基于隐马尔可夫模型的程序行为异常检测

针对入侵检测中普遍存在误报与漏报过高的问题，提出了一种基于隐马尔可夫模型的程序行为异常检测新方法．该方法以程序正常执行过程中产生的系统调用序列为研究对象，建立计算机的正常程序行为模型．在入侵检测时，先对测试的系统调用数据用滑动窗口划分得到短序列，再根据正常程序行为的隐马尔可夫模型求得每个测试短序列的输出概率，如果系统调用短序列的输出概率低于给定阈值，则将该短序列标定为“不匹配”，如果测试数据中不匹配的短序列数占总短序列数的百分比超过另一给定阈值，该模型就认为此程序行为异常．实验结果表明，与Forrest和Lee的方法相比，所提方法的检测率的最大提高率可达590％．

Detection of Anomalous Program Behaviors Based on Hidden Markov Models

To improve detection accuracy,a new intrusion detection method with high efficiency was presented.The method is based on hidden Markov model(HMM) to profile normal program behaviors using traces of system calls generated during the normal execution of processes.At the stage of anomaly detection,a testing trace of system calls is divided into short system call sequences by moving along the trace with a sliding window.The output probability of a short system call sequence embedded in the testing trace is calculated based on the normal model.If the output probability of a short system call sequence exceeds a preset threshold,the short system call sequence is identified as a "mismatch".If the ratio of the number of mismatch system call sequences to the number of all sequences embedded in the trace exceeds another preset threshold,the trace is then considered as an intrusion.Experimental results show that the proposed method improves the detection accuracy by at most 590% compared to both Forrest's and Lee's methods.