期刊文献+

基于自适应滑窗的桌面异常行为阻断模型

Blocking model of anomaly behavior based on adaptive sliding window
原文传递
导出
摘要 针对传统杀毒软件采用的基于特征的检测与单点片断式阻断方式的不足,提出了一种基于自适应滑动窗口的桌面异常行为阻断模型.以多阶一致指数迭代检测算法为基础,对Windows内核系统调用序列进行分析和检测,设计了带滑动窗口的自适应式阻断机制,提出了正常密集度和异常密集度两项衡量进程安全状态的指标,并以此确定滑动窗口步长修正的时机.利用网络熵理论确定滑动窗口步长修正的幅度.实验表明:不同于杀毒软件的行为阻断方式,该模型可更早发现并追踪入侵行为,且较之固定窗口阻断模型,平均阻断时间缩减近半. Considering the shortcomings of traditional anti-virus software characteristics based detection and single point block mode,this paper proposes a novel desktop secure blocking model based on an adaptive sliding window to trace and block the whole process of a certain malware. On the basis of multi-step consistency exponential iteration detection algorithm, it develops an adaptive blocking mechanism using sliding window by analyzing Windows native API (application programming interface) sequences in kernel space. The two indices, normal-density and abnormal-density, are also proposed to measure the security status of an observed process and calculates the time when to change the sliding window step. The length of sliding window step is determined by network entropy theory. Experimental results show that the model can detect intrusion behavior earlier than anti-virus software and track them with well performance and the average blocking period time of this model is nearly half of traditional ones using fixed windows.
出处 《华中科技大学学报(自然科学版)》 EI CAS CSCD 北大核心 2010年第11期44-47,共4页 Journal of Huazhong University of Science and Technology(Natural Science Edition)
基金 国家高技术研究发展计划资助项目(2007AA01Z464) 国防'十一五'预研计划资助项目 船舶工业国防科技预研项目
关键词 桌面安全 行为阻断 自适应滑窗 系统调用 密集度指标 desktop security behavior blocking adaptive sliding window native API (application programming interface) density index
  • 相关文献

参考文献9

  • 1Forrest S, Hofmeyr S A, Somayaji A, et al. A sense of self for UNIX proeesses[C]// IEEE Symposium on Security and Privacy. Washington: IEEE Computer Society Press, 1996: 120-128.
  • 2Warrender C, Forrest S, Pearlmutter B. Detecting intrusions using system calls: alternative data models [C]//Proceedings of the IEEE Symposium on Security and Privacy. Los Alamitos: IEEE Computer Society Press, 1999: 133-145.
  • 3Yu Zhenwei, Tsai J J P, Weigert T. An automatically tuning intrusion detection system[J]. IEEE Trans actions on Systems, Man, and Cybernetics--Part B Cybernetics, 2007, 37(2): 373-384.
  • 4Han S J, Cho S B. Evolutionary neural networks for anomaly detection based on the behavior of a program [J]. IEEE Transactions on Systems, Man, and Cybernetics-Part B: Cybernetics, 2006, 36(3):559- 570.
  • 5Cho S B, Park H J. Efficient anomaly detection by modeling privilege flows using hidden Maekov model [J]. Computer & Science, 2003, 22(1): 45-55.
  • 6Michael C, Ghosh A. Simple, state-based approaches to program-based anomaly detection [J]. ACM Transactions on Information and System Security, 2002, 5(3): 203-237.
  • 7Wu Naiqi, Qian Yanming, Chen Guiqing. A novel approach to trojan horse detection by process tracing [C] //Proceedings of the 2006 IEEE International Conference on Networking, Sensing and Control. Fort Lauderdale.. IEEE, 2006: 721-726.
  • 8肖海军,王小非,洪帆,崔国华.基于特征选择和支持向量机的异常检测[J].华中科技大学学报(自然科学版),2008,36(3):99-102. 被引量:11
  • 9张义荣,鲜明,王国玉.一种基于网络熵的计算机网络攻击效果定量评估方法[J].通信学报,2004,25(11):158-165. 被引量:55

二级参考文献22

  • 1包潘晴,杨明福.基于KPCA和SVM的网络入侵检测[J].计算机应用与软件,2006,23(2):125-127. 被引量:19
  • 2The International Organization for Standardization. Common Criteria for Information Technology Security Evaluation-Part 1:Introduction and General Model, ISO/IEC 15408-1:1999(E)[S]. 1999.
  • 3The International Organization for Standardization. Common Criteria for Information Technology Security Evaluation-Part 2:Security Function Requirements, ISO/IEC 15408-2:1999(E)[S]. 1999.
  • 4The International Organization for Standardization, Common Criteria for Information Technology Security Evaluation-Part 3:Security Assurance Requirements, ISO/IEC 15408-3: 1999(E)[S]. 1999.
  • 5BRESLAU L, ESTRIN D, FALL K. Advances in network simulation[J]. IEEE Computer, 2000, 35(5): 59-67.
  • 6候定丕,王战军.非线性评估的理论探索与应用[M]合肥:中国科学技术大学出版社,2001.
  • 7Canada. Communications Security Establishment, Canadian Trusted Computer Product Evaluation Criteria (V3.0e) [S]. 1993.
  • 8System security engineering capability maturity model (SSE-CMM) [EB/OL]. http://www.se-cat.com/download/download.shtml.
  • 9Trusted Computer System Evaluation Criteria[S]. US National Computer Security Center, NCSC 5200.28-STD, 1985.
  • 10Information Technology Security Evaluation Criteria[S]. Provisional Harmonized Criteria of France, Germany, Netherlands, and United Kingdom, Commission of the European Communities, 1991.

共引文献64

相关作者

内容加载中请稍等...

相关机构

内容加载中请稍等...

相关主题

内容加载中请稍等...

浏览历史

内容加载中请稍等...
;
使用帮助 返回顶部