【摘要】 系统调用序列能够反映系统进程的行为特征。而系统调用序列中每个调用的出现都与它之前出现的若干个调用相关。因此可以利用概率后缀树(PST)对系统调用序列建模,反映系统调用基于上下文的概率特性。提出了系统调用序列异常度的定义。在进行序列的异常检测时,先利用正常系统调用序列训练PST模型,然后通过该模型,利用计算未知系统调用序列的异常度,根据给定的阈值判断该序列是否异常。实验表明这一度量对于正常进程与异常进程有着良好的区分效果。更多还原

【Abstract】 System call trace is one of the behavior characters of system process.Each system call of the trace depends on a few previous system calls.Thus,probabilistic suffix tree is used to model the system call trace,and capture the probabilistic characteristic of the system call.Two definitions of abnormal metric are given.When detecting the abnormal trace,train the PST with normal system call traces,and then calculate the abnormal metric of each trace,which is used to compare with a given limit.Experiment shows that this measurement can well distinct normal process from abnormal process.更多还原