
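Anomaly Detection of the Program Behaviors for IDS Based on Hidden Markov Models
Cite this article: SUN Hongwei, TIAN Xinguang, ZOU Tao, ZHANG Eryang. Anomaly Detection of the Program Behaviors for IDS Based on Hidden Markov Models[J]. Journal of National University of Defense Technology, 2003, 25(5): 63-67.
Authors: SUN Hongwei, TIAN Xinguang, ZOU Tao, ZHANG Eryang
Affiliation: College of Electronic Science and Engineering, National University of Defense Technology, Changsha, Hunan 410073
Funding: Major research project of Beijing Capitel Group (北京首信集团) (020015)
Abstract: A new method for anomaly detection of program behavior based on hidden Markov models is proposed. The method uses system call sequences and describes program behavior with a hidden Markov model; it classifies program behavior patterns by their frequency of occurrence and associates the pattern classes with the states of the hidden Markov model. Because the sets of observations corresponding to the different states are mutually disjoint, model training uses a sequence matching method with a low computational cost, and training time is considerably lower than with the traditional Baum-Welch algorithm. Taking into account the special meaning of the states in the model and the characteristics of program behavior, the probability of occurrence of the state sequence after windowed smoothing is used as the decision criterion. Experiments show that the method has very high detection accuracy and that its detection efficiency is also better than that of comparable methods.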

Keywords: intrusion detection system; anomaly detection; hidden Markov model; system call
Article ID: 1001-2486(2003)05-0063-05
Received: 2003/1/13 0:00:00
Revised: January 13, 2003

Anomaly Detection of the Program Behaviors for IDS Based on Hidden Markov Models
SUN Hongwei, TIAN Xinguang, ZOU Tao and ZHANG Eryang. Anomaly Detection of the Program Behaviors for IDS Based on Hidden Markov Models[J]. Journal of National University of Defense Technology, 2003, 25(5): 63-67.
Authors: SUN Hongwei, TIAN Xinguang, ZOU Tao and ZHANG Eryang
Institution: College of Electronic Science and Engineering, National Univ. of Defense Technology, Changsha 410073, China
Abstract: A new method for anomaly detection of the program behaviors based on hidden Markov models is presented. The method uses system calls to represent the behavior profiles of programs based on hidden Markov models. The behavior patterns of programs are classified according to their frequency distributions, and the states of the hidden Markov models are associated with the classes of the behavior patterns. Because the collections of observations corresponding to different states are mutually disjoint, the models can be trained with a sequence matching algorithm which requires lower computational complexity and less computation time than the classical Baum-Welch algorithm. A decision rule based on the probabilities of short state sequences is adopted while the particularity of the model states is taken into account. The performance of the method is tested by computer simulation. The results show it maintains higher detection accuracy and efficiency than other alternative approaches.
Keywords: IDS; anomaly detection; hidden Markov model; system call
This article is indexed in CNKI, Wanfang Data and other databases.