System Call Anomaly Detection Method Based on HMM

YAN Qiao; XIE Wei-xin; SONG Ge; YU Jian-Ping

您当前的位置：

首页 >

文章列表页 >

System Call Anomaly Detection Method Based on HMM

更新时间：2025-07-16

- System Call Anomaly Detection Method Based on HMM
- Acta Electronica Sinica Vol. 31, Issue 10, Pages: 1486-1490(2003)
- 作者机构：
  
  1. 深圳大学信息工程学院,广东,深圳,518060
  2. 西安电子科技大学电子工程学院,陕西,西安,710071
  3. 深圳大学信息工程学院广东深圳,518060
  4. 西安电子科技大学电子工程学院陕西西安,710071
- 作者简介：
- 基金信息：
- DOI：
  CLC： TP393
- Published Online：25 October 2003，
  
  Published：2003
- 稿件说明：
移动端阅览
YAN Qiao, XIE Wei-xin, SONG Ge, et al. System Call Anomaly Detection Method Based on HMM[J]. Acta Electronica Sinica, 2003, 31(10): 1486-1490.
DOI：

YAN Qiao, XIE Wei-xin, SONG Ge, et al. System Call Anomaly Detection Method Based on HMM[J]. Acta Electronica Sinica, 2003, 31(10): 1486-1490. DOI：

摘要

我们利用隐马尔可夫模型来描述特权进程正常运行时局部系统调用之间存在的规律性.具体方法是将UNIX特权程序的系统调用轨迹通过隐马尔可夫模型处理得到系统状态转移序列

再经滑窗后得到系统状态转移短序列.初步的实验证明这样得到的系统状态转移短序列比TIDE方法提出的系统调用短序列能更加简洁和稳定地表示系统的正常状态

采用这种状态短序列建立的正常轮廓库比较小

而且对训练数据的不完整性不太敏感.在同等的训练数据下

检测时本方法比TIDE方法的检测速度快

虚警率低.

Abstract

An anomaly intrusion detection method based on a HMM is given.We pass the system call trace of unix privileged process into a HMM to get state transition sequences.Preliminary experiments prove the state transition sequences can express the different mode between normal action and intrusion behavior more stably and more simply than the short sequence in TIDE can do.Although building a HMM is computationally expensive

we can get three advantages

that is

smaller profile database

needing smaller training data

and greater difference between normal data and abnormal data.So we can detect more quickly and with lower false positive rate.

关键词

Keywords

references

Views

2147

下载量

CSCD

Alert me when the article has been cited

提交

Tools

Publicity Resources

Intrusion Detection Based on Sub-Set of System Calls

Masquerade Detection Based on Shell Commands and High-Order Markov Chain Models

An Anomaly Intrusion Detection Model Based on Nonhierarchical Clustering

Profile Creation Technique Research for Intrsuion Detection Based CCA

Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network

Related Author

ZHANG Xiang-feng

SUN Yu-fang

ZHAO Qing-song

XIAO Xi

ZHAI Qi-bin

TIAN Xin-guang

CHEN Xiao-juan

YE Run-guo

Related Institution

Institute of Software,Chinese Academy of Sciences

State Key Laboratory of Information Security,Graduate University of Chinese Academy of Sciences

Key Laboratory of Network Science and Technology,Institute of Computing Technology,Chinese Academy of Sciences

College of Computer and Information Engineering,Beijing Technology and Business University

Beijing Venustech Company Ltd

⁰