Research on an Anomaly Detection Model Based on Program Behavior
Abstract
Intrusion detection is a high-level safeguard for network security. This thesis studies anomaly detection based on program behavior, aiming to combine the adaptability of anomaly detection (its ability to detect novel attacks) with the relative stability of program behavior as an observable, in order to improve detector performance. A program-behavior anomaly detection model is built under Unix, and the design and implementation of its three modules are described in detail: pattern extraction, detection, and detection-parameter adjustment. A variable-length pattern extraction method based on the Teiresias algorithm is used to build the library of normal behavior patterns for a program, and a two-step matching algorithm performs the variable-length pattern matching. A threshold-based intrusion decision rule is introduced; building on it, the choice of detection parameters is studied and a new matching algorithm is proposed for determining the range of values the threshold may take. Experiments on the system-call trace data sets provided by the University of New Mexico show that, for a fixed threshold, suitably adjusting the matching factor D of the two-step matching algorithm effectively lowers the false-positive rate of anomaly detection.
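As an added illustration (my own code, not the thesis's implementation and not the Teiresias algorithm itself), the Python below sketches the pipeline the abstract describes: variable-length normal-behavior patterns are mined from system-call traces of one program, a test trace is covered by a two-step match (exact, then approximate with a match factor D), and the longest run of calls no pattern explains is compared against a threshold. The traces are constructed, not the UNM data; the brute-force pattern miner, the meaning given to D (the minimum fraction of a pattern's calls that must agree in the second step) and the longest-uncovered-run score are all assumptions made here for the sake of the example.

```python
"""Added example, not code from the thesis: variable-length-pattern anomaly
detection over system-call traces with a threshold decision and a match
factor D in the second matching step.  All traces are constructed."""
import math
from collections import Counter


def contains(longer, shorter):
    """True if `shorter` occurs contiguously inside `longer`."""
    n = len(shorter)
    return any(longer[i:i + n] == shorter for i in range(len(longer) - n + 1))


def extract_patterns(traces, min_len=2, max_len=4, min_support=2):
    """Brute-force stand-in for Teiresias (assumption: real Teiresias finds
    maximal patterns far more efficiently; this version only enumerates
    contiguous subsequences).  Keeps every subsequence of length
    min_len..max_len seen at least min_support times, then drops any pattern
    subsumed by a longer pattern with the same support (maximality)."""
    counts = Counter()
    for trace in traces:
        for length in range(min_len, max_len + 1):
            for i in range(len(trace) - length + 1):
                counts[tuple(trace[i:i + length])] += 1
    frequent = {p: c for p, c in counts.items() if c >= min_support}
    return {p for p, c in frequent.items()
            if not any(len(q) > len(p) and cq == c and contains(q, p)
                       for q, cq in frequent.items())}


def cover_trace(trace, patterns, D=1.0):
    """Two-step matching as modelled here (an assumption, not a transcription
    of the thesis's algorithm).  Step 1: greedy longest exact, non-overlapping
    matches.  Step 2 (only when D < 1): at each still-uncovered position accept
    a pattern of length L when at least ceil(D * L) of its calls agree with the
    trace.  Returns a per-position coverage mask."""
    n = len(trace)
    covered = [False] * n
    by_len = sorted(patterns, key=lambda p: (-len(p), p))  # longest first, deterministic

    def mark(start, length):
        for k in range(start, start + length):
            covered[k] = True

    i = 0
    while i < n:  # step 1: exact matching
        hit = next((p for p in by_len if tuple(trace[i:i + len(p)]) == p), None)
        if hit:
            mark(i, len(hit))
            i += len(hit)
        else:
            i += 1
    if D < 1.0:
        i = 0
        while i < n:  # step 2: approximate matching at uncovered positions only
            if covered[i]:
                i += 1
                continue
            hit = None
            for p in by_len:
                L = len(p)
                if i + L <= n and sum(a == b for a, b in zip(trace[i:i + L], p)) >= math.ceil(D * L):
                    hit = p
                    break
            if hit:
                mark(i, len(hit))
                i += len(hit)
            else:
                i += 1
    return covered


def anomaly_score(trace, patterns, D=1.0):
    """Length of the longest run of calls that no pattern explains."""
    best = cur = 0
    for c in cover_trace(trace, patterns, D):
        cur = 0 if c else cur + 1
        best = max(best, cur)
    return best


def is_anomalous(trace, patterns, threshold, D=1.0):
    """Threshold-based intrusion decision: alarm when the score exceeds the threshold."""
    return anomaly_score(trace, patterns, D) > threshold


# Constructed "normal" runs of one program (not UNM data).
NORMAL_TRACES = [
    ["open", "read", "mmap", "close", "write", "close"],
    ["open", "read", "mmap", "close", "write", "write", "close"],
    ["open", "read", "mmap", "mmap", "close", "write", "close"],
]
PATTERNS = extract_patterns(NORMAL_TRACES)
# A benign variant never seen in training (a false-positive candidate) and a
# constructed attack-like trace with a foreign socket/exec segment.
BENIGN_UNSEEN = ["open", "read", "mmap", "close", "write", "write", "write", "close"]
ATTACK = ["open", "read", "mmap", "close", "socket", "connect",
          "dup2", "dup2", "execve", "write", "close"]

if __name__ == "__main__":
    print("patterns:", sorted(PATTERNS, key=lambda p: (-len(p), p)))
    for D in (1.0, 0.5):
        print(f"D={D}: benign flagged={is_anomalous(BENIGN_UNSEEN, PATTERNS, 1, D)}"
              f" (score {anomaly_score(BENIGN_UNSEEN, PATTERNS, D)}),"
              f" attack flagged={is_anomalous(ATTACK, PATTERNS, 1, D)}"
              f" (score {anomaly_score(ATTACK, PATTERNS, D)})")
```

With the threshold fixed at 1, the run shows the effect the abstract reports: at D = 1.0 the unseen-but-benign trace is flagged alongside the attack, while at D = 0.5 the benign trace is fully covered and the attack still leaves an unexplained run of three calls. Lowering D further would start covering the attack segment as well, so D trades false positives against misses and has to be tuned under the fixed threshold rather than simply minimised.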

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号
