融合注意力与卷积的系统调用异常检测  

作　　者：陈仲磊 伊鹏[1] 陈祥 胡涛[1] CHEN Zhongei;YI Peng;CHEN Xiang;HU Tao(Information Engineering University,Zhengzhou 450001,China)

机构地区：[1]信息工程大学,河南郑州450001

出　　处：《信息工程大学学报》2023年第4期475-483,共9页Journal of Information Engineering University

基　　金：国家重点研发计划资助项目(2019YFB802505,2020YFB806402)。

摘　　要：基于系统调用数据是实施主机异常检测的一种有效手段,然而现有检测技术无法有效应对混淆攻击。提出一种融合注意力与卷积的系统调用异常检测模型,能够同时关注到系统调用序列展现的进程全局行为与每一个时间窗口的局部行为。首先,设计了一种混淆攻击数据模拟生成方法解决样本数据不平衡问题,提出基于进程行为特征的序列补齐方法增强系统调用语义特征;其次,融合注意力机制与一维权重卷积网络同时从系统调用序列的全局与局部提取数据特征;最后,基于单一变量原则和交叉验证方式获得最优异常检测模型,进而得到异常检测结果。与其他传统异常检测方法对比得出,所提模型具有更高的准确率(96.6%)和较低的误报率(1.9%),同时此模型具有抵抗混淆攻击的能力。It is an effective method to implement host intrusion detection based on system calls that reflect the most primitive and fine-grained behavior information of host.However,existing detection techniques cannot effectively deal with obfuscation attacks.In this paper,an anomaly detection model based on system calls combining attention and convolution is proposed,which can pay attention to both the global process behavior and the local behavior of each time window.First,a method for simulating and generating obfuscation attack data is designed to solve the problem of the data imbalance,and a sequence completion method based on process behavior characteristics is proposed to enhance the semantic characteristics of system calls.Then,the attention mechanism and one-dimensional weighted convolution network are combined to simultaneously extract data features from the global and local aspect.Finally,based on the single variable principle and cross validation method,the optimal constant detection model is obtained,and then the anomaly detection results are obtained.Compared with other traditional anomaly detection methods,the proposed model has higher accuracy(96.6%) and lower false positive rate(1.9%),and has the ability to resist obfuscation attacks.

关 键 词：一维权重卷积 系统调用 多头注意力 位置编码 异常检测 

分 类 号：TP309.1[自动化与计算机技术—计算机系统结构]