Abstract
To address the shortcomings of the signature-based detection and single-point, fragmentary blocking used by traditional anti-virus software, this paper proposes a desktop anomalous-behavior blocking model based on an adaptive sliding window. Taking a multi-order consistency exponential iterative detection algorithm as its basis, the model analyzes and detects Windows kernel system-call sequences and implements an adaptive blocking mechanism with a sliding window. Two indices for measuring the security state of a process, normal density and abnormal density, are proposed and used to decide when the sliding-window step should be adjusted; the magnitude of the step adjustment is determined using network entropy theory. Experiments show that, unlike the behavior blocking of anti-virus software, the model discovers and tracks intrusion behavior earlier, and that compared with a fixed-window blocking model the average blocking time is reduced by nearly half.
Considering the shortcomings of traditional anti-virus software's signature-based detection and single-point blocking mode, this paper proposes a novel desktop secure blocking model based on an adaptive sliding window to trace and block the whole process of a given malware. On the basis of a multi-step consistency exponential iteration detection algorithm, it develops an adaptive blocking mechanism using a sliding window by analyzing Windows native API (application programming interface) sequences in kernel space. Two indices, normal density and abnormal density, are also proposed to measure the security status of an observed process and to determine when to change the sliding-window step. The length of the sliding-window step is determined by network entropy theory. Experimental results show that the model can detect intrusion behavior earlier than anti-virus software and track it with good performance, and that the average blocking period of this model is nearly half that of traditional models using fixed windows.
Source
《华中科技大学学报(自然科学版)》
EI
CAS
CSCD
Peking University Core Journal
2010, No. 11, pp. 44-47 (4 pages)
Journal of Huazhong University of Science and Technology(Natural Science Edition)
Funding
National High Technology Research and Development Program of China (2007AA01Z464)
National Defense "Eleventh Five-Year" Pre-research Program
Shipbuilding Industry National Defense Science and Technology Pre-research Project
Keywords
desktop security
behavior blocking
adaptive sliding window
system call
density index
desktop security
behavior blocking
adaptive sliding window
native API (application programming interface)
density index