusion attack methods have become large-scale, distributed and complex. Traditional protection means such as vulnerability databases, virus databases and rule matching cannot cope with attacks hidden inside the terminals. Starting from the control flow of business programs, this paper proposes CFCPM, a production system oriented control flow anomaly detection algorithm. First, a basic group partition method based on key paths is proposed, which reduces the performance burden caused by the assertion-tag-based control flow analysis method by expanding the basic research unit. Then the algorithm's two phases, standard path set acquisition and path matching, are introduced. By judging whether the current control flow path deviates from the standard path set, the abnormal operating conditions of production systems can be detected. Finally, the effectiveness of CFCPM is demonstrated by an analysis of its anomaly detection capability.
Keywords:Production system  control flow  anomaly detection  path matching  