Intrusion Detection Model Based on Confidence of Relation Among System Call Arguments
(original title: 基于系统调用参数关系可信度的入侵检测模型)
  • Authors: SHEN Li-min; GUO Chao; MA Chuan
  • Affiliation: College of Information Science and Engineering, Yanshan University / Computer Virtual Technology & System Integration Key Laboratory of Hebei Province
  • Keywords: intrusion detection; system call; argument relation; confidence value
  • Journal: Journal of Chinese Computer Systems (小型微型计算机系统; journal code XXWX)
  • Publication date: 2015-08-15
  • Year: 2015
  • Volume: v.36
  • Issue: 08
  • Pages: 112-116 (5 pages)
  • Article ID: XXWX201508022
  • CN: 21-1106/TP
  • Funding: National Natural Science Foundation of China / Ministry of Education Doctoral Program Special Research Fund (61272125, 20121333110014); Key Science and Technology Research Project of Hebei Higher Education Institutions (ZH2011115)
  • Language: Chinese
Abstract
System-call-based intrusion detection has long been a focus of research on software behavior detection, and its emphasis has shifted from control-flow features alone to the fusion of control-flow and data-flow information, so that a more complete model of behavior can be built. To improve the accuracy of models built on data flow, this paper combines control-flow information and proposes an intrusion detection model based on the confidence of relations among system call arguments (CRA). First, to reduce the complexity of analyzing software behavior, a method that partitions a system call sequence into pattern segments is given. Second, the model introduces call attributes and relations between attributes to describe the data-flow characteristics between system calls. Finally, to raise the precision of the model, two factors, escape probability and support, are introduced; from them the confidence of an argument relation is computed, and that confidence is used to decide whether a given behavior is an intrusion. Experimental results show that a model built in this way not only detects a large number of anomalies but also quantifies the degree of abnormality, improving the accuracy with which anomalous behavior is judged.
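The abstract describes the pipeline but gives no formulas. The following is an added worked example, not the paper's code: it learns equality relations between the arguments and return values of system calls inside pattern segments, estimates support and an escape probability for each relation, folds them into a confidence, and reports the summed confidence of the relations a new trace violates as its degree of abnormality. Everything concrete here is an assumption for illustration: the segment delimiter (`close`), the choice of equality as the only relation type, the Witten-Bell form of the escape probability (`u/(h+u)`), the product `support * (1 - escape)` as the confidence, and the sample traces, which are constructed rather than captured audit data.

```python
"""Added worked example (not the paper's code): argument-relation confidence scoring.

Assumed definitions (the page gives none): a trace is a list of (syscall, attrs),
attrs including the return value under "ret"; the trace is partitioned into pattern
segments that end at "close"; a relation is an equality between an attribute of an
earlier call and an attribute of a later call in the same segment; support is the
fraction of observed call pairs in which the equality held; escape probability is
the Witten-Bell novel-value estimate u/(h+u); confidence = support * (1 - escape).
"""
from collections import defaultdict
from itertools import combinations

SEGMENT_END = "close"   # assumed pattern delimiter for this example


def partition(trace, end=SEGMENT_END):
    """Split a flat trace into pattern segments, each ending at the `end` call."""
    segments, current = [], []
    for call in trace:
        current.append(call)
        if call[0] == end:
            segments.append(current)
            current = []
    if current:                      # a trailing incomplete segment is kept
        segments.append(current)
    return segments


def candidate_pairs(segment):
    """Yield (relation_key, holds, value) for every attribute pair of every ordered call pair."""
    for (name_a, attrs_a), (name_b, attrs_b) in combinations(segment, 2):
        for key_a, val_a in attrs_a.items():
            for key_b, val_b in attrs_b.items():
                yield (name_a, key_a, name_b, key_b), val_a == val_b, val_a


class RelationModel:
    """Learns argument relations from normal traces and scores new traces against them."""

    def __init__(self):
        self.pair_seen = defaultdict(int)   # relation key -> times the call pair occurred
        self.holds = defaultdict(int)       # relation key -> times the equality held
        self.values = defaultdict(set)      # relation key -> distinct values bound when it held

    def train(self, trace):
        for segment in partition(trace):
            for key, holds, value in candidate_pairs(segment):
                self.pair_seen[key] += 1
                if holds:
                    self.holds[key] += 1
                    self.values[key].add(value)

    def confidence(self, key):
        """support * (1 - escape); 0 for relations never observed to hold."""
        n, h = self.pair_seen[key], self.holds[key]
        if h == 0:
            return 0.0
        support = h / n
        u = len(self.values[key])
        escape = u / (h + u)                # Witten-Bell estimate of seeing a novel value
        return support * (1.0 - escape)

    def score(self, trace, min_conf=0.5):
        """Degree of abnormality: summed confidence of trusted relations the trace breaks."""
        total, violations = 0.0, []
        for segment in partition(trace):
            for key, holds, _ in candidate_pairs(segment):
                conf = self.confidence(key)
                if conf >= min_conf and not holds:
                    total += conf
                    violations.append((key, round(conf, 3)))
        return round(total, 3), violations


# Constructed sample traces (not real audit data): fd 3 is opened, used, closed.
def read_segment(path, nread):
    return [("open", {"path": path, "flags": 0, "ret": 3}),
            ("read", {"fd": 3, "count": 4096, "ret": nread}),
            ("close", {"fd": 3, "ret": 0})]


def write_segment(path, nwrite):
    return [("open", {"path": path, "flags": 1, "ret": 3}),
            ("write", {"fd": 3, "count": nwrite, "ret": nwrite}),
            ("close", {"fd": 3, "ret": 0})]


def sample_training_trace():
    return (read_segment("/etc/hosts", 120) + read_segment("/etc/passwd", 2048)
            + read_segment("/etc/hosts", 120) + write_segment("/tmp/app.log", 64)
            + write_segment("/tmp/app.log", 80))


def sample_attack_trace():
    """Same call sequence as a normal read, but the read uses an fd the segment never opened."""
    return [("open", {"path": "/etc/hosts", "flags": 0, "ret": 3}),
            ("read", {"fd": 4, "count": 4096, "ret": 120}),
            ("close", {"fd": 3, "ret": 0})]


if __name__ == "__main__":
    model = RelationModel()
    model.train(sample_training_trace())
    print("normal:", model.score(read_segment("/etc/hosts", 120)))
    print("attack:", model.score(sample_attack_trace()))
```

The point a pure sequence model misses is visible in the two sample traces: the attack has exactly the same `open, read, close` sequence as normal behavior and only differs in the fd handed from `open` to `read`, so a control-flow model accepts it, while the data-flow relations `open.ret == read.fd` and `read.fd == close.fd`, each learned with confidence 0.75 from the training trace, are both broken and the trace scores 1.5 instead of 0. Spurious coincidences such as `open.flags == close.ret` (both 0 on read-only opens) get a support of only 0.6 across the mixed read/write training data and fall below the confidence threshold, which is the role the support factor plays.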
References
[1] Hofmeyr S A, Forrest S, Somayaji A. Intrusion detection using sequences of system calls[J]. Journal of Computer Security, 1998, 6(3):151-180.
[2] Wespi A, Dacier M, Debar H. Intrusion detection using variable-length audit trail patterns[C]. In: Proc. of the 3rd International Workshop on Recent Advances in Intrusion Detection, London, UK: Springer-Verlag, 2000:110-129.
[3] Sekar R, Bendre M, Dhurjati D, et al. A fast automaton-based method for detecting anomalous program behaviors[C]. In: Proc. of IEEE Symposium on Security and Privacy, 2001:144-155.
[4] Wagner D, Dean D. Intrusion detection via static analysis[C]. In: Proc. of IEEE Symposium on Security and Privacy, 2001:156-168.
[5] Feng H H, Kolesnikov O M, Fogla P, et al. Anomaly detection using call stack information[C]. In: Proc. of the 2003 IEEE Symposium on Security and Privacy, Oakland: IEEE Press, 2003:62-75.
[6] Giffin J T, Dagon D, Jha S, et al. Environment-sensitive intrusion detection[C]. In: Proc. of the 8th International Conference on Recent Advances in Intrusion Detection, 2005:185-206.
[7] Li Wen, Dai Ying-xia, Lian Yi-feng, et al. Context-sensitive host-based IDS using hybrid automaton[J]. Journal of Software, 2009, 20(1):138-151. (In Chinese; original: 李闻, 戴英侠, 连一峰, 等. 基于混杂模型的上下文相关主机入侵检测系统[J]. 软件学报, 2009, 20(1):138-151.)
[8] Kruegel C, Mutz D, Valeur F, et al. On the detection of anomalous system call arguments[C]. In: Proc. of European Symposium on Research in Computer Security (ESORICS), 2003:326-343.
[9] Maggi F, Matteucci M, Zanero S. Detecting intrusions through system call sequence and argument analysis[J]. IEEE Transactions on Dependable and Secure Computing, 2010, 7(4):381-395.
[10] Bhatkar S, Chaturvedi A, Sekar R. Dataflow anomaly detection[C]. In: Proc. of IEEE Symposium on Security and Privacy, 2006:15-62.
[11] Li Peng, Park Hyundo, Gao Debin, et al. Bridging the gap between data-flow and control-flow analysis for anomaly detection[C]. In: Proc. of Annual Computer Security Applications Conference (ACSAC), 2008:392-401.
[12] Rigoutsos I, Floratos A. Combinatorial pattern discovery in biological sequences[J]. Bioinformatics, 1998, 14(1):55-67.
[13] Witten I H, Bell T C. The zero-frequency problem: estimating the probabilities of novel events in adaptive text compression[J]. IEEE Transactions on Information Theory, 1991, 37(4):1085-1094.
[14] Agrawal R, Srikant R. Fast algorithms for mining association rules[C]. In: Proc. of the 20th International Conference on Very Large Data Bases (VLDB), 1994:487-499.
[15] Tandon G, Chan P K. Weighting versus pruning in rule validation for detecting network and host anomalies[C]. In: Proc. of the 13th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, 2007:697-706.
[16] DARPA 1999 Data Set. MIT Lincoln Laboratory[EB/OL]. http://www.ll.mit.edu/mission/communications/cyber/CSTcor CSTc/ideval/data, 2013.
