国防科技大学学报

引用本文:	孙宏伟,田新广,邹涛,等.基于隐马尔可夫模型的IDS程序行为异常检测.[J].国防科技大学学报,2003,25(5):63-67.[点击复制]
	SUN Hongwei,TIAN Xinguang,ZOU Tao,et al.Anomaly Detection of the Program Behaviors for IDS Based on Hidden Markov Models[J].Journal of National University of Defense Technology,2003,25(5):63-67[点击复制]

【打印本页】【在线阅读全文】【下载PDF全文】【查看/发表评论】【下载PDF阅读器】【关闭】

←前一篇|后一篇→

过刊浏览高级检索

本文已被：浏览 6579次下载 5895次

基于隐马尔可夫模型的IDS程序行为异常检测

孙宏伟, 田新广, 邹涛, 张尔扬

(国防科技大学电子科学与工程学院，湖南长沙 410073)

摘要:

提出一种新的基于隐马尔可夫模型的程序行为异常检测方法，此方法利用系统调用序列，并基于隐马尔可夫模型来描述程序行为，根据程序行为模式的出现频率对其进行分类，并将行为模式类型同隐马尔可夫模型的状态联系在一起。由于各状态对应的观测值集合互不相交，模型训练中采用了运算量较小的序列匹配方法，与传统的Baum-Welch算法相比，训练时间有较大幅度的降低。考虑到模型中状态的特殊含义以及程序行为的特点，将加窗平滑后的状态序列出现概率作为判决依据。实验表明，此方法具有很高的检测准确性，其检测效率也优于同类方法。

关键词: 入侵检测系统异常检测隐马尔可夫模型系统调用

DOI：

投稿日期：2003-01-13

基金项目:北京首信集团重大科研项目(020015)

Anomaly Detection of the Program Behaviors for IDS Based on Hidden Markov Models

SUN Hongwei, TIAN Xinguang, ZOU Tao, ZHANG Eryang

(College of Electronic Science and Engineering, National Univ. of Defense Technology, Changsha 410073, China)

Abstract:

A new method for anomaly detection of the program behaviors based on hidden Markov models is presented. The method uses system calls to represent the behavior profiles of programs based on hidden Markov models. The behavior patterns of programs are classified according to their frequency distributions, and the states of the hidden Markov models are associated with the classes of the behavior patterns. Because the collections of observations corresponding to different states are mutually disjoint, the models can be trained with a sequence matching algorithm which requires lower computational complexity and less computation time than the classical Baum-Welch algorithm. A decision rule based on the probabilities of short state sequences is adopted while the particularity of the model states is taken into account. The performance of the method is tested by computer simulation. The results show it maintains higher detection accuracy and efficiency than other alternative approaches.

Keywords: IDS anomaly detection hidden Markov model system call