Abstract: This paper proposes an efficient method to reconstruct the general network intrusion model from transcripts and instruction traces recorded during the intrusion via decompilation，enhanced formal analysis and verification techniques.In contrast to most current works focused on exploit signature generation，this method precisely models context-sensitive relations among malicious messages to reflect the intrusion dynamics，which has practical efficiency and provable soundness.In addition to detailed theoretical analysis，the engineering evaluation and application are also briefly presented.

Key words: network intrusion, model reconstruction, execution traces

摘要： 建立一种重构网络入侵模型的有效方法，依据入侵实例中所记录的入侵过程的消息流及受害软件实际执行的指令流，通过反编译并应用改进的形式分析及验证技术构建出充分一般的入侵模型。与目前绝大多数基于独立消息特征（signature）的入侵模型不同，该模型能精确给出恶意消息上下文之间的关联模式，表达出入侵过程的动态特征，效率可行并具有逻辑上可证明的精确性。在详细阐述方法的理论基础之后，也讨论了针对安全演化的应用。

关键词: 网络入侵, 模型重构, 执行流