Authors: Tian Xinguang [1], Gao Lizhi [2], Sun Chunlai [3], Zhang Eryang [1]
Affiliations: [1] College of Electronic Science and Engineering, National University of Defense Technology, Changsha 410073; [2] Department of Electronic Engineering, Tsinghua University, Beijing 100084; [3] Institute of Computing Technology, Beijing Jiaotong University, Beijing 100044
Source: Journal of Computer Research and Development (计算机研究与发展), 2007, No. 9, pp. 1538-1544 (7 pages)
Funding: National "863" High Technology Research and Development Program (863-307-7-5); Beijing Capitel (首信) Group major research fund project (050203)
Abstract: Anomaly detection is the main direction of current intrusion detection research. This paper presents a new method for anomaly detection of program behavior based on system calls and a Markov chain model, applicable to host-based intrusion detection systems that use system calls as audit data. The method models the normal behavior of a privileged program on the host with a first-order homogeneous Markov chain, associates the states of the chain with the distinct system calls the program issues at run time (as observed in training data), and introduces one additional state; the parameters of the Markov chain are computed under an ergodicity assumption. At the detection stage, the occurrence probabilities of the chain's state sequences are computed and used to measure how anomalous the monitored program's current behavior is, and two selectable decision schemes, derived from the actual meaning of the chain's states and the particular characteristics of program behavior, determine whether that behavior is normal or anomalous. The method balances computational cost and detection accuracy: it is less computationally expensive than the hidden-Markov-model method of Warrender et al. and therefore better suited to on-line detection, and it achieves higher detection accuracy than the artificial-immune-inspired system-call-sequence methods of Hofmeyr and Forrest. Experiments demonstrate its promising performance, and the method has been deployed in a practical host-based intrusion detection system, where it shows good detection performance.
Keywords: intrusion detection; Markov chain; anomaly detection; program behavior; system calls
Classification: TP393 [Automation and Computer Technology - Computer Application Technology]
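The following Python example is added here to make the abstract's design concrete; it is not the paper's code. It keeps the points the abstract fixes (one state per distinct system call seen in training plus one extra state, parameters estimated from relative frequencies in a single long trace under an ergodicity assumption, windowed state-sequence probabilities at detection time, two selectable decision schemes) and treats everything else as its own assumption: the extra state absorbs system calls unseen in training, transition counts are additively smoothed, the window length is 8, scheme A thresholds the window log-probability and scheme B counts "rare" transitions, with any transition touching the extra state counted as rare. The traces are constructed toy data, not real audit records.

```python
"""Added example, not the paper's code: a first-order homogeneous Markov chain
over system calls, trained on a normal trace of a privileged program and used to
score new traces by state-sequence probability.  The meaning of the extra state,
the smoothing constant, the window length and both decision rules are this
example's own assumptions."""
import math
from collections import Counter, defaultdict

OTHER = "<other>"  # extra state; here it absorbs any syscall unseen in training (assumption)


class SyscallMarkovChain:
    def __init__(self, alpha=0.01):
        self.alpha = alpha   # additive smoothing: unseen transitions get a small finite probability
        self.known = set()
        self.states = []
        self.pi = {}         # pi[s]: probability that a window starts in state s
        self.trans = {}      # trans[a][b]: P(next state = b | current state = a)

    def _state(self, call):
        return call if call in self.known else OTHER

    def fit(self, trace):
        """Estimate pi and the transition matrix from a single long normal trace.
        Ergodicity assumption: the time-average frequency of each state in one
        trace stands in for its stationary probability, so no ensemble of traces
        is needed."""
        self.known = set(trace)
        self.states = sorted(self.known) + [OTHER]
        n = len(self.states)
        occ = Counter(trace)
        pairs = defaultdict(Counter)
        for a, b in zip(trace, trace[1:]):
            pairs[a][b] += 1
        self.pi = {s: (occ[s] + self.alpha) / (len(trace) + self.alpha * n) for s in self.states}
        self.trans = {}
        for a in self.states:
            row = sum(pairs[a].values())
            self.trans[a] = {b: (pairs[a][b] + self.alpha) / (row + self.alpha * n) for b in self.states}
        return self

    def log_prob(self, window):
        """log P(s_1..s_k) = log pi(s_1) + sum_i log P(s_i | s_{i-1}) for one window."""
        s = [self._state(c) for c in window]
        lp = math.log(self.pi[s[0]])
        for a, b in zip(s, s[1:]):
            lp += math.log(self.trans[a][b])
        return lp

    def window_scores(self, trace, k):
        return [self.log_prob(trace[i:i + k]) for i in range(len(trace) - k + 1)]

    def scheme_a(self, trace, k, threshold):
        """Decision scheme A (assumption): flag the trace if any length-k window's
        sequence log-probability falls below a threshold calibrated on normal data."""
        worst = min(self.window_scores(trace, k))
        return worst < threshold, worst

    def scheme_b(self, trace, k, eps=0.01, max_rare=1):
        """Decision scheme B (assumption): use the meaning of the states rather than
        the raw probability.  Any transition into or out of the extra state (an
        unseen syscall) or with P < eps is 'rare'; flag if some window of k calls
        holds more than max_rare rare transitions."""
        s = [self._state(c) for c in trace]
        rare = [1 if OTHER in (a, b) or self.trans[a][b] < eps else 0 for a, b in zip(s, s[1:])]
        worst = max(sum(rare[i:i + k - 1]) for i in range(len(rare) - (k - 1) + 1))
        return worst > max_rare, worst


def calibrate_threshold(model, normal_trace, k, margin=2.0):
    """Scheme A threshold: lowest window log-probability on normal data minus a margin."""
    return min(model.window_scores(normal_trace, k)) - margin


# Constructed traces (not real audit data): a toy request-serving loop.
CYCLE = ["accept", "read", "open", "fstat", "mmap", "write", "munmap", "close"]
NORMAL_TRAIN = CYCLE * 20
NORMAL_TEST = CYCLE * 5
# same loop, but one request hands the process to syscalls never seen in training
ATTACK_TRACE = CYCLE + ["accept", "read", "execve", "dup2", "dup2", "read", "write", "close"] + CYCLE
# only known syscalls, but in an order never seen in training
REORDERED_TRACE = CYCLE + ["accept", "read", "open", "open", "open", "open", "read", "close"] + CYCLE

K = 8  # window length (assumption)


def evaluate():
    """Train on NORMAL_TRAIN and return both schemes' verdicts for each test trace."""
    model = SyscallMarkovChain().fit(NORMAL_TRAIN)
    thr = calibrate_threshold(model, NORMAL_TRAIN, K)
    results = {}
    for name, trace in [("normal", NORMAL_TEST), ("attack", ATTACK_TRACE), ("reordered", REORDERED_TRACE)]:
        results[name] = {"scheme_a": model.scheme_a(trace, K, thr)[0],
                         "scheme_b": model.scheme_b(trace, K)[0]}
    return results


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(name, verdict)
```

Scheme A is the cheaper one to run on-line (one table lookup and one addition per system call), which is the property the abstract contrasts with the HMM approach; scheme B shows why the extra state matters: a call outside the training vocabulary is itself evidence of anomaly, independently of how the smoothed probability happens to come out.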