Program Behavior Monitoring Based on System Call Attributes (基于系统调用属性的程序行为监控), cited by 7
Abstract: Program behavior traces are commonly represented by a program behavior automaton built on system calls. An automaton of program behavior based on system call attributes is proposed to overcome several drawbacks of the traditional automaton: low accuracy of the program behavior trace modeled by the control flow and data flow of system calls, high time overhead of capturing the system call context, and inability to monitor the program behavior between adjacent system calls at runtime. First, several system call attributes are introduced, and the program behavior trace modeled by the system call sequence is monitored more accurately by considering the deviation degrees of these attributes comprehensively. Second, context-based system call argument policies are proposed to detect trace deviations aimed at the control flow or data flow of system calls. Third, a time-interval attribute of system calls is presented, so that the program behavior trace between adjacent system calls, which cannot be monitored by system calls and their argument policies alone, can be monitored to some extent. Experimental results show that the automaton based on system call attributes models program behavior traces more accurately and has stronger behavior-deviation detection ability than traditional program behavior models.
Source: Journal of Computer Research and Development (计算机研究与发展), indexed in EI and CSCD, Peking University core journal; 2012, No. 8, pp. 1676-1684 (9 pages).
Funding: National Natural Science Foundation of China (61170254); Hebei Provincial Fund for Distinguished Young Scholars (F2010000317); Hebei Provincial Natural Science Foundation (F2010000319, F2011201039).
Keywords: program behavior; anomaly detection; system call; automaton; time interval.