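Authors: Wang Qiong[1], Ni Guiqiang[1], Pan Zhisong[1], Miao Zhimin[1], Hu Guyu[1]
Affiliation: [1] Institute of Command Automation, PLA University of Science and Technology, Nanjing 210007
Source: Journal of Data Acquisition and Processing (《数据采集与处理》), 2009, No. 4, pp. 508-513, 6 pages
Funding: Supported by the National Natural Science Foundation of China (60603029) and the Natural Science Foundation of Jiangsu Province (BK2005009)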
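Abstract: To address the excessive computational cost of hidden Markov models, a new anomaly detection method based on the hidden Markov model (HMM) is proposed. Exploiting the local regularity of system call execution traces, it uses an improved HMM (IHMM) learning algorithm to build a model of normal program behavior. During detection, the system call data under test is first divided with a sliding window, and anomalies are determined using the normal behavior model; whether the process is behaving abnormally is judged from the percentage of anomalous short sequences among all short sequences. Experimental results show that the training time of this method is only 1% of that of the traditional method. When the threshold varies over a fairly wide range, the detection performance of the model remains stable. This shows that, by avoiding repeated computation over large numbers of identical short sequences, the method significantly reduces training time and computational overhead and is practical in real applications.
English abstract: A highly efficient HMM-based anomaly intrusion detection scheme is given. Firstly, distinct short sequences are extracted from normal traces of system calls and a normal program behavior model is established with the improved HMM (IHMM) training algorithm. At the stage of anomaly detection, a slide window is used by the test sequence and the generated short sequences through the normal model. The short sequence is considered mismatch if the output probability is lower than a preset threshold. The identification of abnormal behavior lies on the ratio between the numbers of the matched short sequences and that of all short sequences in the test trace. Experimental results show that the training time of the method is 1% of the traditional method compared with the conventional training. The HMM-based model has stable performance with threshold fluctuating, thus it is more feasible in practice.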
Classification number: TP393.08 [Automation and Computer Technology: Computer Application Technology]