
Computer Engineering (计算机工程), 2006, Vol. 32, Issue 20: 143-146. doi: 10.3969/j.issn.1000-3428.2006.20.052

• Security Technology •

Intrusion Detection Using Variable-length System Call Patterns

WANG Fuhong, PENG Qinke, LI Naijie

  1. (School of Electronic and Information Engineering, Xi'an Jiaotong University, Xi'an 710049)
  • Online: 2006-10-20  Published: 2006-10-20

Abstract (from the Chinese): This paper proposes an algorithm for discovering variable-length sequence patterns, whose goal is to extract from the training sequences a set of basic, relatively independent variable-length sequence patterns. While the pattern set is being updated, the ordering (predecessor/successor) relations between patterns are defined automatically, and from these a DFA describing the execution patterns of a process is constructed. Existing pattern-matching algorithms based on variable-length sequence patterns have to look ahead at several system-call numbers; to remove that drawback, the paper designs an improved matching algorithm. Experimental results show that the algorithm is stable during pattern discovery and, while keeping a very small pattern set, achieves very low false-positive and false-negative rates.


Abstract: A simple, novel technique for building a table of variable-length patterns from training system-call sequences is presented, aiming to find a set of basic and relatively independent variable-length patterns. The method also finds all possible ordering relationships between the variable-length patterns and thereby generates an exact DFA representation of the program. Using the data sets from the University of New Mexico, the scheme is evaluated on several criteria: the size of the variable-length pattern set, false positives and false negatives. The experimental results indicate that the algorithms generate a relatively small set of patterns and achieve very low false-positive and false-negative rates.
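The abstract describes three pieces: mining a table of variable-length patterns from training system-call traces, recording the ordering relations between patterns to obtain a DFA of the program, and matching a new trace against that automaton without looking ahead at later calls. The following is an added illustration of that pipeline and is not the paper's algorithm or code: it assumes a simple mining rule (n-grams up to max_len seen at least min_support times are candidates; each training trace is segmented greedily into the longest candidate at each position; the patterns the segmentation uses form the table and consecutive patterns define the ordering relation), and it performs look-ahead-free matching by tracking the full set of live (pattern, offset) states, which is the subset construction of the pattern DFA evaluated on the fly. The training and test traces are constructed, with call names standing in for the call numbers of the UNM data.

```python
from collections import Counter, defaultdict

# Constructed training traces (system-call names stand in for the call numbers
# used in the UNM data); these are not the paper's data.
TRAIN = [
    ["open", "read", "write", "close", "open", "read", "write", "close"],
    ["open", "read", "read", "write", "close", "exit"],
    ["mmap", "munmap", "open", "read", "write", "close", "exit"],
    ["open", "read", "read", "write", "close", "mmap", "munmap"],
]

END = (-1, -1)  # pseudo-state reached after a pattern that ended a training trace


def mine_patterns(traces, max_len=3, min_support=2):
    """Build a variable-length pattern table plus the ordering relations between
    patterns. Assumed mining rule (not the paper's algorithm): n-grams up to
    max_len seen at least min_support times are candidates, every training trace
    is segmented greedily into the longest candidate at each position, and the
    patterns used by that segmentation form the table; consecutive patterns in a
    segmentation define the successor relation."""
    counts = Counter()
    for t in traces:
        for n in range(1, max_len + 1):
            for i in range(len(t) - n + 1):
                counts[tuple(t[i:i + n])] += 1
    candidates = {g for g, c in counts.items() if c >= min_support or len(g) == 1}

    patterns, ids, succ, starts = [], {}, defaultdict(set), set()
    for t in traces:
        i, prev = 0, None
        while i < len(t):
            for n in range(min(max_len, len(t) - i), 0, -1):  # longest match first
                g = tuple(t[i:i + n])
                if g in candidates:
                    break
            if g not in ids:
                ids[g] = len(patterns)
                patterns.append(g)
            cur = ids[g]
            if prev is None:
                starts.add(cur)           # patterns that may begin an execution
            else:
                succ[prev].add(cur)       # ordering relation: prev is followed by cur
            prev, i = cur, i + n
    return {"patterns": patterns, "succ": succ, "starts": starts}


def _step(pats, succ, states, call):
    """Advance every live (pattern, offset) state on one system call. Keeping the
    whole set of live states is the subset construction of the pattern DFA done
    on the fly, so choosing a pattern never needs look-ahead at later calls."""
    nxt = set()
    for p, i in states:
        if p < 0 or pats[p][i] != call:
            continue
        if i + 1 < len(pats[p]):
            nxt.add((p, i + 1))                  # still inside pattern p
        elif succ[p]:
            nxt.update((q, 0) for q in succ[p])  # p complete: any successor may start
        else:
            nxt.add(END)                         # p ended a training trace
    return nxt


def score(model, trace):
    """Return the number of calls in trace that no pattern or ordering relation
    explains (the raw count behind a false-positive / false-negative rate)."""
    pats, succ = model["patterns"], model["succ"]
    everywhere = {(p, 0) for p in range(len(pats))}
    states = {(p, 0) for p in model["starts"]}
    mismatches = 0
    for call in trace:
        nxt = _step(pats, succ, states, call)
        if not nxt:
            mismatches += 1
            # resynchronise: let any pattern start at the offending call
            nxt = _step(pats, succ, everywhere, call) or everywhere
        states = nxt
    return mismatches


def is_anomalous(model, trace, threshold=0.05):
    """Flag a trace when the fraction of unexplained calls exceeds threshold."""
    return score(model, trace) / len(trace) > threshold


if __name__ == "__main__":
    model = mine_patterns(TRAIN)
    normal = ["open", "read", "write", "close", "open", "read", "write", "close", "exit"]
    unseen_call = ["open", "read", "write", "close", "open", "read", "execve", "write", "close"]
    reordered = ["mmap", "munmap", "mmap", "munmap", "open", "read", "write", "close"]
    print(len(model["patterns"]), "patterns:", model["patterns"])
    for name, t in [("normal", normal), ("unseen_call", unseen_call), ("reordered", reordered)]:
        print(name, score(model, t), is_anomalous(model, t))
```

On the constructed traces the miner keeps seven patterns, the normal trace produces no mismatch, and both the trace with an unseen `execve` and the trace whose calls are all known but whose `mmap; munmap; mmap` ordering never occurred in training produce exactly one mismatch each, which is what a practitioner would want: the ordering relation, not just the pattern table, is what catches the second case. The threshold and the resynchronisation rule are assumptions of this example, not values from the paper.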

Keywords: Intrusion detection, System calls, Pattern matching, Variable-length patterns, False positives