【摘要】 我们利用隐马尔可夫模型来描述特权进程正常运行时局部系统调用之间存在的规律性 .具体方法是将UNIX特权程序的系统调用轨迹通过隐马尔可夫模型处理得到系统状态转移序列 ,再经滑窗后得到系统状态转移短序列 .初步的实验证明这样得到的系统状态转移短序列比TIDE方法提出的系统调用短序列能更加简洁和稳定地表示系统的正常状态 ,采用这种状态短序列建立的正常轮廓库比较小 ,而且对训练数据的不完整性不太敏感 .在同等的训练数据下 ,检测时本方法比TIDE方法的检测速度快 ,虚警率低 .更多还原

【Abstract】 An anomaly intrusion detection method based on a HMM is given.We pass the system call trace of unix privileged process into a HMM to get state transition sequences.Preliminary experiments prove the state transition sequences can express the different mode between normal action and intrusion behavior more stably and more simply than the short sequence in TIDE can do.Although building a HMM is computationally expensive,we can get three advantages,that is,smaller profile database,needing smaller training data,and greater difference between normal data and abnormal data.So we can detect more quickly and with lower false positive rate.更多还原