Computer Engineering and Applications ›› 2010, Vol. 46 ›› Issue (23): 79-81.DOI: 10.3778/j.issn.1002-8331.2010.23.022

• 网络、通信、安全 • Previous Articles     Next Articles

Applying probabilistic suffix tree to intrusion detection

ZHENG Qi1,2,JIANG Sheng-yi2,TANG Yong1   

  1. 1.Sun Yat-sen College of Medical Science,Sun Yat-sen University,Guangzhou 510080,China
    2.School of Informatics,Guangdong University of Foreign Studies,Guangzhou 510006,China
  • Received:2009-05-12 Revised:2009-07-29 Online:2010-08-11 Published:2010-08-11
  • Contact: ZHENG Qi

概率后缀树在入侵检测中的应用研究

郑 琪1,2,蒋盛益2,汤 庸1   

  1. 1.中山大学 中山医学院,广州 510080
    2.广东外语外贸大学 信息科学与技术学院,广州 510006
  • 通讯作者: 郑 琪

Abstract: System call trace is one of the behavior characters of system process.Each system call of the trace depends on a few previous system calls.Thus,probabilistic suffix tree is used to model the system call trace,and capture the probabilistic characteristic of the system call.Two definitions of abnormal metric are given.When detecting the abnormal trace,train the PST with normal system call traces,and then calculate the abnormal metric of each trace,which is used to compare with a given limit.Experiment shows that this measurement can well distinct normal process from abnormal process.

Key words: intrusion detect, system call trace, probabilistic suffix tree

摘要: 系统调用序列能够反映系统进程的行为特征。而系统调用序列中每个调用的出现都与它之前出现的若干个调用相关。因此可以利用概率后缀树(PST)对系统调用序列建模,反映系统调用基于上下文的概率特性。提出了系统调用序列异常度的定义。在进行序列的异常检测时,先利用正常系统调用序列训练PST模型,然后通过该模型,利用计算未知系统调用序列的异常度,根据给定的阈值判断该序列是否异常。实验表明这一度量对于正常进程与异常进程有着良好的区分效果。

关键词: 入侵检测, 系统调用序列, 概率后缀树

CLC Number: