Affiliation: [1] State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100039
Source: Chinese Journal of Computers (计算机学报), 2006, No. 9, pp. 1572-1578 (7 pages)
Funding: supported by the National Key Basic Research and Development Program ("973" Program, G1999035802), the National Science Fund for Distinguished Young Scholars (60025205) and the National Natural Science Foundation of China (60273027).
Abstract: Intrusion detection based on process behaviour is one of the main techniques for defending hosts against intrusion and for detecting malicious code. This paper proposes an intrusion detection model based on static analysis of executable files. The model statically analyzes the application's executable to construct the set of all fixed-length (N-length) system call sequences the application could possibly execute. When monitoring in real time, it splits the system call sequence issued by the process into N-length sequences with an N-length sliding window; if any of these N-length sequences is not in the set, the process is flagged as intrusive. The model needs neither source code nor large volumes of training data, so it is general and easy to deploy. When the application's executable files are complete, the false positive rate is 0; the model is also stronger at resisting mimicry attacks and has a lower false negative rate.
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]
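The detection model the abstract describes, as an added illustration (this is not the paper's code). The static analysis of the executable is replaced by a hand-written system-call control-flow graph, an assumption standing in for what the paper derives from the binary; the allowed set is then every N-length walk in that graph, and the monitor slides an N-length window over a constructed trace exactly as the abstract states. The three traces are constructed: one benign, one whose injected code uses only syscalls the binary contains but in a succession the binary never produces (detected), and one that only follows transitions the binary admits (accepted, which is the residual exposure of any model that whitelists all statically possible behaviour). `random_walk` generates traces the binary could legitimately produce to show that, with a complete model, no legitimate window is ever flagged.

```python
"""Sliding-window system-call monitor built from a statically derived call graph.

Added example: the hand-written EXAMPLE_GRAPH is an assumption standing in for
the result of static analysis of an executable; traces are constructed.
"""
import random
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

SyscallGraph = Dict[str, List[str]]  # syscall -> syscalls that may follow it

# Constructed stand-in for the static analysis of a tiny file-copy style binary:
# nodes are syscalls the binary can issue, edges the successions its control flow permits.
EXAMPLE_GRAPH: SyscallGraph = {
    "open":  ["read", "close"],
    "read":  ["read", "write", "close"],
    "write": ["read", "close"],
    "close": ["open", "exit"],
    "exit":  [],
}
EXAMPLE_ENTRY = "open"


def reachable(graph: SyscallGraph, entry: str) -> Set[str]:
    """Syscalls reachable from the program entry (dead code contributes nothing)."""
    seen: Set[str] = set()
    todo = [entry]
    while todo:
        node = todo.pop()
        if node in seen:
            continue
        seen.add(node)
        todo.extend(graph.get(node, []))
    return seen


def enumerate_ngrams(graph: SyscallGraph, entry: str, n: int) -> Set[Tuple[str, ...]]:
    """Every N-length syscall sequence the binary can produce: each walk of n nodes
    starting at any reachable syscall, since a runtime window may begin anywhere.
    The number of walks is bounded by |V| * d^(n-1), so the DFS terminates despite cycles."""
    allowed: Set[Tuple[str, ...]] = set()
    stack = [(node,) for node in reachable(graph, entry)]
    while stack:
        path = stack.pop()
        if len(path) == n:
            allowed.add(path)
            continue
        for nxt in graph.get(path[-1], []):
            stack.append(path + (nxt,))
    return allowed


def monitor(trace: List[str], allowed: Set[Tuple[str, ...]], n: int
            ) -> Optional[Tuple[int, Tuple[str, ...]]]:
    """Slide an n-length window over the observed trace. Returns None if every
    window is in the allowed set, otherwise (offset, window) of the first violation."""
    window: deque = deque(maxlen=n)
    for i, call in enumerate(trace):
        window.append(call)
        if len(window) == n and tuple(window) not in allowed:
            return i - n + 1, tuple(window)
    return None


def random_walk(graph: SyscallGraph, entry: str, length: int, seed: int) -> List[str]:
    """A trace the binary could legitimately produce (constructed by walking the graph)."""
    rng = random.Random(seed)
    trace, node = [entry], entry
    while len(trace) < length and graph.get(node):
        node = rng.choice(graph[node])
        trace.append(node)
    return trace


# Constructed traces.
BENIGN_TRACE = ["open", "read", "read", "write", "close", "exit"]
# Injected code issues two writes in a row: each call exists in the binary,
# but "write" is never followed by "write" in its control flow.
ATTACK_TRACE = ["open", "read", "write", "write", "close", "exit"]
# Only uses transitions the binary admits, so the model accepts it.
MIMICRY_TRACE = ["open", "read", "write", "read", "close", "exit"]

if __name__ == "__main__":
    N = 3
    allowed = enumerate_ngrams(EXAMPLE_GRAPH, EXAMPLE_ENTRY, N)
    print(f"{len(allowed)} allowed {N}-grams")
    for name, trace in [("benign", BENIGN_TRACE), ("attack", ATTACK_TRACE),
                        ("mimicry", MIMICRY_TRACE)]:
        print(name, monitor(trace, allowed, N))
```

The zero false-positive property in the abstract falls directly out of the construction: any window of a trace the binary actually produced is a walk in the graph, so it is in the enumerated set, provided the graph is complete (a stripped, packed or self-modifying executable breaks that assumption). The window length N trades coverage against cost: the allowed set grows roughly as d^(N-1) in the branching factor, and a longer N constrains an attacker more but requires the static model to resolve indirect calls precisely enough to keep the enumeration sound.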