
Computer Engineering, 2006, Vol. 32, Issue 6: 170-172, 211.

• Security Technology •

Structure Extraction and Anomaly Detection for Linux Process Behavior

JI Zhigang, CAI Lidong

  1. Department of Computer Science, Jinan University, Guangzhou 510632
  • Online: 2006-03-20  Published: 2006-03-20

Abstract: This paper studies the structure of Linux process behavior and its anomaly detection. The relation between program structure and process traces is discussed first: a normally running process always shows a degree of regularity in its overall structure, which leads to the concept of a "structure anomaly" of process behavior. On that basis, a Markov chain prediction model is used and a new strategy of detecting process sequences segment by segment is proposed, combining structural anomaly detection with statistical anomaly detection into one method. Preliminary experimental results show the method to be feasible and effective. Finally, the merits and limitations of the approach are briefly presented.

Key words: Process behavior; Intrusion detection; Structure anomaly
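The detection strategy the abstract describes (a Markov chain prediction model applied to a process trace segment by segment, with a structural check combined with a statistical one) can be illustrated with the following added example. It is not the authors' code, and the paper's actual model, segmentation rule and thresholds are not given on this page. The example assumes a first-order Markov chain over system-call names, fixed-length non-overlapping segments, additive smoothing, a threshold calibrated as the worst segment score seen on normal traces, and it treats a transition never observed in training as the structural anomaly while the per-segment average negative log-probability is the statistical one. The traces are constructed sample data, not the paper's experiments.

```python
"""First-order Markov chain over system-call traces, scored segment by segment.

Added example; the model, the segmentation and the traces are assumptions,
not the paper's own implementation or data.
"""
import math
from collections import defaultdict

# Constructed sample traces (not from the paper): syscall-name sequences that
# stand in for what strace or the audit subsystem would record for a benign run.
NORMAL_TRACES = [
    ["execve", "brk", "mmap", "open", "read", "close", "write", "exit_group"],
    ["execve", "brk", "mmap", "open", "read", "read", "close", "write", "exit_group"],
    ["execve", "brk", "mmap", "open", "read", "close", "open", "read", "close",
     "write", "exit_group"],
]

# Constructed anomalous trace: same program, but the middle segment turns into
# a descriptor-redirect-and-spawn pattern that never appears in training.
ANOMALOUS_TRACE = ["execve", "brk", "mmap", "open", "read", "dup2", "dup2",
                   "fork", "execve", "close", "write", "exit_group"]

WINDOW = 4  # transitions per segment (assumed segment length)


class MarkovTraceModel:
    def __init__(self, alpha=0.01):
        self.alpha = alpha                       # additive smoothing
        self.counts = defaultdict(lambda: defaultdict(int))
        self.calls = set()

    def fit(self, traces):
        for t in traces:
            self.calls.update(t)
            for a, b in zip(t, t[1:]):
                self.counts[a][b] += 1
        return self

    def transition_prob(self, a, b):
        """Smoothed P(b | a); one extra slot keeps mass for never-seen calls."""
        row = self.counts.get(a, {})
        total = sum(row.values())
        k = len(self.calls) + 1
        return (row.get(b, 0) + self.alpha) / (total + self.alpha * k)

    def segment_scores(self, trace, window=WINDOW):
        """(start index, mean -log P) for each non-overlapping segment."""
        scores = []
        for start in range(0, len(trace) - 1, window):
            seg = trace[start:start + window + 1]
            if len(seg) < 2:
                break
            nll = sum(-math.log(self.transition_prob(a, b))
                      for a, b in zip(seg, seg[1:]))
            scores.append((start, nll / (len(seg) - 1)))
        return scores

    def calibrate(self, traces, window=WINDOW):
        """Statistical threshold: worst segment score over the given traces."""
        return max(s for t in traces for _, s in self.segment_scores(t, window))

    def flag_segments(self, trace, window, threshold):
        """Statistical anomaly: segment starts whose score exceeds the threshold."""
        return [s for s, score in self.segment_scores(trace, window)
                if score > threshold]

    def unseen_transitions(self, trace):
        """Structural anomaly: transitions absent from the learned trace graph."""
        return [(a, b) for a, b in zip(trace, trace[1:])
                if self.counts.get(a, {}).get(b, 0) == 0]


MODEL = MarkovTraceModel().fit(NORMAL_TRACES)
THRESHOLD = MODEL.calibrate(NORMAL_TRACES)


def analyse(trace):
    """Combined verdict: structural and statistical findings for one trace."""
    return {
        "unseen": MODEL.unseen_transitions(trace),
        "flagged_segments": MODEL.flag_segments(trace, WINDOW, THRESHOLD),
    }


if __name__ == "__main__":
    print("threshold:", round(THRESHOLD, 3))
    print("normal:", [analyse(t) for t in NORMAL_TRACES])
    print("anomalous:", analyse(ANOMALOUS_TRACE))
```

Calibrating the threshold on the training traces, as done here, only guarantees zero false positives on those traces; in practice a held-out set of normal runs should be used, and the segment length trades alarm precision (short windows localise the anomaly) against sensitivity to noise (long windows average a few bad transitions away).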