Research and Implementation of Anomaly Detection Techniques Based on Program Behavior
Abstract

With the rapid development of Internet technology, network intrusion has become an increasingly serious problem, and intrusion detection has become an important component of the network security defense system. An intrusion detection system collects information from several key points in a computer network or computer system and analyzes it to discover whether there is behavior that violates the security policy or signs that the network or system is under attack.

Anomaly detection, as an important branch of intrusion detection, is receiving more and more attention. Since a Linux process can be characterized by its sequence of system calls, analyzing that sequence reveals the behavior pattern of the process. On this basis, this thesis investigates two methods for extracting patterns from, and detecting anomalies in, the system call sequences of Linux processes:

1. An anomaly detection method based on a hybrid HMM/MLP model. In this method, a multilayer perceptron (MLP) is used as the probability estimator of the HMM to overcome the shortcomings of the HMM approach. A hybrid HMM/MLP anomaly detection model based on system calls is built to model normal behavior and thereby detect anomalies, and the training and detection algorithms of the model are given. Experimental results show that both the false negative rate and the false positive rate of the hybrid system are lower than those of the HMM method.

2. An anomaly detection method based on RBF neural networks. An RBF neural network is proposed for constructing the profile of normal behavior used in anomaly detection. Compared with anomaly detection implemented with BP networks and with the HMM method, the RBF method achieves a higher detection rate, a lower false positive rate and a shorter training time.

Both methods are evaluated and compared in simulation experiments on the synthetic data set provided by the University of New Mexico, which shows that both methods improve the performance of the intrusion detection system.

Finally, the thesis discusses future work and looks ahead to the further development and application of intrusion detection.
With the rapid development of the Internet, network intrusion is becoming a serious problem, and intrusion detection has become a critical component of network security administration. An intrusion detection system is a combination of hardware and software that monitors and collects system and network information and analyzes it to determine whether an attack or an intrusion has occurred.

As an important branch of intrusion detection, anomaly detection attracts more and more attention. Since a sequence of system calls gives a stable signature for a Linux process, the behavior of the process can be explored by analyzing its system call sequences. In this thesis, therefore, two methods are investigated for detecting abnormal process behavior under Linux using system call sequences:

One is to learn behavior patterns and detect anomalous behavior using a hybrid HMM/MLP model. In this method, a multilayer perceptron (MLP) is used as the probability estimator in the HMM framework to alleviate the limitations of the HMM-based system. A hybrid HMM/MLP anomaly detection model based on system calls is proposed, and its training and detection algorithms are presented. The practical implementation of this hybrid system is also illustrated. Experimental results show that the false negative rate and the false positive rate of the hybrid system are both lower than those of the HMM-based system.

The other is to use RBF neural networks to model normal behavior based on system calls. Compared with BP neural networks and the HMM-based method, the RBF-based method has a higher detection rate, a lower false positive rate and a shorter training time.

Both methods are tested on the data provided by the University of New Mexico. The results of our preliminary experiments show that both methods improve the performance of the intrusion detection system.

Finally, some problems for further study are discussed, along with the future development of intrusion detection.
