Computer Science (计算机科学), 2022, Vol. 49, Issue 6: 350-355. doi: 10.11896/jsjkx.210500031
魏辉, 陈泽茂, 张立强
WEI Hui, CHEN Ze-mao, ZHANG Li-qiang
Abstract: Existing system-call-based anomaly intrusion detection methods rely on a single trace pattern and therefore cannot accurately reflect process behaviour. To address this, process behaviour is modelled using both the sequence pattern and the frequency pattern of system-call traces, and a data-driven anomaly detection framework is designed. The framework detects sequence anomalies and quantitative anomalies in system-call traces at the same time. With the help of a combined-window mechanism, it satisfies the different requirements that offline training and online detection place on trace information extraction, so that fine-grained offline learning and real-time online anomaly detection can both be achieved. Comparative experiments on the detection of unknown anomalies were carried out on the ADFA-LD intrusion detection benchmark dataset. The results show that, compared with 4 traditional machine learning methods and 4 deep learning methods, the overall detection performance of the framework improves by about 10%.
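As an added illustration (not the paper's code) of modelling a system-call trace by both its order pattern and its frequency pattern, the Python sketch below learns bigrams and per-window call counts from constructed normal traces, then reports order anomalies (unseen bigrams) and quantitative anomalies (a call count exceeding anything seen in training) separately. The bigram order, the window size and the sample traces are assumptions made for the illustration.

```python
# Added example, not the paper's implementation: a minimal detector that
# combines a sequence (order) model and a frequency (quantity) model over
# system-call traces. All traces below are constructed sample data.
from collections import Counter

# Constructed "normal" traces of a hypothetical file-handling process.
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "read", "close"],
    ["open", "write", "close", "open", "read", "close"],
]

def ngrams(trace, n):
    """Set of contiguous n-grams: the order pattern of a trace."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}

def windows(trace, size, step=1):
    """Sliding windows of `size` calls; a short trace is one window."""
    if len(trace) <= size:
        return [trace]
    return [trace[i:i + size] for i in range(0, len(trace) - size + 1, step)]

class SeqFreqDetector:
    def __init__(self, n=2, window=4):
        self.n, self.window = n, window
        self.known_ngrams = set()   # order model: n-grams seen in training
        self.max_count = Counter()  # quantity model: max per-window count per call

    def fit(self, traces):
        """Offline learning: collect n-grams and per-window count limits."""
        for t in traces:
            self.known_ngrams |= ngrams(t, self.n)
            for w in windows(t, self.window):
                for call, k in Counter(w).items():
                    self.max_count[call] = max(self.max_count[call], k)

    def detect(self, trace):
        """Return (order anomalies, quantity anomalies) for one trace.
        Order anomalies are unseen n-grams; quantity anomalies are
        (window index, call, count) triples whose count exceeds the
        training limit (an unseen call has limit 0, so it is flagged)."""
        order = sorted(ngrams(trace, self.n) - self.known_ngrams)
        quantity = []
        for i, w in enumerate(windows(trace, self.window)):
            for call, k in Counter(w).items():
                if k > self.max_count[call]:
                    quantity.append((i, call, k))
        return order, quantity
```

A trace with a valid order but an excessive number of `read` calls in one window is caught only by the frequency model, while a trace with normal counts but an unseen call ordering is caught only by the sequence model.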