CN101252578A - Host intrusion detection method based on intrinsic subsequence pattern decomposition - Google Patents

Info

Publication number: CN101252578A
Authority: CN (China)
Prior art keywords: sequence, subsequence, intrinsic, pattern, edge
Legal status: Granted (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CNA2008100445160A
Other languages: Chinese (zh)
Other versions: CN101252578B
Inventors: 朱莺嘤, 叶茂, 赵欣, 李丽娟, 孟喜
Current assignee: Electronic Science And Technology Of Sichuan Foundation For Education Development, University of (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: University of Electronic Science and Technology of China
Events: application filed by University of Electronic Science and Technology of China; priority to CN2008100445160A; publication of CN101252578A; application granted; publication of CN101252578B; current legal status: Expired - Fee Related; anticipated expiration.

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a host intrusion detection method based on intrinsic subsequence pattern decomposition. The method comprises the following steps: first, defining rules; second, obtaining a Windows Native API data sequence, decomposing the process sequence into a set of intrinsic subsequence patterns and then layering those patterns according to their support; third, decomposing the suspect sequence into several layers, each containing intrinsic subsequence patterns of similar support; fourth, matching the normal process sequence against the suspect sequence layer by corresponding layer, computing an anomaly degree from the number of matches, and judging whether the suspect sequence is anomalous. The method overcomes the shortcomings of the prior art and can accurately and efficiently identify both existing attacks and the growing number of new attacks.

Description

Host intrusion detection method based on intrinsic subsequence pattern decomposition
Technical field
The present invention relates to the field of computer security technology, and specifically to a host intrusion detection method.
Background technology
The development of computer network technology has changed the single-machine computing model, but the risk and opportunity of network intrusion have also increased sharply. Designing security measures that guard against unauthorized access to system resources and data is an important and urgent problem in the field of network security. Intrusion detection is a network security technology that arose and developed against this background. Specifically, intrusion detection monitors the running state of a network system in order to detect and discover attack attempts, attack behaviour and attack results, so as to guarantee the confidentiality, integrity and availability of system resources. Intrusion detection techniques are mainly divided into two classes: misuse detection and anomaly detection. Misuse detection builds a feature database from known attack signatures and then matches features of the collected data against that database; a match indicates intrusion behaviour. Traditional signature-based detection is a kind of misuse detection, and it cannot effectively detect virus variants, encrypted viruses, new viruses and the like. Anomaly detection stores the normal behavioural features of a user in a feature database and compares the user's current behaviour against it; a deviation beyond a certain degree indicates that an anomaly has occurred. Each technique has advantages and disadvantages: misuse detection accurately detects known attack instances but is powerless against novel attacks, while anomaly detection can detect novel attacks but has a relatively high false-positive rate and cannot describe the category of the intrusion behaviour.
Chinese patent 200510056935.2 discloses a "program-level intrusion detection system and method based on sequential pattern mining", whose technical scheme is as follows:
A program-level intrusion detection system and method based on sequential pattern mining. The system consists of a control module, a data acquisition and preprocessing module, a training module, a storage module, a detection module and a detection result output module, and is deployed on the server that needs monitoring. The system adopts data-mining-based anomaly detection and detects attack activity in the network by monitoring the running state of privileged processes on the network server: the system calls produced when a privileged program runs are used as audit data; sequential patterns from data mining represent the normal behaviour of a privileged program; normal sequential patterns are mined from the training data according to sequence support or confidence, and a corresponding normal sequential pattern library is built. During detection, the current sequential patterns are compared and matched against the normal sequential patterns to identify attacks, so that the network security manager pays close attention and takes corresponding measures to guarantee security.
The main module functions of this system are as follows:
Control module: responsible for setting the working state and various parameters of the system, and for controlling the operation of the data acquisition and preprocessing module, the training module, the detection module and the whole system;
Data acquisition and preprocessing module: responsible for obtaining the original training data or audit data from the server, namely the system calls produced while a program runs, preprocessing this raw training or audit data, filtering out the system call parameters, and then sending it to the training module or the detection module respectively for training or detection;
Training module: responsible for training with the training data and building the normal sequential pattern library;
Storage module: used to store the normal sequential pattern library built by the training module and to retrieve it for comparison by the detection module during detection;
Detection result output module: responsible for displaying the decision value produced by the detection module and for raising an alarm for attacks according to the alarm information from the detection module.
The steps of the program-level intrusion detection method based on sequential pattern mining provided by that invention are summarized as follows:
(1) The system starts;
(2) While the system waits for job information and instructions, the control module sets the working state and running parameters of the system, so that once a start instruction is entered the control module automatically checks the system settings and enters one of two working states: if the system is set to the training state, the subsequent steps are carried out; if the system is set to the detection state, execution jumps to step (7);
(3) The data acquisition and preprocessing module imports the original training data from the predefined data interface, preprocesses it and outputs it to the training module;
(4) The training module reads the training scheme set by the control module in step (2): if the first training scheme is set, the subsequent steps are carried out; if the second training scheme is set, execution jumps to step (6);
(5) The training module trains on the training data according to the first training scheme, builds the normal sequential pattern library, stores it in the storage module, sends a training-complete message to the control module, finishes the training work and jumps to step (7);
(6) The training module trains on the training data according to the second training scheme, builds the normal sequential pattern library, stores it in the storage module, sends a training-complete message to the control module and finishes the training work;
(7) The control module automatically checks the detection scheme set in step (2): if the first detection scheme is set, the subsequent steps are carried out; if the second detection scheme is set, execution jumps to step (9);
(8) The system monitors according to the first detection scheme: the data acquisition and preprocessing module first obtains the original audit data from the server in real time and preprocesses it; the detection module then analyses the preprocessed audit data in real time according to the first detection scheme and generates a detection result containing at least a decision value or alarm information; the detection result output module displays the decision value in real time and raises an alarm for attacks according to the alarm information, and the detection operation ends;
(9) The system monitors according to the second detection scheme: the data acquisition and preprocessing module first obtains the original audit data from the server in real time and preprocesses it; the detection module then analyses the preprocessed audit data in real time according to the second detection scheme and generates a detection result containing at least a decision value or alarm information; the detection result output module displays the decision value in real time and raises an alarm for attacks according to the alarm information, and the detection operation ends.
The above scheme mainly focuses on mining frequent and high-confidence sequences from the normal sequences to form the normal sequence library used for anomaly detection. It does not consider the importance of non-frequent sequences, and it cannot detect anomalous sequences in which the same frequent or high-confidence sequences appear as in the normal sequences. At the same time, parameters such as the length of its frequent sequences have to be set manually, the parameter settings strongly influence the results, and its adaptability in complex real-time environments is weak.
Chinese patent 200710098609.7 discloses a host intrusion detection method and system. That invention relates to one of the staple products of network security, the host intrusion detection system (HIDS). The host intrusion detection method at its core comprises rule definition, deployment and a mode of operation. Rule definition associates intrusions with anomalous behaviour on the host and defines the manner of response. The deployment mode supports multi-level cascading and can adapt to complex network environments. The mode of operation defines how the administrator interacts with the intrusion detection system and the characteristics of the system's work. The features of this method are that, on the basis of intercepting host behaviour, it looks for correlations between host behaviour and intrusion behaviour and, according to the rule definitions, generates alarms and other specified actions.
This method comprises the following steps:
Step 1: define rules;
Step 2: apply the rules at the control centre; the rules are automatically distributed to, and applied on, all host engines;
Step 3: update the rule base according to the addition, change and actual effect of intrusion behaviour.
Its rule definition comprises the following steps:
Define event rules: rules can be defined for anomalous conditions of the registry, file system, log system, network drivers and critical applications of the host system;
Define event response rules: for the anomalies defined in the event rules, the handling offered is alarm only, log only, block, alarm + log, log + alarm, alarm + block, or alarm + log + block.
In this system a rule definition consists of two main parts, event variables and behaviour identifiers;
An event variable comprises five elements: event name, event ID, event category ID, support for description by logical operators, and event text description. A behaviour identifier is a meaningful behaviour of the event object and differs according to the category of the event variable. The system monitors for tampering with its own processes and with the detection results.
For anomalies detected by the system, a single source often produces repeated alarms; the system therefore defines the concepts of primary and secondary events to control this. When a rule is defined, the generating event and the repetition count can be given as a control condition. When the condition is triggered, a primary event can generate a secondary event, and in any case events with similarities can be merged so that a primary event is not repeated. The system uses kernel monitoring technology to guarantee the safety of its processes and detection results: when a process is found to have been stopped by a person, the restart is reported as harmful behaviour; when the detection results are found to have been tampered with illegally, the behaviour is blocked and reported as harmful behaviour.
The rule definition library of this system is updated according to the life cycle of intrusion behaviour. As a specific intrusion method goes from its first appearance and propagation to being analysed and patched, the understanding of its behavioural rules deepens continuously, until all systems that could be intruded have been fixed or removed and the events related to the method are removed from the event library.
The system comprises one or more Windows hosts deployed as control ends, one or more Windows hosts deployed as engines, network access equipment and so on, and is characterized in that the control ends form a hierarchical deployment with only one host deploying the master control end; all engines accept control from the control ends and feed alarm information back to them, and rule matching takes place on the engine end.
The objects of action monitored by this system include:
registry keys and values;
files and directories;
dangerous system management behaviour;
noteworthy SQL Server database operations;
noteworthy IIS behaviour;
irregular network access.
In this scheme, the process of obtaining system data, generating corresponding rules and detecting with those rules is very complicated. Its detection rule base is huge and its detection efficiency is not high. Because its study of system behaviour does not go down to the essence of the system, its description of system behaviour features is very complicated, and the redundancy and tedium of the generated rule base leads to low detection efficiency.
Chinese patent 2005100443053.2 discloses a host intrusion detection method under the Windows environment, whose technical scheme is as follows: the scheme discovers anomalous intrusions by analysing and building a multi-order Native API consistency model and a correlated Native API sequence produced by a specified process under the Windows environment. In the training phase, the Native API data of the specified process is collected and stored in a database. The analysis of the raw data comprises first-order and second-order analysis, which analyse and process the first-order and second-order models in the data set. In the test phase, an index iteration detection algorithm calculates the first-order and second-order normality index values corresponding to the Native APIs. In the real system, an alarm extraction method is designed so that, within the continuously varying fluctuation of the index iteration detection rate, the moment at which an anomaly appears is accurately found and extracted and a correct alarm is raised.
The host intrusion detection method under the Windows environment is characterized in that:
1) Acquisition of the system data (Native APIs)
Each time the specified process initiates a system service call request, a driver device is first loaded into the kernel of the Windows system through a DriverEntry routine. This driver uses the KeServiceDescriptorTable data structure to access and modify the system service dispatch table: it uses KeServiceDescriptorTable to determine the address of the system service dispatch table, first backs up the system's original SSDT, then configures a corresponding interception function for each Native API and writes the addresses of these functions into the original system service dispatch table, one to one, so that the function pointers point to the interception functions. By intercepting the system service table of the Windows host in this way, all relevant data of each Native API produced by the specified process in the operating system is obtained, including the name, ID and parameter length information of the Native API. After this information has been intercepted, the interception routine exits and returns to execute the system service that was called;
2) A normal behaviour model of the process in the Windows operating system is built from the acquired Native API data, and this model is used to detect anomalous conditions in the system.
The acquired Native API data is trained by the multi-order consistency modelling method: first-order and second-order consistency models are built in the database from the two-tuples {B_k, O_k}. The first-order consistency model is represented by the two-tuple {B_k, O_k}, where B_k is the frequency with which Native API k appears in the training set and O_k is the first-order correlation index, obtained by arranging all B_k in the set in ascending order of position and size; the two-tuples {B_k, O_k} establish a relation mapping table between each Native API datum in the training set and the observed process.
3) Index iteration detection method: by cyclically calculating the normality index corresponding to each Native API, the degree of correlation between it and the detected process is computed, so that anomalous intrusions are discovered through negative index variation.
4) The proposed alarm extraction algorithm allows the anomalous events appearing in the continuously varying oscillating index iteration detection rate to be accurately found and extracted, and correct alarms to be raised.
For a process whose index iteration detection value becomes small, the behaviour of the currently observed process or thread is prohibited: PostThreadMessage or PostMessage is used to send a message to the specified thread and forcibly terminate the malicious thread.
The computational load of this method is large; building the first-order and second-order models, calculating the parameters, training on normal data and the model-building process are very complicated and hard to apply in practice. Moreover, this method only considers the relation between two consecutive Native API steps of a process, whereas Native API call processes in practice are very complicated, and a relational model that only considers two consecutive steps is not sufficient to describe the complex Native API call process of a process in the real running environment. Therefore this method is only suitable for detecting some intrusions and cannot be applied generally to intrusion detection in real-time environments.
Summary of the invention
The technical problem to be solved by the present invention is how to provide a host intrusion detection method based on intrinsic subsequence pattern decomposition which overcomes the deficiencies of the prior art and can accurately and efficiently identify existing attacks and the growing number of new attacks.
The technical problem posed by the present invention is solved as follows: a host intrusion detection method based on intrinsic subsequence pattern decomposition is provided, characterized in that it comprises the following steps:
1. Rule definition:
Sequence (T): a sequence T is a data set whose elements are arranged in time order, T = t_1, ..., t_n, where n is the length of the sequence;
Support (Sup): the support Sup(S) of a subsequence S is the number of times S occurs in the sequence T;
Intrinsic subsequence pattern (IS): in a sequence T, if every subsequence of a given subsequence has the same support as that subsequence, and no subsequence of T with the same support contains it, then the subsequence is called an intrinsic subsequence pattern (Intrinsic Subsequence Pattern);
Layer: in a sequence T, the intrinsic subsequence patterns with similar support form a layer;
Sequence decomposition (Decomposition): a long sequence is decomposed into a number of intrinsic subsequence patterns, which form the corresponding layers;
2. Obtain the Windows Native API data sequence; the process sequence is first decomposed into a set of intrinsic subsequence patterns, and these patterns are then layered according to their support;
3. The suspect sequence is decomposed into several layers, each containing intrinsic subsequence patterns of similar support;
4. The normal process sequence and the suspect sequence are matched layer by corresponding layer; the anomaly degree is computed from the number of matches, and it is judged whether the suspect sequence is anomalous.
According to the host intrusion detection method based on intrinsic subsequence pattern decomposition provided by the present invention, it is characterized in that in step 2 above a sequence graph is built from the process sequence, the closed paths of the sequence graph are found as candidate sequences for intrinsic subsequence patterns, and the intrinsic subsequence patterns constituting each candidate sequence are found in the original sequence. The steps are as follows:
1. Construct the sequence graph: each distinct number in the sequence T corresponds to a node of the node set V, and LOC = {L_1, ..., L_N} records the positions at which each node of V occurs in T; for each subsequence of length 2 in T, if the corresponding edge already exists in E, the weight of that edge is increased by 1, and if the edge does not exist in E, the edge is created with weight 1;
2. Intrinsic subsequence mining: first, the edge with the largest weight in the sequence graph, together with the edges whose weights are approximately equal to it, are added to an edge set EE; the algorithm then finds all approximate closed paths in EE as candidate intrinsic subsequence patterns; next, it goes back to the sequence T and finds all the approximate intrinsic subsequence patterns that produce each approximate closed path; finally, the algorithm updates the weights of the edges in the graph corresponding to each intrinsic subsequence pattern by subtracting from each edge weight the number of times that intrinsic subsequence pattern occurs in T, and deletes the edge if its weight falls to 0 or below. The algorithm repeats the above steps until the sequence graph is empty.
The host intrusion detection method based on intrinsic subsequence pattern decomposition provided by the present invention is further characterized in that, in the anomaly detection step, the intrinsic subsequence patterns of the suspect sequence and of the normal process sequence are first formed, independently of each other, into several layers according to support; the intrinsic subsequence patterns of the suspect sequence are then matched against the normal subsequence patterns within the corresponding layer; and the anomaly degree is computed from the number of matches to judge whether the suspect sequence is anomalous. The algorithm steps are as follows:
Input: the intrinsic subsequence pattern set NIS of the normal sequence and the intrinsic subsequence pattern set TIS of the suspect sequence
Output: the anomaly index ADgree of the suspect sequence
AnomalyDetection(NIS, TIS)
1) Find the sequence with the largest support in NIS and in TIS, add it to Nlayer and Tlayer respectively together with the sequences whose support is close to it, and remove these sequences from NIS and TIS;
2) Compute the number MA of sequences in Tlayer that match a sequence in Nlayer: for each sequence in Tlayer, if it satisfies DIS == 0 with some sequence in Nlayer (that is, the two sequences are identical), MA is increased by 1;
3) Let N be the number of sequences in Tlayer; ADgree = (N - MA)/MA, added to the anomaly index accumulated over the previous layers;
4) If ADgree > η, return ADgree, where η is a threshold;
Repeat 1) to 4) until NIS or TIS is empty, and return ADgree.
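The AnomalyDetection(NIS, TIS) procedure above, written out as an added Python example that is not part of the patent. The pattern sets are constructed dicts from a pattern (a tuple of Native API numbers, the numbers being hypothetical) to its support; "close" support is a relative tolerance tol, an assumed parameter; DIS == 0 is implemented as pattern identity; and the case MA = 0, for which the patent's formula (N - MA)/MA is undefined, is treated here as an infinite anomaly index, which is an assumption of this example and not the patent's text.

```python
import math


def pop_layer(patterns, tol=0.0):
    """Step 1 for one pattern set: take the pattern of largest support together
    with every pattern whose support is within tol (relative) of it, remove them
    from the set and return them as the layer {pattern: support}."""
    top = max(patterns.values())
    layer = {S: s for S, s in patterns.items() if s >= top * (1 - tol)}
    for S in layer:
        del patterns[S]
    return layer


def anomaly_detection(NIS, TIS, eta, tol=0.0):
    """AnomalyDetection(NIS, TIS): layered matching of intrinsic subsequence
    patterns. NIS and TIS map each pattern to its support. Returns the anomaly
    index ADgree, stopping early as soon as it exceeds the threshold eta."""
    NIS, TIS = dict(NIS), dict(TIS)          # the inputs are consumed layer by layer
    adgree = 0.0
    while NIS and TIS:
        nlayer = pop_layer(NIS, tol)         # step 1: Nlayer and Tlayer are formed
        tlayer = pop_layer(TIS, tol)         #         independently of each other
        MA = sum(1 for S in tlayer if S in nlayer)   # step 2: DIS == 0 means identical
        N = len(tlayer)
        # step 3: (N - MA)/MA is undefined when nothing in the layer matches;
        # this example treats such a layer as infinitely anomalous (assumption)
        adgree += (N - MA) / MA if MA else math.inf
        if adgree > eta:                     # step 4
            return adgree
    return adgree


# Constructed pattern sets (Native API numbers are hypothetical).
# NIS: a normal process running an open/read/close loop (12 7 9) three times, then exit (3).
NIS = {(12, 7, 9): 3, (3,): 1}
# TIS_SAME: a suspect sequence with identical patterns and supports.
TIS_SAME = dict(NIS)
# TIS_EXTRA: the same loop plus an unknown pattern (44 51) repeated as often as the
# loop itself, e.g. an injected registry write inside every iteration.
TIS_EXTRA = {(12, 7, 9): 3, (44, 51): 3, (3,): 1}
# NIS2 / TIS_SHIFT: the same two patterns, but with their counts reordered, so the
# patterns change layer.
NIS2 = {(12, 7, 9): 5, (20, 21): 2}
TIS_SHIFT = {(12, 7, 9): 2, (20, 21): 5}

if __name__ == "__main__":
    ETA = 0.5
    for name, n, t in [("same", NIS, TIS_SAME), ("extra", NIS, TIS_EXTRA),
                       ("shift", NIS2, TIS_SHIFT)]:
        a = anomaly_detection(n, t, ETA)
        print(f"{name}: ADgree={a} -> {'anomalous' if a > ETA else 'normal'}")
```

Two properties of the procedure are visible in the constructed cases. Layers are aligned by rank, not by support value, and matching inside a layer ignores support, so a change in occurrence counts is detected only when it reorders patterns across layers (TIS_SHIFT scores infinitely, having no match in the top layer); a suspect sequence whose top pattern simply runs ten times as often as normal still scores 0. A deployment that needs to catch the latter has to compare supports within matched layers as well, which the patent's algorithm as stated does not do.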
The present invention proposes an algorithm that detects anomalous sequences on the basis of intrinsic subsequence pattern decomposition, and thereby detects anomalous intrusions according to the essential features of Windows Native API sequences. In order to identify existing attacks and the growing number of new attacks accurately and efficiently, this scheme proposes the concept of the intrinsic subsequence pattern, based on the features of the Windows Native API sequences of system processes: within a sequence, an intrinsic subsequence pattern is a maximal subsequence all of whose subsequences occur in the sequence the same number of times as it does. It can be seen from the definition that an intrinsic subsequence pattern always occurs in the sequence as an indivisible whole, and so has strong integrity. The definition of intrinsic subsequence patterns has practical significance for Windows Native API sequences: when a process carries out a given, definite operation, it calls the corresponding Windows Native APIs in a certain order and so forms a sequence. Therefore, whenever the process carries out this operation during its execution, the corresponding Windows Native API sequence appears in the Native API sequence of the process. The Windows Native API sequence produced by such an operation is exactly what our definition of an intrinsic subsequence describes.
The host intrusion detection decomposes the Windows Native API sequence produced by a process into different layers, each layer consisting of the intrinsic subsequence patterns that occur a similar number of times, and judges whether a suspect Windows Native API sequence is anomalous by comparing, layer by layer, the differences between its intrinsic subsequence patterns and those of the normal Windows Native API sequence. Because intrusion behaviour is purposeful, the Windows Native API sequence it produces has strong integrity: when intrinsic subsequence pattern decomposition is performed, such a sequence is generally not broken down into finer subsequences. Noise in a Windows Native API sequence, by contrast, is chaotic, and during intrinsic subsequence pattern decomposition it is very likely to be broken up across the different layers. Noise is thus weakened by the decomposition while anomalous intrusion behaviour is not, so a comparison based on the layering of this scheme can find many faint anomalous sequences more accurately. Traditional intrusion detection based on sequential pattern mining detects anomalous intrusions by comparing the differences between suspect and normal sequential patterns, and cannot effectively detect anomalous sequences whose sequential patterns are identical to the normal ones. Although a suspect sequence may contain the same subsequences as the normal sequence, their occurrence counts can change considerably; by comparing the intrinsic subsequence patterns layered by occurrence count, this scheme can effectively detect anomalous sequences of this type.
Embodiment
The present invention is further described below in conjunction with an embodiment.
One, Windows Native API
Windows has two modes, user mode and kernel mode. User applications run in user mode and system programs run in kernel mode. The important difference between the two modes lies in their priority when handling files, accessing memory and using the CPU; kernel mode has higher priority than user mode. Even if a serious error occurs in a user application, it does not greatly affect the whole system, which guarantees the normal operation of the operating system.
An API is an interface function in a dynamic link library through which the Windows operating system provides a system service to the user; it runs either in user mode or in kernel mode. The APIs through which kernel-mode system services are reached are the Native APIs, the interface functions of the kernel-level system services in the dynamic link libraries. Native APIs differ greatly from user-mode APIs, and their call sequence reflects the features of an application at the kernel level, so it can serve as the data source for anomaly detection.
In Win32 systems the following four dynamic link libraries all provide APIs: User32.dll (user interface API), Gdi32.dll (graphics interface API), Kernel32.dll (management interface API) and Advapi32.dll (advanced services management interface API). Kernel32.dll wraps the lowest-level system services, but the Native API itself is exported by NTdll.dll, which forwards each call into the kernel. Windows XP has nearly 949 Native APIs, of which the 284 Native APIs in NTdll.dll are the most critical to the system. All calls in the Win32 API ultimately go through NTdll.dll, and kernel-mode drivers call this module most of the time; when a system service is requested, the main function of NTdll.dll is to allow a particular subset of kernel functions to be called by routines running in user mode. Therefore in the experiments we mainly trace and intercept these 284 critical Native APIs. We consider them analogous to Linux system calls, so anomaly detection can be carried out on the basis of their sequence patterns. For the convenience of later data processing we number each Native API. Table 1 shows some of the Native APIs actually intercepted, with their functions and numbers.
Table 1 Native API examples
Two, intrinsic subsequence pattern mining method
Before introducing the method, we first give the relevant concepts and definitions:
Definition 1: the sequence graph SG is the relation graph of a sequence T. It is a tuple $SG = \langle V, E, W \rangle$, where:
(1) V is the set of nodes of the graph; the nodes in V correspond one-to-one with the distinct numbers occurring in T;
(2) E is the set of directed edges of the graph; each pair of adjacent elements in T corresponds one-to-one with a directed edge between the respective nodes of SG;
(3) W is the set of directed-edge weights of the graph; each edge in E corresponds one-to-one with a weight in W, and the weight of an edge in E is the number of times the length-2 sequence represented by that edge occurs in T.
Definition 2: path: in the sequence graph SG of T, if a sequence $S = X_0 X_1 \ldots X_m$ satisfies $X_i X_{i+1} \in E$ for all $i$ with $0 \le i < m$, then S is a path in SG.
Definition 3: closed path: in the sequence graph SG of T, let $R = X_p X_{p+1} \ldots X_{p+q}$. If all edge weights in R are equal, and for any adjoining nodes $X_{p-1}$ and $X_{p+q+1}$ the weights of the edges $X_{p-1} X_p$ and $X_{p+q} X_{p+q+1}$ are both different from the weight of every edge in R, then R is a closed path.
This step mines intrinsic subsequence patterns as follows:
(1) build a sequence graph from the sequence;
(2) find the closed paths in the sequence graph as candidate sequences for intrinsic subsequence patterns;
(3) in the original sequence, find the intrinsic subsequence patterns that make up each candidate sequence.
The sequence graph SG is constructed as follows: each distinct number in T corresponds to a node in V; $LOC = \{L_1, \ldots, L_N\}$ records the positions in T at which each node of V occurs; for each length-2 subsequence of T, if the corresponding edge already exists in E, its weight is increased by 1, otherwise the edge is created with weight 1. The algorithm for building the sequence graph SG is:
Input: sequence T
Output: sequence graph SG
ConstructSG(T)
1) read the k-th element $T_k$ of T;
2) if the edge $T_{k-1} T_k \in E$, add 1 to its weight; otherwise create the edge with weight 1;
3) repeat 1) and 2) for each element of T in turn.
Because real data are complex and contain some noise, closed paths that fully meet the definition are rare in a real sequence graph. Therefore the algorithm looks for approximate closed paths and approximate intrinsic subsequence patterns: edges with similar weights are treated as edges of equal weight within a closed path, and sequences with similar occurrence counts are treated as sequences with equal occurrence counts. The intrinsic subsequence mining algorithm first finds the edge of maximum weight in the graph and adds it, together with the edges whose weights are similar to it, to the set EE; it then finds all approximate closed paths in EE as candidates for intrinsic subsequence patterns; next it goes back to the sequence T and finds all approximate intrinsic subsequence patterns that produce each approximate closed path. Finally the algorithm updates the weights of the edges in the graph that correspond to each intrinsic subsequence pattern: the occurrence count of the pattern in T is subtracted from the edge weight, and if the weight becomes less than or equal to 0 the edge is deleted. The algorithm repeats these steps until SG is an empty graph. The intrinsic subsequence pattern mining algorithm is:
Input: sequence T, sequence graph SG, and the set LOC recording the positions in T at which each node of the sequence graph occurs
Output: the intrinsic subsequence patterns and their occurrence counts in T
FindIntrinsicSubsequence(T, SG, LOC)
1) find the edge of maximum weight in SG and add it and all edges with similar weights to the set EE;
2) find all approximate closed paths in EE as candidates; for each candidate, go back to the original sequence T and find all longest subsequences whose occurrence count is close to the edge weights as the intrinsic subsequence patterns corresponding to that candidate, recording the actual occurrence counts of these subsequences as the occurrence counts of the intrinsic subsequence patterns;
3) update the graph SG: subtract from the weights of the edges of each intrinsic subsequence pattern its occurrence count, and delete an edge whose weight becomes less than or equal to 0;
4) repeat 1), 2), 3) until SG is an empty graph.
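The mining procedure above, as an added worked example in Python (this is not the patent's code). It builds the sequence graph together with the LOC position lists, chains equal-weight edges into approximate closed paths, maps each candidate back to the original sequence T to find the longest slices whose support matches the edge weights, and updates the graph until it is empty. The page does not say how candidate paths are enumerated, what counts as a "similar" weight, or what happens when a candidate path does not occur in T, so the chaining rule in `approx_closed_paths`, the absolute tolerance `tol` and the dropping of unmatched edges are assumptions; the function names (`construct_sg`, `support`, `patterns_from_candidate`, `find_intrinsic_subsequences`) are mine, and `T_EXAMPLE` is a constructed list of API numbers, not data from the patent.

```python
"""Added example (not the patent's code): sequence graph construction,
approximate closed paths and intrinsic subsequence pattern mining."""
from collections import defaultdict
from typing import Dict, List, Tuple

Edge = Tuple[int, int]


def construct_sg(T: List[int]):
    """ConstructSG: one node per distinct number in T, one directed edge per
    adjacent pair with the pair's occurrence count as weight; LOC records the
    positions at which each node occurs in T."""
    E: Dict[Edge, int] = defaultdict(int)
    LOC: Dict[int, List[int]] = defaultdict(list)
    for k, t in enumerate(T):
        LOC[t].append(k)
        if k > 0:
            E[(T[k - 1], t)] += 1
    return dict(E), dict(LOC)


def support(T: List[int], LOC: Dict[int, List[int]], S: List[int]) -> int:
    """Sup(S): number of (possibly overlapping) occurrences of S in T,
    scanning only the positions where S[0] occurs."""
    m = len(S)
    return sum(1 for i in LOC.get(S[0], []) if T[i:i + m] == S)


def approx_closed_paths(EE: List[Edge]) -> List[List[int]]:
    """Chain the edges of EE head-to-tail into maximal paths.  A node that is not
    entered by exactly one EE edge and left by exactly one EE edge ends a chain
    (assumption: this stands in for Definition 3's unequal neighbouring weights)."""
    out, indeg = defaultdict(list), defaultdict(int)
    for a, b in EE:
        out[a].append(b)
        indeg[b] += 1

    def boundary(n: int) -> bool:
        return indeg[n] != 1 or len(out[n]) != 1

    unused, paths = set(EE), []
    # start chains at boundary nodes first; leftover edges belong to pure cycles
    for a, b in [e for e in EE if boundary(e[0])] + list(EE):
        if (a, b) not in unused:
            continue
        unused.discard((a, b))
        path = [a, b]
        while not boundary(path[-1]) and (path[-1], out[path[-1]][0]) in unused:
            nxt = out[path[-1]][0]
            unused.discard((path[-1], nxt))
            path.append(nxt)
        paths.append(path)
    return paths


def patterns_from_candidate(T, LOC, P: List[int], wmax: int, tol: int):
    """Map a candidate path P back to T: the longest slices of P that really occur
    in T with support within tol of wmax become intrinsic subsequence patterns."""
    found, i = [], 0
    while i < len(P) - 1:
        for j in range(len(P), i + 1, -1):          # longest slice first
            sup = support(T, LOC, P[i:j])
            if sup > 0 and abs(sup - wmax) <= tol:
                found.append((P[i:j], sup))
                i = j - 1                           # neighbouring patterns share a node
                break
        else:
            i += 1                                  # no slice starting here matches
    return found


def find_intrinsic_subsequences(T: List[int], tol: int = 0):
    """FindIntrinsicSubsequence: repeat (max-weight edges -> candidate paths ->
    patterns in T -> weight update) until the graph is empty."""
    E, LOC = construct_sg(T)
    patterns = []
    while E:
        wmax = max(E.values())
        EE = sorted(e for e, w in E.items() if wmax - w <= tol)   # step 1)
        found = []
        for P in approx_closed_paths(EE):                          # step 2)
            found.extend(patterns_from_candidate(T, LOC, P, wmax, tol))
        if not found:
            # assumption: heaviest edges that no real subsequence explains are dropped
            for e in EE:
                del E[e]
            continue
        for S, sup in found:                                       # step 3)
            patterns.append((S, sup))
            for e in zip(S, S[1:]):
                if e in E:
                    E[e] -= sup
                    if E[e] <= 0:
                        del E[e]
    return patterns


# Constructed sequence of Native API numbers (not data from the patent)
T_EXAMPLE = [1, 2, 3, 4, 5, 1, 2, 3, 1, 2, 3, 4, 5, 1, 2, 3]

if __name__ == "__main__":
    for S, sup in find_intrinsic_subsequences(T_EXAMPLE):
        print(S, "support", sup)
```

With `tol=0` the constructed sequence decomposes into `[1, 2, 3]` (support 4), `[3, 4, 5, 1]` (support 2) and `[3, 1]` (support 1), one pattern per weight level. With a non-zero tolerance the edges of nearby weight are merged into one candidate path, which is the approximate, redundant decomposition the text describes: the noisier sequence `[1, 2, 3, 1, 2, 3, 1, 2, 4]` yields `[1, 2, 3, 1]` and `[1, 2, 4]` at `tol=1`, whereas an exact run would split it into `[1, 2]`, `[2, 3, 1]` and `[2, 4]`.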
Three, anomaly detection method
When a sequence becomes anomalous, there are usually two cases: (1) subsequences that do not occur in the normal sequence appear; (2) no new subsequence appears, but the occurrence counts of some subsequences change noticeably. Our anomaly-based intrusion detection method decomposes the intrinsic subsequence patterns into layers according to their occurrence counts and then compares the normal sequence and the suspect sequence layer by layer. In the first kind of anomaly, the anomalous subsequences show up in their corresponding layer; in the second kind, the layer in which a subsequence appears in the anomalous sequence differs from its layer in the normal sequence, so after layering the second kind of anomaly can also be detected. Because the subsequences are compared within layers, the amount of data compared at a time is smaller, and some weak anomalies become more evident. When an intrusion occurs on a real system, a large number of subsequences whose occurrence counts change sharply tend to appear in the sequence, which is consistent with the nature of intrusion behaviour: when a system is compromised, the intruding program usually completes the intrusion, the damage to the system and its own replication and propagation within a very short time.
The anomaly detection method first groups the intrinsic subsequence patterns of the suspect sequence and of the normal sequence into several layers according to support. Then, within each corresponding layer, the intrinsic subsequence patterns of the suspect sequence are matched against those of the normal sequence; the number of matched subsequences in the layer is counted, and the anomaly index of the layer is derived from the number of matches relative to the number of sequences in that layer. When the sum of the anomaly indices over the layers exceeds a threshold η, the suspect sequence is considered to contain an anomaly. This scheme collects the normal execution sequences of each process separately as the training set, and detection is also carried out per process.
The anomaly detection method is as follows:
Input: the intrinsic subsequence pattern set NIS of the normal sequence and the intrinsic subsequence pattern set TIS of the suspect sequence
Output: the anomaly index ADgree of the suspect sequence
AnomalyDetection(NIS, TIS)
1) find the sequences of maximum support in NIS and in TIS, add them and the sequences whose support is close to theirs to Nlayer and Tlayer respectively, and remove these sequences from NIS and TIS;
2) compute the number MA of sequences in Tlayer that match a sequence in Nlayer: for each sequence in Tlayer, if DIS == 0 holds between it and some sequence in Nlayer, MA increases by 1;
3) let N be the number of sequences in Tlayer; ADgree = (N − MA)/MA, added to the anomaly indices of the previous layers;
4) if ADgree > η, return ADgree;
5) repeat 1), 2), 3), 4) until NIS or TIS is empty, then return ADgree;
Because the numbering of the data is assigned manually, similar numbers may have very different meanings; at the same time, the decomposition into intrinsic subsequence patterns is an approximate, redundant decomposition, so if one sequence is a subsequence of the other, the distance between the two sequences is 0. The function DIS that computes the distance between sequences in this algorithm is defined as follows:
For two sequences C and Q: if $C \subseteq Q$ then DIS(C, Q) = 0; otherwise DIS(C, Q) = ∞.
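The layered comparison and the DIS function, as an added Python example that is not part of the patent. Patterns are given as (subsequence, support) pairs, i.e. the output of the mining step; `tol` bounds the support difference within one layer and `eta` is the threshold η. Treating "subsequence" in DIS as a contiguous run, and assigning an infinite index to a layer with no match at all (the page's formula divides by MA), are assumptions; the function names (`dis`, `peel_layer`, `anomaly_detection`) are mine, and `NORMAL_NIS` / `SUSPECT_TIS` are constructed pattern sets, not data from the patent.

```python
"""Added example (not the patent's code): layered matching of intrinsic
subsequence patterns and the DIS distance used by AnomalyDetection."""
from typing import List, Tuple

Pattern = Tuple[List[int], int]      # (subsequence, support)
INF = float("inf")


def dis(C: List[int], Q: List[int]) -> float:
    """DIS(C, Q) = 0 if C is a (contiguous) subsequence of Q, otherwise infinity."""
    m = len(C)
    for i in range(len(Q) - m + 1):
        if Q[i:i + m] == C:
            return 0.0
    return INF


def peel_layer(IS: List[Pattern], tol: int):
    """Step 1): take the maximum-support pattern and every pattern whose support
    is within tol of it out of IS; return (layer, remaining patterns)."""
    smax = max(sup for _, sup in IS)
    layer = [(S, sup) for S, sup in IS if smax - sup <= tol]
    rest = [(S, sup) for S, sup in IS if smax - sup > tol]
    return layer, rest


def anomaly_detection(NIS: List[Pattern], TIS: List[Pattern],
                      eta: float, tol: int = 0) -> float:
    """Compare the suspect set TIS with the normal set NIS layer by layer and
    return the accumulated anomaly index ADgree (stops early once it exceeds eta)."""
    NIS, TIS = list(NIS), list(TIS)
    adgree = 0.0
    while NIS and TIS:
        nlayer, NIS = peel_layer(NIS, tol)
        tlayer, TIS = peel_layer(TIS, tol)
        # step 2): MA = suspect patterns of this layer matching some normal pattern
        MA = sum(1 for S, _ in tlayer if any(dis(S, Q) == 0 for Q, _ in nlayer))
        N = len(tlayer)
        # step 3): ADgree = (N - MA) / MA, accumulated over layers; a layer with
        # no match at all is treated as infinitely anomalous (assumption)
        adgree += (N - MA) / MA if MA else INF
        if adgree > eta:                  # step 4)
            return adgree
    return adgree                         # step 5)


# Constructed pattern sets (not data from the patent): the suspect process keeps
# the dominant pattern, but a new pattern [8, 9, 10] has replaced [3, 4, 5, 1]
NORMAL_NIS = [([1, 2, 3], 40), ([3, 4, 5, 1], 20), ([6, 7], 18), ([3, 1], 5)]
SUSPECT_TIS = [([1, 2, 3], 38), ([8, 9, 10], 21), ([6, 7], 19), ([3, 1], 6)]

if __name__ == "__main__":
    print("ADgree:", anomaly_detection(NORMAL_NIS, SUSPECT_TIS, eta=0.5, tol=3))
```

On the constructed sets the top layer matches completely (index 0), the second layer holds one unmatched suspect pattern against one matched (index 1.0), and with η = 0.5 the function returns 1.0 from that layer without examining the rest. The per-layer comparison is what makes the second kind of anomaly visible: a pattern whose support has drifted into a different layer no longer finds its counterpart there even though the pattern itself still exists in the normal profile.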

Claims (3)

1. A host intrusion detection method based on intrinsic subsequence pattern decomposition, characterized in that it comprises the following steps:
1. Definitions:
Sequence: a sequence T is a data set whose elements are arranged in time order, $T = t_1, \ldots, t_n$, where n is the length of the sequence;
Support: the support Sup(S) of a subsequence S is the number of times it occurs in the sequence T.
Intrinsic subsequence pattern: in a sequence T, if every subsequence of a given subsequence has the same support as that subsequence, and no subsequence of T with the same support contains it, then that subsequence is called an intrinsic subsequence pattern;
Layer: in a sequence T, the intrinsic subsequence patterns with similar support form a layer;
Sequence decomposition: decomposing a long sequence into a number of intrinsic subsequence patterns that form the corresponding layers;
2. Obtain the Windows Native API data sequence; the sequence of a given process is first decomposed into a set of intrinsic subsequence patterns, and these intrinsic subsequence patterns are then layered according to their support;
3. The suspect sequence is decomposed into several layers, each layer containing intrinsic subsequence patterns of similar support;
4. The normal process sequence and the suspect sequence are matched layer by layer, the degree of anomaly is computed from the number of matches, and it is decided whether the suspect sequence is anomalous.
2. The host intrusion detection method based on intrinsic subsequence pattern decomposition according to claim 1, characterized in that in step 2. above a sequence graph is built from the process sequence, the closed paths in the sequence graph are found as candidate sequences for intrinsic subsequence patterns, and the intrinsic subsequence patterns that make up each candidate sequence are found in the original sequence, as follows:
1. Sequence graph construction: each distinct number in the sequence T corresponds to a node in the node set V, and $LOC = \{L_1, \ldots, L_N\}$ records the positions in T at which each node of V occurs; for each length-2 subsequence of T, if the corresponding edge already exists in E its weight is increased by 1, otherwise the edge is created with weight 1;
2. Intrinsic subsequence mining: first find the edge of maximum weight in the sequence graph and add it, together with the edges of similar weight, to the set EE; then find all approximate closed paths in EE as candidates for intrinsic subsequence patterns; then go back to the sequence T and find all approximate intrinsic subsequence patterns that produce each approximate closed path; finally update the weights of the edges corresponding to each intrinsic subsequence pattern in the graph by subtracting the pattern's occurrence count in T, deleting an edge whose weight becomes less than or equal to 0; the algorithm repeats the above steps until the sequence graph is empty.
3. The host intrusion detection method based on intrinsic subsequence pattern decomposition according to claim 1, characterized in that in the anomaly detection step the most frequent intrinsic subsequence patterns in the suspect sequence and in the normal process sequence are first found and, together with the subsequences of similar occurrence count, form one layer; the intrinsic subsequence patterns of the suspect sequence are then matched against the normal subsequence patterns within this layer, and from the number of matches the degree of anomaly is computed and it is decided whether the suspect sequence is anomalous; the algorithm steps are:
Input: the intrinsic subsequence pattern set NIS of the normal sequence and the intrinsic subsequence pattern set TIS of the suspect sequence
Output: the anomaly index ADgree of the suspect sequence
AnomalyDetection(NIS, TIS)
1) find the sequences of maximum support in NIS and in TIS, add them and the sequences whose support is close to theirs to Nlayer and Tlayer respectively, and remove these sequences from NIS and TIS;
2) compute the number MA of sequences in Tlayer that match a sequence in Nlayer: for each sequence in Tlayer, if DIS == 0 holds between it and some sequence in Nlayer, MA increases by 1;
3) let N be the number of sequences in Tlayer; ADgree = (N − MA)/MA, added to the anomaly indices of the previous layers;
4) if ADgree > η, return ADgree, where η is a threshold;
repeat 1), 2), 3), 4) until NIS or TIS is empty, then return ADgree.
CN2008100445160A 2008-04-02 2008-04-02 Host computer intrude detecting method decomposed based on inherent subsequence mode Expired - Fee Related CN101252578B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008100445160A CN101252578B (en) 2008-04-02 2008-04-02 Host computer intrude detecting method decomposed based on inherent subsequence mode

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008100445160A CN101252578B (en) 2008-04-02 2008-04-02 Host computer intrude detecting method decomposed based on inherent subsequence mode

Publications (2)

Publication Number Publication Date
CN101252578A true CN101252578A (en) 2008-08-27
CN101252578B CN101252578B (en) 2011-05-11

Family

ID=39955764

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008100445160A Expired - Fee Related CN101252578B (en) 2008-04-02 2008-04-02 Host computer intrude detecting method decomposed based on inherent subsequence mode

Country Status (1)

Country Link
CN (1) CN101252578B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103530118A (en) * 2013-09-30 2014-01-22 广州华多网络科技有限公司 Method and device for loading user-defined DLL into target progress
CN104142881A (en) * 2013-05-07 2014-11-12 腾讯科技(深圳)有限公司 Adaptive defect detecting method and device of application program programming interfaces
CN106156078A (en) * 2015-03-31 2016-11-23 西门子公司 Data analysing method and device
CN106840213A (en) * 2017-01-18 2017-06-13 北京蓝色星语科技有限公司 A kind of dangerous material detection method and detector
CN112966266A (en) * 2021-03-02 2021-06-15 北京金山云网络技术有限公司 Virus detection system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1333553C (en) * 2005-03-23 2007-08-22 北京首信科技有限公司 Program grade invasion detecting system and method based on sequency mode evacuation

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104142881A (en) * 2013-05-07 2014-11-12 腾讯科技(深圳)有限公司 Adaptive defect detecting method and device of application program programming interfaces
CN104142881B (en) * 2013-05-07 2019-04-12 腾讯科技(深圳)有限公司 The adaptation defect inspection method and detection device of application programming interface
CN103530118A (en) * 2013-09-30 2014-01-22 广州华多网络科技有限公司 Method and device for loading user-defined DLL into target progress
CN103530118B (en) * 2013-09-30 2017-01-11 广州华多网络科技有限公司 Method and device for loading user-defined DLL into target progress
CN106156078A (en) * 2015-03-31 2016-11-23 西门子公司 Data analysing method and device
CN106840213A (en) * 2017-01-18 2017-06-13 北京蓝色星语科技有限公司 A kind of dangerous material detection method and detector
CN106840213B (en) * 2017-01-18 2019-04-16 北京蓝色星语科技有限公司 A kind of dangerous material detection method and detector
CN112966266A (en) * 2021-03-02 2021-06-15 北京金山云网络技术有限公司 Virus detection system

Also Published As

Publication number Publication date
CN101252578B (en) 2011-05-11

Similar Documents

Publication Publication Date Title
CN101252440B (en) Network intrude detecting method based on inherent subsequence mode decomposition
Lunt et al. A real-time intrusion-detection expert system (IDES)
US6347374B1 (en) Event detection
Lunt IDES: An intelligent system for detecting intruders
Denning An intrusion-detection model
Lunt Automated audit trail analysis and intrusion detection: A survey
Chopade et al. Ten years of critical review on database forensics research
CN102647421B (en) The web back door detection method of Behavior-based control feature and device
CN104766011A (en) Sandbox detection alarming method and system based on main engine characteristic
CN104283889A (en) Electric power system interior APT attack detection and pre-warning system based on network architecture
Liu et al. Intrusion confinement by isolation in information systems
CN101252578B (en) Host computer intrude detecting method decomposed based on inherent subsequence mode
CN109347808B (en) Safety analysis method based on user group behavior activity
Tang et al. Discovering lag intervals for temporal dependencies
Singh et al. Sql injection detection and correction using machine learning techniques
Srivastava et al. Weighted intra-transactional rule mining for database intrusion detection
Hu et al. An anomaly detection model of user behavior based on similarity clustering
Darwish Machine learning approach to detect intruders in database based on hexplet data structure
Mohammad et al. A novel local network intrusion detection system based on support vector machine
Adebiyi et al. An sql injection detection model using chi-square with classification techniques
CN112822210A (en) Vulnerability management system based on network assets
Sodiya et al. A new two‐tiered strategy to intrusion detection
Kumar et al. Detection and Prevention of SQL Injection attack
Hu et al. Design and analysis of techniques for detection of malicious activities in database systems
Hu et al. An effective log mining approach for database intrusion detection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: WUXI UEST SCIENCE + TECHNOLOGY DEVELOPMENT CO., LT

Free format text: FORMER OWNER: UNIVERSITY OF ELECTRONIC SCIENCE AND TECHNOLOGY OF CHINA

Effective date: 20131029

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 610054 CHENGDU, SICHUAN PROVINCE TO: 214135 WUXI, JIANGSU PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20131029

Address after: 214135 Jiangsu New District of Wuxi City Branch Park University Chinese sensor network science and Technology Park building A room 402 business district

Patentee after: WUXI UESTC TECHNOLOGY DEVELOPMENT Co.,Ltd.

Address before: 610054 No. two, Jianshe North Road, Chengdu, Sichuan, four

Patentee before: University of Electronic Science and Technology of China

TR01 Transfer of patent right

Effective date of registration: 20210108

Address after: No.2006 Xiyuan Avenue, Chengdu, Sichuan 611731

Patentee after: University of Electronic Science and technology of Sichuan foundation for education development

Address before: Room 402, area a, Liye building, science and Technology Park, China sensor network university, Taike Park, New District, Wuxi City, Jiangsu Province, 214135

Patentee before: WUXI UESTC TECHNOLOGY DEVELOPMENT Co.,Ltd.

TR01 Transfer of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110511

CF01 Termination of patent right due to non-payment of annual fee