Anomaly Detection Model Based on Windows Native API Sequences
Cited by: 3

Authors: 冯力 [1], 孙杰 [1], 周晓明 [1], 杨力伟 [1], 彭勤科 [1]

Affiliation: [1] School of Electronic and Information Engineering, Xi'an Jiaotong University, Xi'an 710049

Source: Journal of Xi'an Jiaotong University (《西安交通大学学报》), 2006, No. 4, pp. 406-410 (5 pages)

Funding: National Science Fund for Distinguished Young Scholars (60243001); National Natural Science Foundation of China (60243001); National High Technology Research and Development Program of China (2001AA140213)

Abstract: To detect the increasingly serious attacks against the Windows operating system (OS), a multi-step consistency model and an exponential iteration detection algorithm (EIDA) based on Native API sequences are proposed, which detect anomalous intrusions in the Windows OS from kernel space. The system service dispatch table is intercepted by a kernel virtual device so that Native API information can be obtained in real time. One-step and two-step consistency models are built from the captured normal Native API data to describe the normal behaviour of processes. During detection, the normal index of each newly observed Native API call is measured continuously by EIDA. The normal indexes are analysed by an alarm extraction algorithm, which uniquely determines the corresponding attack and gives administrators assurance that they can grasp the security state of the OS in time. Experiments in different Windows OS environments show that the proposed method has good detection accuracy.
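The one-step and two-step consistency models described in the abstract, as an added illustration that is not the paper's code: the models are transition tables learned from normal Native API traces, each new call is scored against them, and an exponentially smoothed score stands in for the paper's EIDA (whose exact formula the abstract does not give, so the smoothing, the score values and the alarm threshold are assumptions here). The traces are constructed sample data, not captured system calls.

```python
from collections import defaultdict

# Constructed sample traces of normal process behaviour (not data from the paper).
NORMAL_TRACES = [
    ["NtCreateFile", "NtReadFile", "NtClose"],
    ["NtOpenFile", "NtReadFile", "NtWriteFile", "NtClose"],
    ["NtOpenFile", "NtReadFile", "NtClose"],
]


def build_models(traces):
    """One-step model: call -> allowed successors. Two-step model: (call, call) -> allowed successors."""
    one_step, two_step = defaultdict(set), defaultdict(set)
    for seq in traces:
        for i in range(1, len(seq)):
            one_step[seq[i - 1]].add(seq[i])
            if i >= 2:
                two_step[(seq[i - 2], seq[i - 1])].add(seq[i])
    return dict(one_step), dict(two_step)


def consistency(one_step, two_step, seq):
    """Per-call consistency from position 1 on: 1.0 if both models accept the call,
    0.5 if only the one-step model does, 0.0 if neither (an unseen transition)."""
    scores = []
    for i in range(1, len(seq)):
        ok1 = seq[i] in one_step.get(seq[i - 1], ())
        ok2 = i < 2 or seq[i] in two_step.get((seq[i - 2], seq[i - 1]), ())
        scores.append(1.0 if ok1 and ok2 else 0.5 if ok1 else 0.0)
    return scores


def normal_index(one_step, two_step, seq, alpha=0.5):
    """Exponentially smoothed normal index (assumed stand-in for the paper's EIDA):
    a run of unseen transitions drives the index toward 0, normal calls pull it back to 1."""
    idx, out = 1.0, []
    for c in consistency(one_step, two_step, seq):
        idx = alpha * idx + (1 - alpha) * c
        out.append(idx)
    return out


def extract_alarms(indexes, threshold=0.5):
    """Trace positions where the normal index falls below the (assumed) threshold."""
    return [i + 1 for i, v in enumerate(indexes) if v < threshold]


if __name__ == "__main__":
    one, two = build_models(NORMAL_TRACES)
    suspect = ["NtCreateFile", "NtClose", "NtReadFile", "NtWriteFile"]
    print(normal_index(one, two, suspect), extract_alarms(normal_index(one, two, suspect)))
```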

Keywords: anomaly detection; operating system; multi-step consistency model; exponential iteration detection algorithm

Classification code: TP393.1 [Automation and Computer Technology: Computer Application Technology]
