[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

计算机科学 ›› 2022, Vol. 49 ›› Issue (6): 350-355.doi: 10.11896/jsjkx.210500031

• 信息安全 • 上一篇    下一篇

一种基于顺序和频率模式的系统调用轨迹异常检测框架

魏辉, 陈泽茂, 张立强   

  1. 空天信息安全与可信计算教育部重点实验室(武汉大学国家网络安全学院) 武汉 430072
  • 收稿日期:2021-05-07 修回日期:2021-07-30 出版日期:2022-06-15 发布日期:2022-06-08
  • 通讯作者: 陈泽茂(chenzemao@whu.edu.cn)
  • 作者简介:(weihui@whu.edu.cn)
  • 基金资助:
    湖北省重点研发项目(2020BAA001)

Anomaly Detection Framework of System Call Trace Based on Sequence and Frequency Patterns

WEI Hui, CHEN Ze-mao, ZHANG Li-qiang   

  1. Key Laboratory of Aerospace Information Security and Trusted Computing,Ministry of Education,School of Cyber Science and Engineering,Wuhan University,Wuhan 430072,China
  • Received:2021-05-07 Revised:2021-07-30 Online:2022-06-15 Published:2022-06-08
  • About author:WEI Hui,born in 1998,postgraduate.His main research interests include network security and deep learning.
    CHEN Ze-mao,born in 1975,Ph.D,professor.His main research interests include information system security,trusted computing and equipment information security.
  • Supported by:
    Key R & D Projects of Hubei Province(2020BAA001).

摘要: 针对现有的基于系统调用的异常入侵检测方法使用单一轨迹模式无法准确反映进程行为的问题,基于系统调用轨迹的顺序和频率模式对进程行为进行建模,设计了一个数据驱动的异常检测框架。该框架可以同时检测系统调用轨迹的顺序异常和定量异常,借助组合窗口机制,通过满足离线训练和线上检测对提取轨迹信息的不同需求,可以实现离线细粒度学习和线上异常实时检测。在ADFA-LD入侵检测标准数据集上进行了针对未知异常检测性能的对比实验,结果表明,相比4类传统机器学习方法和4类深度学习方法,该框架的综合检测性能提高了10%左右。

关键词: 长短期记忆神经网络, 基于主机型入侵检测系统, 深层神经网络, 系统调用

Abstract: The existing system call-based anomaly intrusion detection methods can’t accurately describe the behavior of the process by a single trace pattern.In this paper,the process behavior is modeled based on the sequence and frequency patterns of system call trace,and a data-driven anomaly detection framework is designed.The framework could detect both sequential and quantitative anomalies of the system call trace simultaneously.With the help of combinational window mechanism,the framework could realize offline fine-grained learning and online anomaly real-time detection by meeting different requirements of offline trai-ning and online detection for extracting trace information.Performance comparison experiments of unknown anomalies detection are conducted on the ADFA-LD intrusion detection standard dataset.The results show that,compared with the four traditional machine learning methods and four deep learning methods,the comprehensive detection performance of the framework improves by about 10%.

Key words: Deep neural network, Host-based intrusion detection systems, Long and short-term memory neural network, System calls

中图分类号: 

  • TP393
[1] MORA-GIMENOF J,MORA-MORA H.Intrusion DetectionSystem Based on Integrated System Calls Graph and Neural Networks[J].IEEE Access,2021(9):9822-9833.
[2] LIU M,XUE Z,XU X,et al.Host-Based Intrusion DetectionSystem with System Calls:Review and Future Trends[J].ACM Computing Surveys,2018,51(5):98-136.
[3] CHEN X S,CHEN J X,JIN X,et al.Process Abnormal Detection Based on System Call Vector Space in Cloud Computing Environments[J].Journal of Computer Research and Development,2019,56(12):2684-2693.
[4] CHEN X S,JIN Y L,WANG Y L,et al.Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network[J].Acta Electronica Sinica,2021,49(1):149-156.
[5] SUN P,LIU P,LI Q,et al.DL-IDS:Extracting Features Using CNN-LSTM Hybrid Network for Intrusion Detection System[J].Security and Communication Networks,2020,5(55):639-652.
[6] CHAWL A,LEE B,FALLON S,et al.Host Based Intrusion Detection System with Combined CNN/RNN Model[C]//ECML PKDD 2018 Workshops.Lecture Notes in Computer Science.Cham:Springer,2019:149-158.
[7] FORREST S,HOFMEVRS A,SOMAYAJI A,et al.A sense of self for Unix processes[C]//Proceedings of IEEE Symposium on Security and Privacy.Oakland:IEEE press,1996:120-128.
[8] DING Y X,YUAN X B,ZHOU D,et al.Feature representation and selection in malicious code detection methods based on static system calls[J].Computers & Security,2011,30(6):514-524.
[9] JOHNSON R,TONG Z.Learning Nonlinear Functions Using Regularized Greedy Forest[J].IEEE Transactions Pattern Analysis and Machine Intelligence,2014,36(5):942-954.
[10] WEAL K,SYED S M,ABEDL H L,et al.Combining heterogeneous anomaly detectors for improved software security[J].Journal of Systems and Software,2017,137(MAR.):415-429.
[11] DARREN M,FREDRIK V,GIOVANNI K,et al.Anomaloussystem call detection[C]//ACM Transactions on Information and System Security.2006:61-93.
[12] CREECH G,HU J.A Semantic Approach to Host-Based Intrusion Detection Systems Using Contiguous and Discontinuous System Call Patterns[J].IEEE Transactions on Computers,2014,63(4):807-819.
[13] XIE M,HU J,YU X,et al.Evaluating Host-Based Anomaly Detection Systems:Application of the Frequency-Based Algorithms to ADFA-LD[C]//Network and System Security.Cham:Springer,2015:542-549.
[14] SANJEEV D,YANG L,WEI Z,et al.Semantics-based onlinemalware detection:Towards efficient real-time protection against malware[J].IEEE Transaction on Information Forensics and Security,2016,11(2):289-302.
[15] LV S H,JIAN W,YANG Y Q,et al.Intrusion prediction with system-call sequence-to-sequence model[J].IEEE Access,2018(6):71413-71421.
[16] KOLOSNJAII B,ZARRAS A,WEBSTER G,et al.Deep Lear-ning for Classification of Malware System Call Sequences[C]//Advances in Artificial Intelligence.Cham:Springer,2016:137-149.
[17] ZHAN J,TONG Y,XU M D,et al.A Method for Data Collection and Real-Time Anomaly Detection of Lightweight Hosts[J].Journal of Xi’an Jiaotong University,2017,51(4):97-102.
[18] XU L F,ZHANG D P,ALVAREZ M A,et al.Dynamic android malware classification using graph-based re-presentations[C]//IEEE International Conference on Cyber Security and Cloud Computing.IEEE.2016:220-331.
[19] WUNDERLICH S,RING M,LANDES D,et al.Comparison of System Call Representations for Intrusion Detection[C]//Computational Intelligence in Security for Information Systems and International Conference on European Transnational Education.Cham:Springer,2019:14-24.
[20] HOCHREITER S,SCHMIDHUBER J.Long Short-Term Me-mory[J].Neural Computation,1997,9(8):1735-1780.
[21] CREECH G,HU J.Generation of a new IDS test dataset:Time to retire the KDD collection[C]//IEEE Wireless Communications and Networking Conference (WCNC).2013:4487-4492.
[1] 刘梦炀, 武利娟, 梁慧, 段旭磊, 刘尚卿, 高一波.
一种高精度LSTM-FC大气污染物浓度预测模型
A Kind of High-precision LSTM-FC Atmospheric Contaminant Concentrations Forecasting Model
计算机科学, 2021, 48(6A): 184-189. https://doi.org/10.11896/jsjkx.200600090
[2] 包振山, 郭俊南, 谢源, 张文博.
基于LSTM-GA的股票价格涨跌预测模型
Model for Stock Price Trend Prediction Based on LSTM and GA
计算机科学, 2020, 47(6A): 467-473. https://doi.org/10.11896/JsJkx.190900128
[3] 刁莉, 王宁.
基于X12-LSTM模型的保费收入预测研究
Research on Premium Income Forecast Based on X12-LSTM Model
计算机科学, 2020, 47(6A): 512-516. https://doi.org/10.11896/JsJkx.191100077
[4] 余珊珊, 苏锦钿, 李鹏飞.
一种基于自注意力的句子情感分类方法
Sentiment Classification Method for Sentences via Self-attention
计算机科学, 2020, 47(4): 204-210. https://doi.org/10.11896/jsjkx.190100097
[5] 杨佳宁, 黄向生, 李宗翰, 荣灿, 刘道伟.
基于双层栈式长短期记忆的电网时空轨迹预测
Spatio-temporal Trajectory Prediction of Power Grid Based on Double Layers Stacked Long Short-term Memory
计算机科学, 2019, 46(11A): 23-27.
[6] 孙志远,鲁成祥,史忠植,马刚.
深度学习研究与进展
Research and Advances on Deep Learning
计算机科学, 2016, 43(2): 1-8. https://doi.org/10.11896/j.issn.1002-137X.2016.02.001
[7] 黄聪会,陈靖,龚水清,陈明华.
64位Windows ABI虚拟化方法研究
Research of Method for Virtualizing 64-bit Windows Application Binary Interface
计算机科学, 2014, 41(1): 39-42.
[8] 张莉萍,雷大江,曾宪华.
基于频率特征向量的系统调用入侵检测方法
System Calls Based Intrusion Detection Method with Frequency Feature Vector
计算机科学, 2013, 40(Z6): 330-333.
[9] 黄金钟,朱淼良.
基于程序的异常检测研究综述
Overview of Anomaly Detection Based on Program
计算机科学, 2011, 38(6): 7-13.
[10] 吴瀛,江建慧,张蕊.
基于系统调用的入侵检测研究进展
System Calls Based Intrusion Detection:A Survey
计算机科学, 2011, 38(1): 20-25.
[11] 陶芬,尹芷仪,傅建明.
基于系统调用的软件行为模型
Software Behavior Model Based on System Calls
计算机科学, 2010, 37(4): 151-.
[12] 袁源 戴冠中.
LKM后门综述

计算机科学, 2008, 35(7): 5-8.
[13] .
基于粗糙集约简的进程系统调用序列异常检测方法研究

计算机科学, 2006, 33(8): 281-284.
[14] 芮建武 谢谦 吴健 孙玉芳.
Linux内核多语言文件子系统的设计与实现

计算机科学, 2005, 32(7): 234-236.
[15] 高微 卿斯汉 崔永祯.
系统调用层的操作系统安全增强

计算机科学, 2004, 31(8): 176-178.
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
No Suggested Reading articles found!