A Two-Layer Markov Chain Model for Anomaly Intrusion Detection (一个两层马尔可夫链异常入侵检测模型)
Authors: 徐明, 陈纯, 应晶 (Xu Ming, Chen Chun, Ying Jing)
Funding:

Supported by the National High-Tech Research and Development Plan of China (863 Program) under Grant No.2003AA1Z2120; the Natural Science Foundation of Zhejiang Province of China under Grant No.Y104426; the Scientific Research Fund of Zhe

Abstract:

Building on the existing single-layer Markov chain anomaly detection model, this paper proposes a new two-layer model. Two processes of distinctly different character, the sequence of requests handled by a service and the sequence of system calls issued within a single request, are separated into two layers and modelled by different Markov chains. The two-layer structure describes the dynamic behaviour of the protected service process more accurately than a single-layer chain can, so the model achieves a higher detection rate and a lower false-alarm rate. In addition, a detected anomaly is confined to the request section in which it actually occurs. The model is suited to anomaly intrusion detection for privileged processes, especially those that follow a request-response pattern.
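The abstract describes the two-layer architecture but not how the chains are estimated or scored. The following is an added illustration, not the paper's code or data: a two-layer detector in Python with one first-order chain over request types (upper layer) and one first-order chain per request type over its system calls (lower layer). Everything beyond the abstract is an assumption made here: add-one smoothing, a per-transition surprise score -log p(next | current), a threshold equal to the worst surprise seen in training plus a margin, and the training and test traces, which are constructed for a hypothetical request-response daemon.

```python
"""Two-layer Markov-chain anomaly detector for request-structured syscall traces.

Upper layer: a first-order Markov chain over the sequence of request types a
service process handles. Lower layer: one first-order Markov chain per request
type over the system calls issued while a request of that type is served.
Both use add-one smoothing and a per-transition surprise score -log p(next|cur);
a request section is flagged when its most surprising transition exceeds a
threshold learned from normal traces (these details are assumptions here).
"""
from __future__ import annotations

from collections import defaultdict
from math import log
from typing import Dict, List, Sequence, Tuple

START = "<start>"
Request = Tuple[str, List[str]]   # (request type, syscall sequence)
Alarm = Tuple[int, str, float]    # (request index, layer, score)


class MarkovChain:
    """First-order Markov chain with add-one smoothing over an open alphabet."""

    def __init__(self) -> None:
        self.counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        self.alphabet: set = set()

    def train(self, seq: Sequence[str]) -> None:
        prev = START
        for sym in seq:
            self.counts[prev][sym] += 1
            self.alphabet.add(sym)
            prev = sym

    def prob(self, prev: str, sym: str) -> float:
        row = self.counts.get(prev, {})
        total = sum(row.values())
        # The extra +1 in the denominator reserves mass for never-seen symbols.
        return (row.get(sym, 0) + 1) / (total + len(self.alphabet) + 1)

    def surprises(self, seq: Sequence[str]) -> List[float]:
        """-log p for every transition, starting from the START state."""
        out, prev = [], START
        for sym in seq:
            out.append(-log(self.prob(prev, sym)))
            prev = sym
        return out


def peak(scores: Sequence[float]) -> float:
    return max(scores) if scores else 0.0


class TwoLayerDetector:
    def __init__(self, margin: float = 0.5) -> None:
        self.margin = margin                 # slack above the worst training score
        self.upper = MarkovChain()
        self.lower: Dict[str, MarkovChain] = {}
        self.upper_threshold = 0.0
        self.lower_threshold: Dict[str, float] = {}

    def train(self, sessions: Sequence[Sequence[Request]]) -> None:
        for session in sessions:
            self.upper.train([rtype for rtype, _ in session])
            for rtype, calls in session:
                self.lower.setdefault(rtype, MarkovChain()).train(calls)
        # Thresholds: most surprising transition observed in normal data, plus margin.
        self.upper_threshold = max(
            peak(self.upper.surprises([r for r, _ in s])) for s in sessions) + self.margin
        for rtype, chain in self.lower.items():
            worst = max(peak(chain.surprises(c)) for s in sessions for r, c in s if r == rtype)
            self.lower_threshold[rtype] = worst + self.margin

    def detect(self, session: Sequence[Request]) -> List[Alarm]:
        """Return alarms tagged with the request index where the anomaly lies."""
        alarms: List[Alarm] = []
        # Upper layer: is this request type plausible after the previous one?
        for i, s in enumerate(self.upper.surprises([r for r, _ in session])):
            if s > self.upper_threshold:
                alarms.append((i, "request", s))
        # Lower layer: are the syscalls inside each request plausible for its type?
        for i, (rtype, calls) in enumerate(session):
            chain = self.lower.get(rtype)
            if chain is None:                 # request type never seen in training
                alarms.append((i, "syscall", float("inf")))
                continue
            s = peak(chain.surprises(calls))
            if s > self.lower_threshold[rtype]:
                alarms.append((i, "syscall", s))
        return sorted(alarms)


# Constructed traces for a hypothetical request-response daemon (not real data).
AUTH_CALLS = ["read", "open", "read", "close", "write"]
GET_CALLS = ["read", "open", "read", "write", "close"]
PUT_CALLS = ["read", "open", "write", "close", "write"]
NORMAL_SESSIONS: List[List[Request]] = [
    [("AUTH", AUTH_CALLS), ("GET", GET_CALLS), ("GET", GET_CALLS)],
    [("AUTH", AUTH_CALLS), ("GET", GET_CALLS), ("PUT", PUT_CALLS)],
    [("AUTH", AUTH_CALLS), ("PUT", PUT_CALLS), ("GET", GET_CALLS)],
]
# A GET that spawns a process: execve/fork were never seen in training.
INJECTED_SESSION: List[Request] = [
    ("AUTH", AUTH_CALLS),
    ("GET", ["read", "open", "read", "execve", "fork", "write", "close"]),
    ("GET", GET_CALLS),
]
# Syscalls are normal, but the session skips the usual AUTH request first.
UNAUTH_SESSION: List[Request] = [("GET", GET_CALLS), ("GET", GET_CALLS)]


def build_demo_detector() -> TwoLayerDetector:
    det = TwoLayerDetector(margin=0.5)
    det.train(NORMAL_SESSIONS)
    return det


if __name__ == "__main__":
    det = build_demo_detector()
    for name, sess in [("normal", NORMAL_SESSIONS[1]), ("injected", INJECTED_SESSION),
                       ("unauth", UNAUTH_SESSION)]:
        print(name, det.detect(sess))
```

Each alarm carries the index of the request section it belongs to, which is the property the abstract claims for the two-layer design: the injected execve shows up as a syscall-layer alarm on request 1 only, while the missing AUTH shows up as a request-layer alarm on request 0 with no syscall-layer alarm at all, because every individual request still looks normal. One caveat of the smoothing chosen here: a transition out of a state that never appeared in training scores only log(|alphabet| + 1), so the threshold margin has to be small relative to the surprise of the first unseen transition, and in practice the training traces must cover the service's legitimate paths or normal rare requests will trip the upper layer.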

Cite this article:

Xu M, Chen C, Ying J. A two-layer Markov chain model for anomaly intrusion detection. Journal of Software (软件学报), 2005, 16(2): 276-285

History
  • Received: 2002-12-17
  • Last revised: 2003-11-07
Copyright: Institute of Software, Chinese Academy of Sciences