
Computer Engineering ›› 2008, Vol. 34 ›› Issue (2): 1-3. doi: 10.3969/j.issn.1000-3428.2008.02.001

• Doctoral Dissertation •

Anomaly Detection of Program Behaviors Based on System Calls and Data Mining

TIAN Xin-guang1,2, QIU Zhi-ming1, LI Wen-fa2,3, SUN Chun-lai2, DUAN Mi-yi2,3

  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2008-01-20 Published: 2008-01-20

Abstract: Anomaly detection is one of the main directions of current intrusion detection research. This paper presents a new method for anomaly detection of program behaviors, intended for intrusion detection systems on Linux or Unix platforms that use system calls as audit data. The method uses sequence patterns from data mining to model the normal behavior of a privileged program, extracting normal system call sequence patterns from the training data according to their support and confidence. At the detection stage, the system call sequences of the monitored program are matched against these patterns to measure how far its current behavior departs from its historical behavior, and two alternative decision schemes can be used to distinguish normal from anomalous behavior. The experimental results show that the method achieves high detection performance.

Key words: intrusion detection, anomaly detection, system call, data mining
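As an added illustration (not code from the paper), the following Python sketch mines length-k system call sequence patterns from constructed normal traces using support and confidence thresholds, scores a monitored trace by the fraction of its windows that match no pattern, and applies two decision schemes. The pattern length, the thresholds and both decision rules are assumptions, since this page does not give the paper's exact parameters or decision schemes.

```python
from collections import Counter

# Constructed sample traces (system call names) of one privileged program; not data from the paper.
NORMAL_TRACES = [
    "open read read write close".split(),
    "open read write close".split(),
    "open read read read write close".split(),
    "stat open read write close".split(),
]

def mine_patterns(traces, k=3, min_support=0.5, min_confidence=0.5):
    """Extract normal length-k system call sequence patterns from training traces.
    support    = fraction of traces in which the k-gram occurs at least once
    confidence = occurrences of the k-gram / occurrences of its (k-1)-call prefix
    k and both thresholds are assumed values, not the paper's."""
    gram_counts, prefix_counts, gram_traces = Counter(), Counter(), {}
    for idx, trace in enumerate(traces):
        for i in range(len(trace) - k + 1):
            gram = tuple(trace[i:i + k])
            gram_counts[gram] += 1
            prefix_counts[gram[:-1]] += 1
            gram_traces.setdefault(gram, set()).add(idx)
    patterns = set()
    for gram, count in gram_counts.items():
        support = len(gram_traces[gram]) / len(traces)
        confidence = count / prefix_counts[gram[:-1]]
        if support >= min_support and confidence >= min_confidence:
            patterns.add(gram)
    return patterns

def anomaly_degree(trace, patterns, k=3):
    """Fraction of length-k windows of the monitored trace that match no normal pattern."""
    windows = [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]
    if not windows:
        return 0.0
    return sum(1 for w in windows if w not in patterns) / len(windows)

def decide_by_ratio(trace, patterns, k=3, threshold=0.3):
    """Decision scheme A (assumed): flag when the overall anomaly degree exceeds a threshold."""
    return anomaly_degree(trace, patterns, k) > threshold

def decide_by_burst(trace, patterns, k=3, burst=2):
    """Decision scheme B (assumed): flag when `burst` consecutive windows all mismatch."""
    run = 0
    for i in range(len(trace) - k + 1):
        run = run + 1 if tuple(trace[i:i + k]) not in patterns else 0
        if run >= burst:
            return True
    return False
```

The two schemes disagree on a trace with a single isolated mismatch, which is the kind of difference that makes a second decision rule worth having.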

CLC number: