Authors: 周楝淞 (ZHOU Liansong) [1]; 唐彰国 (TANG Zhangguo) [2]; 王远强 (WANG Yuanqiang); 郭钢 (GUO Gang); 咸凛 (XIAN Lin); 杨洁 (YANG Jie) [3] (No. 30 Institute of CETC, Chengdu, Sichuan 610041, China; Institute of Computer Network & Communication Technology, Sichuan Normal University, Chengdu, Sichuan 610101, China; Sichuan Electric Power Corporation, Chengdu, Sichuan 610016, China)
Affiliations: [1] No. 30 Research Institute of China Electronics Technology Group Corporation, Chengdu, Sichuan 610041; [2] Institute of Network and Communication Technology, Sichuan Normal University, Chengdu, Sichuan 610101; [3] Sichuan Electric Power Corporation, Chengdu, Sichuan 610016
Source: Communications Technology (《通信技术》), 2024, No. 6, pp. 598-608 (11 pages)
Funding: National Natural Science Foundation of China (U20B2048).
Abstract (translated from the Chinese): Malicious processes are a major threat to system security, and detecting system call sequences is an effective way to discover them. The call sequences produced by different process types differ in length and other aspects, so a single detection method cannot maintain high accuracy across multiple process types. To address this problem, a multi-dimensional process anomaly detection method based on a Long Short-Term Memory (LSTM) neural network is proposed: on top of the time dimension, an N-gram algorithm adds information dimensions to the data, and the dimension with the better feature performance among the multi-dimensional representations is selected for the anomaly decision. Experimental results on the UNM and ADFA-LD datasets show that the multi-dimensional method enriches the feature representation of call sequences, thereby reducing the feature differences between process types, and performs well across multiple process types, improving detection generalization. Compared with commonly used machine learning models on the ADFA-LD dataset, the method's accuracy is 11 percentage points higher than that of the Support Vector Machine (SVM) and its false alarm rate is 70% lower, and it also improves on the detection results of the other models.
Abstract (English, as published): Malicious process is an important factor threatening system security, and it could be found effectively by detecting system call sequences. Since call sequences generated by different process types could vary in length and other aspects, single detection method cannot maintain a high accuracy rate on the detection of multiple process types. To address this problem, a multi-dimensional process abnormal behavior detection method based on LSTM (Long Short-Term Memory) neural network is proposed, which increases the information dimension of the data through N-gram algorithm on the basis of time dimension, and selects the dimension with better feature performance in the multi-dimensional data form for abnormal judgment. Experimental results on UNM and ADFA-LD datasets indicate that the multi-dimensional method can enrich the feature representation of call sequences, reduce the feature differences of different process types, and have better detection effects under various process types, which lead to enhanced detection generalization. Compared with commonly used machine learning models on the ADFA-LD dataset, the accuracy of this method is 11% higher than that of SVM (Support Vector Machine), and the false alarm rate is reduced by 70%, which is an improvement over the detection of other models.
Keywords: system call; multi-dimensional; information gain; long short-term memory; anomaly detection
Classification code: TP309 [Automation and Computer Technology - Computer System Architecture]