摘要： 为提高检测精度，同时保持算法复杂度在可接受范围内，提出基于特征模式的马尔可夫链异常检测模型。提取所有支持度大于阈值的系统调用短序列为特征模式，在此基础上建立改进的马尔可夫模型CPMC。在检测时，用程序轨迹匹配特征模式，计算其在CPMC模型下的概率，概率小则代表异常。实验表明，该方法的检测精度高于目前常见的几种单一方法，与DBCPIDS方法的精度近似相等，但其计算复杂度更低。

关键词: 特征模式, 系统调用, 马尔可夫模型

Abstract: In order to improve the accuracy and maintain an acceptable algorithm complexity, this paper proposes a new method for anomaly detection based on characteristic patterns and Markov chain model. It extracts the short sequence of system calls as a characteristic pattern if this sequence satisfies the certain support degree, and proposes an improved Markov model CPMC on this basis. When detecting intrusions, it uses the program trace to match characteristic patterns, and calculates the trace’s probability under CPMC model. Small probability means anomaly. Experimental results show that higher detection accuracy can be got than that with other current single methods. Compared with DBCPIDS, the method has the approximate accuracy but lower computational complexity.

Key words: characteristic patterns, system call, Markov model

中图分类号: 

• TP309