
Research and Implementation of Anomaly Detection Techniques Based on Program Behavior

【Author】 唐浩 (Tang Hao)

【Supervisor】 周东清 (Zhou Dongqing)

【Author information】 Dalian University of Technology, Computer Application Technology, 2004, Master's thesis

【Abstract (translated from Chinese)】 With the rapid development of Internet technology, the problem of network intrusion has become increasingly serious, and intrusion detection has become an important component of the network security defense system. An intrusion detection system collects information from a number of key points in a computer network or computer system and analyzes it in order to discover whether there is behavior that violates the security policy, or signs that the network or system is under attack. Anomaly detection, as an important branch of intrusion detection, is receiving more and more attention. Since a Linux process can be characterized by the sequence of system calls it issues, its behavior pattern can be understood by analyzing that system call sequence. On this basis, this thesis investigates two methods for extracting patterns from, and detecting anomalies in, the system call sequences of Linux processes: 1. An anomaly detection method based on a hybrid HMM/MLP model. In this method a multilayer perceptron (MLP) is used as the probability estimator for the HMM in order to overcome the shortcomings of the HMM approach. A hybrid HMM/MLP anomaly detection model based on system calls is built to model normal behavior and thereby detect anomalies, and the training and detection algorithms for the model are given. Experimental results show that both the false negative rate and the false positive rate of the hybrid system are lower than those of the HMM method. 2. An anomaly detection method based on RBF neural networks. An RBF neural network is proposed for building the profile of normal behavior used in anomaly detection. Compared with anomaly detection implemented with BP networks and with the HMM method, the RBF method achieves a higher detection rate, a lower false positive rate and a shorter training time. Both methods are evaluated and compared in simulation experiments on the synthetic data set provided by the University of New Mexico, showing that both improve the performance of the intrusion detection system. The thesis concludes with a discussion of future work and an outlook on the further development and application of intrusion detection.

【Abstract】 With the rapid development of the Internet, network intrusion is becoming a serious problem, and intrusion detection has become a critical component of network security administration. An intrusion detection system is a combination of hardware and software that monitors and collects system and network information and analyzes it to determine whether an attack or an intrusion has occurred. As an important branch of intrusion detection, anomaly detection attracts more and more attention. Since a sequence of system calls gives a stable signature for a Linux process, the behavior of the process can be explored by analyzing its system call sequences. So, in this thesis, two methods are investigated for detecting abnormal process behavior under Linux using system call sequences: One is to learn behavior patterns and to detect anomalous behavior using a hybrid HMM/MLP model. In this method, a Multilayer Perceptron (MLP) is used as the probability estimator in the HMM framework to alleviate the limitations of the HMM based system. A hybrid HMM/MLP anomaly detection model based on system calls is proposed, and the training algorithm and detection algorithm are presented. The practical implementation of this hybrid system is also illustrated. Experimental results show that the false negative rate and the false positive rate of the hybrid system are both lower than those of the HMM based system. The other is to use RBF neural networks to model normal behavior based on system calls. Compared with BP neural networks and the HMM based method, the method based on RBF networks has a higher detection rate, a lower false positive rate and a shorter training time. The two methods are both tested on the data provided by the University of New Mexico. The results of our preliminary experiments have shown that both methods improve the performance of the intrusion detection system. Finally, some problems to be further studied are discussed, along with the further development of intrusion detection.

  • 【Classification number】TP311.1
  • 【Times cited】1
  • 【Downloads】211