Abstract
By thoroughly studying the shortcomings of anomaly detection methods based on system calls, and addressing the problem that process behaviour cannot be fully represented by system call sequences or system call frequencies alone, we propose a novel method that takes the order of system calls and the stability between system calls as the key features, extracts a system call feature vector, and uses a machine learning classification algorithm to perform anomaly detection. The proposed method has the advantages of a small model size, explicit features, and a high alert accuracy rate. Test results on static data show that it is feasible to describe process behaviour with system call timing features; experimental results in a live environment show that the system consumes few resources and does not affect the running efficiency of the monitored program or the network itself; and the results of a user keystroke feature recognition experiment demonstrate the effectiveness of timing features for behaviour detection.
Source
Computer Applications and Software (计算机应用与软件)
CSCD
2015, No. 4, pp. 309-313 (5 pages)
Computer Applications and Software
Funding
National Key Technology R&D Program of the 12th Five-Year Plan (2012BAH08B02)
Keywords
Abnormal behaviour
Real-time detection
Time sequence features
Machine learning