| 基于系统调用与进程堆栈信息的入侵检测方法 |
| |
| 引用本文: | 张诚,彭勤科. 基于系统调用与进程堆栈信息的入侵检测方法[J]. 计算机工程, 2007, 33(7): 139-142 |
| |
| 作者姓名: | 张诚 彭勤科 |
| |
| 作者单位: | 西安交通大学电子与信息工程学院,西安,710049;西安交通大学电子与信息工程学院,西安,710049 |
| |
| 基金项目: | 国家自然科学基金 , 国家高技术研究发展计划(863计划) |
| |
| 摘 要: | 提出一种利用动态提取进程堆栈中的信息来寻找不定长模式的方法。该方法以进程中产生系统调用的函数返回地址链作为提取不定长模式的依据,根据函数的结构关系对模式集进行精简,得到一组不定长模式集。在此基础上,以不定长模式作为基本单位构建了一个马尔可夫链模型来检测异常行为。实验结果表明,该方法的检测性能要优于传统的不定长模式方法和一阶马尔可夫链模型方法,能够获得更高的检测率和更低的误报率。
|
| 关 键 词: | 入侵检测 系统调用 调用堆栈 函数返回地址 不定长序列模式 马尔可夫链 |
| 文章编号: | 1000-3428(2007)07-0139-04 |
| 修稿时间: | 2006-04-22 |
Intrusion Detection Based on System Calls and Call Stack Log |
| |
| ZHANG Cheng,PENG Qinke. Intrusion Detection Based on System Calls and Call Stack Log[J]. Computer Engineering, 2007, 33(7): 139-142 |
| |
| Authors: | ZHANG Cheng PENG Qinke |
| |
| Affiliation: | (School of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an 710049) |
| |
| Abstract: | A novel method is proposed to construct variable-length patterns by using dynamically extracting information from call stack of the process.This method uses the chains of function return addresses to derive a table of variable-length patterns,and reduces the pattern set based on the structure of functions of the process.Then a Markov chain model is constructed based on variable-length patterns to detect abnormal behaviors.The experimental results indicate that compared with the traditional variable-length pattern based method and the first-order Markov chain model method,the proposed method can achieve higher hit rates and lower false alarm rates. |
| |
| Keywords: | Intrusion detection System call Call stack Function return addresses Variable-length patterns Markov chain |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
| 点击此处可从《计算机工程》浏览原始摘要信息 |
|
点击此处可从《计算机工程》下载免费的PDF全文 |
