
Computer Engineering (计算机工程) ›› 2007, Vol. 33 ›› Issue (07): 139-142. doi: 10.3969/j.issn.1000-3428.2007.07.050

• Security Technology •

An Intrusion Detection Method Based on System Call and Process Call Stack Information

ZHANG Cheng, PENG Qinke

  1. (School of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an 710049)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2007-04-05 Published: 2007-04-05

Intrusion Detection Based on System Calls and Call Stack Log

ZHANG Cheng, PENG Qinke   

  1. (School of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an 710049)
  • Received:1900-01-01 Revised:1900-01-01 Online:2007-04-05 Published:2007-04-05

Abstract: A method is proposed that dynamically extracts information from the process call stack in order to find variable-length patterns. The method takes the chain of function return addresses present when the process issues a system call as the basis for extracting variable-length patterns, and reduces the pattern set according to the structural relationships among the functions, yielding a set of variable-length patterns. On this basis, a Markov chain model that uses variable-length patterns as its basic unit is built to detect anomalous behavior. Experimental results show that the detection performance of this method is better than that of the traditional variable-length pattern method and the first-order Markov chain model method, achieving a higher detection rate and a lower false-alarm rate.

Keywords: intrusion detection, system call, call stack, function return address, variable-length sequence pattern, Markov chain

Abstract: A novel method is proposed to construct variable-length patterns by dynamically extracting information from the call stack of the process. The method uses the chains of function return addresses recorded at each system call to derive a table of variable-length patterns, and reduces the pattern set based on the structure of the functions of the process. A Markov chain model is then constructed over these variable-length patterns to detect abnormal behavior. The experimental results indicate that, compared with the traditional variable-length pattern method and the first-order Markov chain model method, the proposed method achieves higher hit rates and lower false alarm rates.

Key words: Intrusion detection, System call, Call stack, Function return addresses, Variable-length patterns, Markov chain
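The following is an added illustration of the idea in the abstract, not code from the paper or its authors. It assumes a simplified version of the approach: each traced system call is paired with its return-address chain; consecutive system calls issued from the same innermost caller (the last return address) are merged into one variable-length pattern, which drops the outer caller addresses and plays the role of the "reduction by function structure" described above; a first-order Markov chain over those patterns is trained on a normal trace, and a test trace is scored by the fraction of pattern transitions whose trained probability falls below a threshold. The traces and addresses are constructed sample data, and `extract_patterns`, `PatternMarkovChain` and the threshold `eps` are names chosen here.

```python
from collections import Counter, defaultdict

# Constructed sample trace: (syscall, return-address chain, outermost -> innermost).
# The addresses are made-up values for illustration only.
TRAIN_TRACE = [
    ("open",  (0x401000, 0x401200)),   # file-handling function at 0x401200
    ("read",  (0x401000, 0x401200)),
    ("close", (0x401000, 0x401200)),
    ("write", (0x401000, 0x401300)),   # logging function at 0x401300
    ("write", (0x401000, 0x401300)),
    ("open",  (0x401000, 0x401200)),
    ("read",  (0x401000, 0x401200)),
    ("close", (0x401000, 0x401200)),
    ("write", (0x401000, 0x401300)),
    ("exit",  (0x401000,)),
]

# Constructed anomalous trace: the file-handling function issues an unexpected
# execve instead of close, and the logging function is skipped afterwards.
ANOMALOUS_TRACE = [
    ("open",   (0x401000, 0x401200)),
    ("read",   (0x401000, 0x401200)),
    ("execve", (0x401000, 0x401200)),
    ("write",  (0x401000, 0x401300)),
    ("write",  (0x401000, 0x401300)),
    ("exit",   (0x401000,)),
]

START = "<start>"


def extract_patterns(trace):
    """Segment a trace into variable-length patterns.

    Consecutive system calls whose innermost return address is the same are
    treated as one pattern (one function invocation), and only the syscall
    names are kept, so the same function called from different callers
    collapses to a single pattern. This is a simplifying assumption.
    """
    patterns, current, current_key = [], [], None
    for syscall, chain in trace:
        key = chain[-1]
        if current and key != current_key:
            patterns.append(tuple(current))
            current = []
        current_key = key
        current.append(syscall)
    if current:
        patterns.append(tuple(current))
    return patterns


class PatternMarkovChain:
    """First-order Markov chain whose states are variable-length patterns."""

    def __init__(self):
        self.transitions = defaultdict(Counter)

    def train(self, trace):
        seq = [START] + extract_patterns(trace)
        for prev, nxt in zip(seq, seq[1:]):
            self.transitions[prev][nxt] += 1

    def prob(self, prev, nxt):
        total = sum(self.transitions[prev].values())
        return self.transitions[prev][nxt] / total if total else 0.0

    def score(self, trace, eps=0.05):
        """Fraction of transitions with trained probability below eps.

        Patterns never seen in training have no outgoing counts, so both the
        transition into them and the one out of them count as low-probability.
        """
        seq = [START] + extract_patterns(trace)
        pairs = list(zip(seq, seq[1:]))
        low = sum(1 for prev, nxt in pairs if self.prob(prev, nxt) < eps)
        return low / len(pairs) if pairs else 0.0


def detect(model, trace, threshold=0.5):
    """Return (score, is_anomalous) for a test trace."""
    s = model.score(trace)
    return s, s > threshold


if __name__ == "__main__":
    model = PatternMarkovChain()
    model.train(TRAIN_TRACE)
    print("patterns:", extract_patterns(TRAIN_TRACE))
    print("normal   :", detect(model, TRAIN_TRACE))
    print("anomalous:", detect(model, ANOMALOUS_TRACE))
```

The normal trace re-scores at 0.0 because every pattern transition was observed during training, while the anomalous trace scores 1.0: the pattern `("open", "read", "execve")` was never seen, and the direct jump from the logging pattern to `("exit",)` has no support either. In practice the training set would be many traces of the monitored program, and the threshold would be tuned against held-out normal runs to control the false-alarm rate.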
