Computer Engineering and Applications ›› 2008, Vol. 44 ›› Issue (18): 109-112.

• Network, Communication, Security •

Host intrusion detection based on sequence of Windows Native API

ZHU Ying-ying (1), YE Mao (1), LIU Nai-qi (1), LI Zheng (2), ZHENG Kai-yuan (1)

  1. College of Computer, University of Electronic Science and Technology of China, Chengdu 610054, China
  2. College of Communication and Information Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China
  • Received: 2007-09-19  Revised: 2007-11-30  Online: 2008-06-21  Published: 2008-06-21
  • Contact: ZHU Ying-ying

Intrusion detection of system behaviour based on Windows Native API sequences

朱莺嘤 (1), 叶茂 (1), 刘乃琦 (1), 李筝 (2), 郑凯元 (1)

  1. College of Computer, University of Electronic Science and Technology of China, Chengdu 610054
  2. College of Communication, University of Electronic Science and Technology of China, Chengdu 610054
  • Corresponding author: 朱莺嘤

Abstract: Considering the shortcomings of intrusion detection on Windows systems and the advantages of Linux intrusion detection based on system call sequences, this paper proposes a kernel-level host intrusion detection scheme that uses the BP (back-propagation) neural network algorithm to learn and classify sequences of Windows Native API calls. Experimental results show that Native API sequences can be used for intrusion detection. The Windows Native API is the kernel-mode API, analogous to the Linux system call interface. The neural network is trained on normal and abnormal Native API sequences. During intrusion detection, the trained network classifies each newly observed Native API sequence to determine whether an intrusion has occurred.

Abstract: Addressing the shortcomings of intrusion detection on Windows systems, this paper studies and draws on the Linux approach of intrusion detection based on system call sequences, and proposes a kernel-level host intrusion detection scheme that uses the BP neural network algorithm to learn and classify Windows Native API sequences. Experiments verify the feasibility of using Windows Native API sequences for system intrusion detection. The Native API is the kernel-mode API of Windows and can be compared to Linux system calls. A BP neural network is trained on Native API sequences to build a classifier that distinguishes normal from abnormal Native API sequences. During intrusion detection, the trained network classifies the continually arriving Windows Native API sequences to judge whether an abnormal intrusion has occurred in the system.
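As an added illustration of the scheme the abstract describes (not code from the paper), the following Python sketch slides a fixed-length window over a trace of Native API call names, one-hot encodes each window, trains a single-hidden-layer back-propagation network on constructed normal and abnormal traces, and scores a newly observed trace by its highest per-window probability of abnormality, with calls never seen in training encoded as zeros. The sample traces, window length, network size and learning rate are assumptions chosen for the sketch.

```python
import math, random

NORMAL = [["NtOpenFile", "NtReadFile", "NtClose"], ["NtCreateFile", "NtWriteFile", "NtClose"],
          ["NtOpenKey", "NtQueryValueKey", "NtClose"]]
ABNORMAL = [["NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx"],
            ["NtOpenProcess", "NtWriteVirtualMemory", "NtCreateThreadEx"]]  # constructed, not the paper's data
WINDOW = 3  # length of the Native API sub-sequence presented to the network
sigmoid = lambda x: 1.0 / (1.0 + math.exp(-x))

def window_vectors(trace, vocab, w=WINDOW):
    # Length-w windows over the trace (None-padded), one-hot per position; unknown calls encode as zeros.
    trace = list(trace) + [None] * max(0, w - len(trace))
    for i in range(len(trace) - w + 1):
        vec = [0.0] * (w * len(vocab))
        for pos, call in enumerate(trace[i:i + w]):
            if call in vocab:
                vec[pos * len(vocab) + vocab[call]] = 1.0
        yield vec

def forward(net, x):
    # net = (w1, b1, w2, b2): one sigmoid hidden layer, sigmoid output = P(abnormal)
    w1, b1, w2, b2 = net
    h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(w1, b1)]
    return h, sigmoid(sum(w * hj for w, hj in zip(w2, h)) + b2)

def train(samples, n_in, n_hidden=6, epochs=2000, lr=0.5, seed=1):
    rnd = random.Random(seed)
    w1 = [[rnd.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
    b1, w2, b2 = [0.0] * n_hidden, [rnd.uniform(-0.5, 0.5) for _ in range(n_hidden)], 0.0
    for _ in range(epochs):  # back-propagation (BP) on squared error, per-sample updates
        for x, target in samples:
            h, out = forward((w1, b1, w2, b2), x)
            d_out = (out - target) * out * (1 - out)  # output-layer error term
            d_hid = [d_out * w * hj * (1 - hj) for w, hj in zip(w2, h)]  # hidden error terms
            for j, hj in enumerate(h):
                w2[j] -= lr * d_out * hj
                b1[j] -= lr * d_hid[j]
                for i, xi in enumerate(x):
                    w1[j][i] -= lr * d_hid[j] * xi
            b2 -= lr * d_out
    return w1, b1, w2, b2

def build_detector(normal=NORMAL, abnormal=ABNORMAL):
    vocab = {c: i for i, c in enumerate(sorted({c for t in normal + abnormal for c in t}))}
    labelled = [(t, 0.0) for t in normal] + [(t, 1.0) for t in abnormal]
    samples = [(x, y) for t, y in labelled for x in window_vectors(t, vocab)]
    return train(samples, WINDOW * len(vocab)), vocab

def score_trace(net, vocab, trace):
    return max(forward(net, x)[1] for x in window_vectors(trace, vocab))
```

A score above 0.5 for any window of a trace is treated as an intrusion signal; a real deployment would collect the traces from a kernel-mode hook rather than from the constructed lists above.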