| 利用Windows Native API调用序列和基于决策树算法的主机异常检测* |
| |
| 引用本文: | 李乃捷,彭勤科. 利用Windows Native API调用序列和基于决策树算法的主机异常检测*[J]. 计算机应用研究, 2007, 24(1): 258-260 |
| |
| 作者姓名: | 李乃捷 彭勤科 |
| |
| 作者单位: | 西安交通大学,电子与信息工程学院,陕西,西安,710049 |
| |
| 基金项目: | 国家“863”计划资助项目(2003AA142060);国家自然科学基金资助项目(60373107) |
| |
| 摘 要: | 主要研究Windows平台下的异常检测方法,提出一种利用Windows Native API调用序列和基于决策树算法的主机服务进程模式抽取算法,并通过在模式中引入通配符而大大缩减了模式集的规模。进一步引入了表征模式间关系的转移概率,建立了模式序列的全局马尔可夫链模型,并给出了相应的异常检测算法。实验结果表明:该算法可以抽取一个规模较小且泛化能力较强的模式集,相应的检测算法可以有效地检测异常。
|
| 关 键 词: | 主机异常检测 Windows Native API 决策树 间断模式 |
| 文章编号: | 1001-3695(2007)01-0258-03 |
| 修稿时间: | 2005-08-02 |
Decision Tree Algorithm based Host Anomaly Detection Using Windows Native API Sequences |
| |
| LI Nai jie,PENG Qin ke. Decision Tree Algorithm based Host Anomaly Detection Using Windows Native API Sequences[J]. Application Research of Computers, 2007, 24(1): 258-260 |
| |
| Authors: | LI Nai jie PENG Qin ke |
| |
| Abstract: | Anomaly detection algorithm for Windows platform is studied. A host process pattern extraction algorithm using Windows Native API sequences and based on decision tree is presented, and a wildcard is introduced in patterns, so the size of pattern set is reduced considerably. More over, transition probabilities between patterns are computed to build a global Markov Chain Model of pattern sequences, and related anomaly detection algorithm is presented. Experiments demonstrate that the algorithms can extract a pattern set of small size and high generalization ability, and can detect anomalies effectively. |
| |
| Keywords: | Host Anomaly Detection Windows Native API Decision Tree Spaced Pattern |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
| 点击此处可从《计算机应用研究》浏览原始摘要信息 |
|
点击此处可从《计算机应用研究》下载全文 |
