多维进程行为评估模型建立及最优化方法

计算机应用 ›› 2013, Vol. 33 ›› Issue (08): 2244-2249.

多维进程行为评估模型建立及最优化方法

毛琨¹,²,杜学绘¹,²,孙奕¹,²

1. 数字工程与先进计算国家重点实验室，郑州 450004
2. 信息工程大学，郑州 450004;

收稿日期:2013-02-08 修回日期:2013-03-27 出版日期:2013-08-01 发布日期:2013-09-11
通讯作者: 毛琨
作者简介:毛琨(1986-)，男，辽宁大连人，硕士研究生，主要研究方向：信息安全、数据安全交换、进程安全;
杜学绘(1968-)，女，河南辉县人，教授，博士，主要研究方向：信息安全;
孙奕(1979-)，女，河南郑州人，讲师，博士研究生，主要研究方向：信息安全、数据安全交换。

Multiple-dimension process behavior evaluation model and its optimization

MAO Kun¹,²,DU Xuehui¹,²,SUN Yi¹,²

1. Information Engineering University, Zhengzhou Henan 450004, China
2. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou Henan 450004, China

Received:2013-02-08 Revised:2013-03-27 Online:2013-09-11 Published:2013-08-01
Contact: MAO Kun

摘要/Abstract

摘要： 针对目前进程行为评估模型所存在的模型优化问题和模型选取问题，定义进程行为，采用隐马尔可夫模型(HMM)来描述进程行为。讨论了准确率与误报率的关系，提出多维进程行为评估模型，以弥补单一进程行为评估模型的不足，基于布尔运算对多维进程行为评估模型进行融合，提高了评估性能。并基于代价决策树理论，给出了选取最优进程行为评估模型的目标函数，用于在融合后的多维进程行为评估模型上选择最优进程行为评估模型。最后，对所提出的多维进程行为评估模型的性能进行了测试，并与传统的STIDE和HMM方法进行了比较，结果证明了其有效性和优越性。

关键词: 进程行为, 异常检测, 多维进程行为评估模型, 布尔运算, 代价决策树, 最优进程行为评估模型

Abstract: To solve the existing problems of optimization and selection in process behavior evaluation model, the process behavior was defined, and the process behavior was described based on Hidden Markov Model (HMM). The relation between precision rate and false positives rate was discussed, and a multiple-dimension process behavior evaluation model based on Boolean function was proposed, which overcame the shortcomings of single process behavior evaluation model, and increased evaluation performance. On the basis of cost decision tree, the target function was given to select the optimal process behavior on the proposed evaluation model. Finally, the proposed evaluation model was tested and compared with the traditional Sequence TIme-Delay Embedding (STIDE) and HMM method. The test results verify the efficiency and superiority of the proposed model.

Key words: process behavior, anomaly detection, multiple-dimension process behavior evaluation model, Boolean function, cost decision tree, optimal process behavior evaluation model

中图分类号:

TP309

毛琨杜学绘孙奕. 多维进程行为评估模型建立及最优化方法[J]. 计算机应用, 2013, 33(08): 2244-2249.

MAO Kun DU Xuehui SUN Yi. Multiple-dimension process behavior evaluation model and its optimization[J]. Journal of Computer Applications, 2013, 33(08): 2244-2249.

参考文献

［1］FORREST S, HOFMEYR S A, SOMAYAJI A, et al. A sense of self for UNIX processes [C]// Proceedings of 1996 IEEE Symposium on Security and Privacy. Washington， DC: IEEE Computer Society, 1996: 120-128.

［2］HOFMEYR S A, FORREST S, SOMAYAJI A. Intrusion detection using sequence of system calls [J]. Journal of Computer Security, 1998, 6(3): 151-I80.

［3］WAGNER D, DEAN D. Intrusion detection via static analysis [C]// Proceedings of 2001 IEEE Symposium on Security and Privacy. Washington, DC: IEEE Computer Society, 2001: 156-168.

［4］DEBAR H, BECKER M, SIBONI D. A neural network component for an intrusion detection system [C]// Proceedings of 1992 IEEE Symposium on Security and Privacy. Washington, DC: IEEE Computer Society, 1992: 256-266.

［5］ESKIN E, LEE W, STOLFO S. Modeling system calls for intrusion detection with dynamic window sizes [C]// Proceedings of DARPA Information Survivability Conference and Exposition II. Washington, DC: IEEE Computer Society, 2001: 165-175.

［6］WESPI A, DACIER M, DEBAR H. Intrusion detection using variable-length audit trail pattern [C]// Proceedings of the 3rd International Workshop on the Recent Advances in Intrusion Detection. Berlin: Springer-Verlag, 2000: 110-129.

［7］WARRENDER C, FORREST S, PEARLMUTTER B. Detecting intrusions using system calls: Alternative data models [C]// Proceedings of the 1999 IEEE Computer Society Symposium on Research in Security and Privacy. Washington, DC: IEEE Computer Society, 1999: 133-145.

［8］LEE W, STOI FO S, MOK K.A data mining framework for building intrusion detection models [C]// Proceedings of 1999 IEEE Symposium on Security and Privacy. Washington, DC: IEEE Computer Society, 1999: 120-132.

［9］MARCEAU C. Characterizing the behavior of a program using multiple length grams [C]// NSPW00: Proceedings of the 2000 Workshop on New Security Paradigms.New York:ACM,2000:101-110.

［10］GENT C R, SHEPPARD C P. Predicting time series by a fully corrected neural network trained by back propagation [J]. Computing and Control Engineering Journal, 1992, 12(5): 123-127.

［11］GHOSH A K, SCHWARTZBARD A, SCHZTZ M. Learning program behavior profiles for intrusion detection [C]// Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring. Berkeley: USENIX Association, 1999: 9-12.

［12］屈延文. 软件行为学[M]. 北京：电子工业出版社, 2004.

［13］TULYAKOV S, JAEGER S, GOVINDARAJU V, et al. Review of classifier combination methods [M]// Studies in Computational Intelligence: Machine Learning in Document Analysis and Recognition. Berlin: Springer-Verlag, 2008: 361-386.

［14］LIPPMANN R, FRIED D, GRAF I, et al. Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation [C]// Proceedings of DISCEX 2000. Piscataway: IEEE, 1999: 12-26.

［15］DAUGMAN J. Biometric decision landscapes, UCAM-CL-TR-482 [R]. Cambridge：University of Cambridge, 2000.

［16］FAWCETT T. ROC graphs: Notes and practical considerations for researchers, HPL-2003-4 [R]. Palo Alto：HP Laboratories, 2004.

［17］PROVOST F, FAWCETT T. Robust classification for imprecise environments[J]. Machine Learning，2001， 42(3)：203-231.

［18］MAO K, DU X, SUN Y. A modified process anomaly detection using Boolean function [C] // ICCT2012： Proceedings of the 14th International Conference on Communication Technologies. Piscataway: IEEE, 2012: 927-931.

［19］GAFFNEY J E, Jr, ULVILA J W. Optimization of the operation of a detector: a decision theory approach, 00-1 [R]. Vienna: Decision Science Associates Inc, 2000.

[1]	胡天杰, 胡文军, 王士同. 分布熵惩罚的支持向量数据描述[J]. 计算机应用, 2021, 41(8): 2212-2218.
[2]	孟凡, 陈广, 王勇, 高阳, 高德群, 贾文龙. 基于多粒度时序结构表示的异常检测算法在储层含油性检测中应用[J]. 计算机应用, 2021, 41(8): 2453-2459.
[3]	李衍志, 范勇, 高琳. 基于形态流的石油钻井水流异常检测[J]. 计算机应用, 2021, 41(6): 1842-1848.
[4]	姚杰, 程春玲, 韩静, 刘峥. 云工作流中基于多任务时序卷积网络的异常检测方法[J]. 计算机应用, 2021, 41(6): 1701-1708.
[5]	谢雨, 蒋瑜, 龙超奇. 基于随机子空间的扩展隔离林算法[J]. 计算机应用, 2021, 41(6): 1679-1685.
[6]	张晨曦, 唐曙, 唐珂. 迁移学习下的火箭发动机参数异常检测策略[J]. 计算机应用, 2020, 40(9): 2774-2780.
[7]	王磊. 改进粗糙集属性约简结合K-means聚类的网络入侵检测方法[J]. 计算机应用, 2020, 40(7): 1996-2002.
[8]	胡珉, 白雪, 徐伟, 吴秉键. 多维时间序列异常检测算法综述[J]. 计算机应用, 2020, 40(6): 1553-1564.
[9]	霍纬纲, 王慧芳. 基于自编码器和隐马尔可夫模型的时间序列异常检测方法[J]. 计算机应用, 2020, 40(5): 1329-1334.
[10]	仇媛, 常相茂, 仇倩, 彭程, 苏善婷. 基于长短期记忆网络和滑动窗口的流数据异常检测方法[J]. 计算机应用, 2020, 40(5): 1335-1339.
[11]	夏彬, 白宇轩, 殷俊杰. 基于生成对抗网络的系统日志级异常检测算法[J]. 计算机应用, 2020, 40(10): 2960-2966.
[12]	王伟, 谢耀滨, 尹青. 针对不平衡数据的决策树改进方法[J]. 计算机应用, 2019, 39(3): 623-628.
[13]	陶涛, 周喜, 马博, 赵凡. 基于双向LSTM的Seq2Seq模型在加油站时序数据异常检测中的应用[J]. 计算机应用, 2019, 39(3): 924-929.
[14]	刘子豪, 李凌, 叶枫. 基于SparkR的水文传感器数据的异常检测方法[J]. 计算机应用, 2019, 39(2): 436-440.
[15]	丁景全, 马博, 李晓. 基于融合时空数据的车辆加油行为多视图深度异常检测框架[J]. 计算机应用, 2019, 39(11): 3370-3375.