Pattern Extraction and Anomaly Detection for Linux Process Behavior (title translated from the Chinese)
Pattern Clustering and Anomaly Detection for Linux Process Behavior
【Author】 Liu Hui;
【Supervisor】 Cai Lidong;
【Author information】 Jinan University, Computer Software and Theory, 2003, Master's thesis
【Abstract (translated from the Chinese)】 Intrusion detection is an important means of computer security defense, and many intrusion detection methods exist to date. Anomaly detection, as an important branch of intrusion detection, is receiving more and more attention. Since a Linux process can be characterized by its sequence of system calls, analyzing that sequence reveals the behavior pattern of the process. On this basis, this thesis investigates two methods for pattern extraction and anomaly detection on the system call sequences of Linux processes: a neural network method and a Markov chain method. The former uses the ART1 neural network model, the latter applies the principle of probability prediction, and the two methods are independent of each other. The feasibility of each method was then verified separately by computer simulation. Of the two, the Markov chain method performs better because it takes the ordering of the system call sequence into account.
【Abstract】 Intrusion detection is one of the most important techniques in protecting computer security, and so far many intrusion-detection models have been proposed. As an important branch of intrusion detection, anomaly detection attracts more and more attention. Since a sequence of system calls gives a stable signature for a Linux process, the behavior of processes can be explored by analyzing their system call sequences. So, in this thesis, two methods are investigated for detecting abnormal process behavior under Linux using system call sequences. One is to learn behavior patterns and to detect anomalous behavior using ART1, a neural network; the other is to use a Markov chain and probability prediction to do the same job. Preliminary experiments confirm that both methods are feasible, and the latter would be better because it takes account of the sequential relation of system calls in a process.
【Key words】 Intrusion detection; Anomaly detection; Linux process; System call sequence; Behavior pattern; ART1; Markov chain; Probability prediction;
- 【Online publication submitter】 Jinan University 【Online publication issue】 2003, No. 03
- 【CLC classification number】 TP393.08
- 【Times cited】 4
- 【Downloads】 289
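The Markov chain method the abstract describes, as an added illustration that is not the thesis's own code: a first-order transition model is learned from constructed normal system-call traces, and a new trace is scored by the mean improbability of its transitions under that profile. The trace contents, the smoothing constant and the threshold margin are all assumptions made for this example.

```python
"""Added example, not code from the thesis: a first-order Markov chain over
system-call sequences, scoring a trace by how improbable its transitions are
under a profile learned from normal runs. All traces are constructed toy data."""
import math
from collections import Counter, defaultdict
# Constructed normal traces of a hypothetical file-reading process.
NORMAL_TRACES = [
    ["open", "fstat", "mmap", "read", "read", "close", "exit_group"],
    ["open", "fstat", "mmap", "read", "close", "exit_group"],
    ["open", "fstat", "read", "read", "read", "close", "exit_group"],
]
ALPHA = 0.01  # additive smoothing: an unseen transition is improbable, not impossible

def train(traces):
    """Count transitions cur -> nxt over the normal traces; return the counts and
    the sorted vocabulary of system calls seen during training."""
    counts = defaultdict(Counter)
    for t in traces:
        for cur, nxt in zip(t, t[1:]):
            counts[cur][nxt] += 1
    states = sorted({s for t in traces for s in t})
    return counts, states

def score(trace, counts, states):
    """Mean surprise (-log P) per transition, plus the number of transitions the
    normal profile never produced. The +1 in the denominator reserves one
    smoothed slot for system calls that were never seen in training."""
    surprise, unseen = 0.0, 0
    for cur, nxt in zip(trace, trace[1:]):
        row = counts.get(cur, Counter())  # .get avoids inserting new keys
        if row[nxt] == 0:
            unseen += 1
        total = sum(row.values()) + ALPHA * (len(states) + 1)
        surprise -= math.log((row[nxt] + ALPHA) / total)
    return surprise / max(len(trace) - 1, 1), unseen

def calibrate(traces, counts, states, margin=1.5):
    """Threshold: the highest mean surprise any normal trace reaches, times a margin."""
    return margin * max(score(t, counts, states)[0] for t in traces)

def is_anomalous(trace, counts, states, threshold):
    return score(trace, counts, states)[0] > threshold

if __name__ == "__main__":
    counts, states = train(NORMAL_TRACES)
    thr = calibrate(NORMAL_TRACES, counts, states)
    # Constructed trace: the reader unexpectedly spawns a program and opens a socket.
    suspect = ["open", "fstat", "mmap", "execve", "socket", "connect", "write", "exit_group"]
    print(score(suspect, counts, states), is_anomalous(suspect, counts, states, thr))
```

The `unseen` count is reported separately because a single never-profiled transition can be enough to warrant a closer look even when the averaged score stays under the threshold.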