Computer Engineering and Applications ›› 2008, Vol. 44 ›› Issue (33): 115-118. DOI: 10.3778/j.issn.1002-8331.2008.33.036

• Networks, Communications, Security •

A hidden semi-Markov model approach to host-based anomaly detection

PENG Zhu-miao, ZHANG Zheng-dao

  1. School of Communication and Control Engineering, Southern Yangtze University, Wuxi, Jiangsu 214122
  • Received: 2007-12-17 Revised: 2008-04-02 Online: 2008-11-21 Published: 2008-11-21
  • Contact: PENG Zhu-miao

Host oriented anomaly detection system based on hidden semi-Markov model

PENG Zhu-miao, ZHANG Zheng-dao

  1. School of Communication and Control Engineering, Southern Yangtze University, Wuxi, Jiangsu 214122, China
  • Received: 2007-12-17 Revised: 2008-04-02 Online: 2008-11-21 Published: 2008-11-21
  • Contact: PENG Zhu-miao

Abstract: A framework for a host-based intrusion detection system built on the HSMM model is proposed. Using BSM audit data as the data source, the privilege-flow system-call sequences of normal host behavior are extracted and modeled with an HSMM; the current host behavior is then compared against this model to decide whether it is anomalous. Privilege-flow change events are chosen as the object of study to shorten modeling time and to filter out excess useless information, which improves detection efficiency to some extent. Experimental results show that the proposed HSMM method outperforms HMM: a system built with it not only saves training time but also raises the detection rate while lowering the false-positive rate.

Key words: anomaly detection, hidden semi-Markov model, BSM audit data, privilege flow

Abstract: A host-oriented anomaly detection system framework based on a hidden semi-Markov model is given. BSM audit data are used as the research data source. First, the privilege-flow system-call sequences of normal host behavior are selected. Then the normal behavior of the computer is modeled using an HSMM, and by comparing the current computer behavior with the model we can determine whether the current behavior is normal. This paper selects the privilege-flow events of BSM audit data as the research target so as to shorten the modeling time to some extent and to improve detection performance by filtering useless data. The experimental results reveal that the proposed method is better than the HMM method, for the former not only shortens the training time but also decreases the false-positive rate while increasing the detection rate.

Key words: anomaly detection, hidden semi-Markov model, BSM audit data, privilege flow
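The abstract describes the detection loop at a high level: model normal privilege-flow system-call sequences with an HSMM, then score each new sequence against the model and flag it when it fits poorly. The following is an added example, not code from the paper or its authors, showing that loop with a minimal explicit-duration HSMM. Everything in it is assumed: the four hidden phases ("start", "priv", "work", "end") and the annotated normal traces are constructed, the parameters are estimated by counting over those labelled traces (a supervised simplification; the paper would fit the model to unlabelled BSM traces), the maximum duration `D_MAX`, the smoothing constant `EPS` and the per-call margin `MARGIN` are arbitrary choices, and no BSM parsing is done, the input is already a list of system-call names.

```python
"""Added example (not from the paper): a minimal explicit-duration HSMM that
scores privilege-flow system-call sequences and flags anomalous ones.
Parameters are estimated by counting over constructed, state-annotated normal
traces (a supervised simplification; the paper would fit the model to unlabeled
BSM traces), and new traces are scored with the HSMM forward algorithm."""
import math
from collections import Counter, defaultdict
from itertools import groupby

D_MAX = 6       # longest state duration the model represents (assumed)
EPS = 1e-6      # additive smoothing: unseen calls/durations become unlikely, not impossible
MARGIN = 1.0    # nats per call below the worst normal training score before flagging
UNK = "<unk>"   # bucket for system calls never seen in the normal traces

# Constructed normal traces as (hypothetical phase, system call) pairs; the
# phases stand in for the hidden states of a privileged program's lifetime.
NORMAL_TRACES = [
    [("start", "execve"), ("start", "open"), ("start", "open"),
     ("priv", "setuid"), ("priv", "setgid"),
     ("work", "open"), ("work", "read"), ("work", "write"), ("work", "close"),
     ("end", "exit")],
    [("start", "execve"), ("start", "open"), ("priv", "setuid"),
     ("work", "open"), ("work", "read"), ("work", "close"),
     ("work", "open"), ("work", "read"), ("work", "close"), ("end", "exit")],
    [("start", "execve"), ("start", "open"), ("start", "open"), ("start", "open"),
     ("priv", "setgid"), ("priv", "setuid"),
     ("work", "read"), ("work", "write"), ("work", "close"), ("end", "exit")],
    [("start", "execve"), ("priv", "setuid"), ("priv", "setgid"),
     ("work", "open"), ("work", "read"), ("work", "read"), ("work", "write"),
     ("work", "close"), ("end", "close"), ("end", "exit")],
]
# Constructed unlabeled test traces: one resembling the normal traces, one that
# raises privilege and then issues calls never seen during training.
NORMAL_TEST = ["execve", "open", "setuid", "setgid", "open", "read", "write", "close", "exit"]
ANOMALOUS_TEST = ["execve", "setuid", "chmod", "chown", "execve", "execve", "setuid", "exit"]


def segments(trace):
    """Split an annotated trace into runs of constant state: [(state, [calls]), ...]."""
    return [(s, [c for _, c in grp]) for s, grp in groupby(trace, key=lambda x: x[0])]


def _smooth(counts, keys):
    """Turn counts into a smoothed probability table over exactly `keys`."""
    keys = list(keys)
    total = sum(counts.get(k, 0) for k in keys)
    return {k: (counts.get(k, 0) + EPS) / (total + EPS * len(keys)) for k in keys}


def train(traces):
    """Estimate initial, transition, duration and emission tables from labeled traces."""
    states = sorted({s for tr in traces for s, _ in tr})
    vocab = sorted({c for tr in traces for _, c in tr} | {UNK})
    init, trans, dur, emit = Counter(), defaultdict(Counter), defaultdict(Counter), defaultdict(Counter)
    for tr in traces:
        segs = segments(tr)
        init[segs[0][0]] += 1
        for k, (s, calls) in enumerate(segs):
            dur[s][min(len(calls), D_MAX)] += 1   # durations beyond D_MAX are clipped
            emit[s].update(calls)
            if k + 1 < len(segs):
                trans[s][segs[k + 1][0]] += 1
    return {
        "states": states,
        "vocab": set(vocab),
        "pi": _smooth(init, states),
        # no self-transitions: staying in a state is expressed by its duration, not by A
        "A": {i: {**_smooth(trans[i], [j for j in states if j != i]), i: 0.0} for i in states},
        "dur": {s: _smooth(dur[s], range(1, D_MAX + 1)) for s in states},
        "emit": {s: _smooth(emit[s], vocab) for s in states},
    }


def log_likelihood(model, calls):
    """HSMM forward pass: log P(calls) summed over all state/duration segmentations."""
    S, pi, A, dur, emit = (model[k] for k in ("states", "pi", "A", "dur", "emit"))
    obs = [c if c in model["vocab"] else UNK for c in calls]
    T = len(obs)
    # alpha[t][j] = P(obs[:t] and a segment of state j ends exactly at position t)
    alpha = [{j: 0.0 for j in S} for _ in range(T + 1)]
    for t in range(1, T + 1):
        for j in S:
            for d in range(1, min(D_MAX, t) + 1):
                start = t - d
                prev = pi[j] if start == 0 else sum(alpha[start][i] * A[i][j] for i in S)
                seg = dur[j][d]
                for o in obs[start:t]:
                    seg *= emit[j][o]
                alpha[t][j] += prev * seg
    p = sum(alpha[T].values())
    return math.log(p) if p > 0.0 else float("-inf")


def score(model, calls):
    """Per-call log-likelihood, so traces of different length are comparable."""
    return log_likelihood(model, calls) / len(calls)


def threshold(model, traces):
    """Worst per-call score among the normal training traces, minus a safety margin."""
    return min(score(model, [c for _, c in tr]) for tr in traces) - MARGIN


def is_anomalous(model, calls, thr):
    """Flag a trace whose per-call score falls below the learned threshold."""
    return score(model, calls) < thr


if __name__ == "__main__":
    m = train(NORMAL_TRACES)
    thr = threshold(m, NORMAL_TRACES)
    for name, tr in (("normal", NORMAL_TEST), ("anomalous", ANOMALOUS_TEST)):
        print(f"{name}: score={score(m, tr):.2f} threshold={thr:.2f} flagged={is_anomalous(m, tr, thr)}")
```

The duration table is what distinguishes this from a plain HMM: a state's length is drawn from `dur[s]` rather than from a geometric self-loop, which is the modelling advantage the abstract claims for HSMM over HMM. Unknown calls map to the `<unk>` bucket, so a trace that raises privilege and then issues calls never seen in normal operation collapses in likelihood and is flagged, while a trace following the normal phase structure stays above the threshold.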