CN102768638B - Software behavior credibility detecting method based on state transition diagram - Google Patents


Info

Publication number
CN102768638B
Authority
CN
China
Prior art keywords
weights
state
module
limit
degree
Legal status
Active
Application number
CN201210157706.XA
Other languages
Chinese (zh)
Other versions
CN102768638A (en)
Inventor
赖英旭
张文雯
杨震
刘静
李健
Current Assignee
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date
2012-05-18
Filing date
2012-05-18
Publication date
2015-04-29
Applicant
Beijing University of Technology

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a software behavior credibility detection method based on a state transition diagram. The detection system is divided into five modules: a data preprocessing module, a state diagram training module, a behavior detection module, a real-time monitoring module and an abnormality alarm module. The data preprocessing module is in charge of processing the raw data; the state diagram training module trains the normal behavior library; the behavior detection module detects behavior against the built diagram and is itself divided into two layers, the first detecting states and paths and the second mainly detecting weights; the real-time monitoring module dynamically stores the detection results in the form of a log; and the abnormality alarm module raises an alarm when the detection module detects an abnormal condition and stops the running software. The detection model can monitor software behavior in real time and detect behavior that does not belong to the software, attack behavior and illegal input.

Description

Software behavior credibility detection method based on a state transition diagram
Technical field:
The present invention aims to establish a credibility detection model for software behavior in order to ensure behavioral safety, and belongs to the field of information security.
Background technology:
Software is essentially a tool that performs certain behavior in place of people, and the credibility of software is manifested mainly in the credibility of its behavior. Qu Yanwen holds that the credibility of software behavior is a statistical property of whether the software, acting as the subject while it runs and relying on its own functions to use or operate on objects, shows in its historical record of actions any violation of rules, exceeding of authority, exceeding of scope and the like. That is, trusted software is software whose behavior and results are as expected and whose behavioral state during the run can be monitored.
Existing types of behavior credibility detection roughly comprise credibility evaluation, risk assessment and trend prediction. Credibility evaluation models generally first build a library of normal or abnormal behavior and then detect by matching against the known library; the related research mainly covers system call sequences, software behavior automata, and system call context and parameters, and most researchers aim to improve the accuracy and completeness of the model. Risk assessment means that the researcher applies a risk assessment strategy to determine scenes of suspected risk and uses a reward or punishment mechanism to obtain a confidence level for the software behavior, from which it is judged whether the behavior is credible; this approach holds that risk and trust are the two key factors determining credibility and that risk and trust are mutually opposed. Trend prediction focuses on the relation between run-time software behavior, scene and behavioral effect, applies advanced statistical machine learning tools to analyze the regularities of behavior traces, and then predicts the trend of the software behavior.
These detection methods usually attend only to exceptions under a fixed behavior specification. They lack a systematic software behavior testing mechanism, find it difficult to detect the overall security of the target software, cannot monitor software behavior in real time, and still less can locate the time and cause of an anomaly. Moreover, the factors they consider are many, the models are complicated, and their practicality is low.
Summary of the invention:
To address the above problems, the present invention proposes a software behavior credibility detection method based on a graph, aiming to establish a complete detection flow and realize real-time monitoring and detection of software behavior. The detection system is divided into five modules: a data preprocessing module, a state diagram training module, a behavior detection module, a real-time monitoring module and an abnormality alarm module.
The present invention comprises the following steps:
The data preprocessing module first intercepts the system calls of the running software and, using the learning and evaluation problems of the hidden Markov model (HMM), converts the system call sequence into a state sequence, completing the preprocessing of the data.
The state diagram training module is the normal behavior library trained before the detection system is started; it comprises an overall state diagram and multiple local sensitive function diagrams. The state sequences obtained from the data preprocessing module are used directly to build the graphs. Before graph construction is described, the related concepts and definitions are given first.
Definition 1 (state): a high-level sequence pattern derived from system calls.
Definition 2 (path): if state 2 occurs after state 1, a path from state 1 to state 2 is said to exist.
Definition 3 (weight): the ratio of the number of occurrences of a given edge to the total number of occurrences of all edges.
Definition 4 (state distance D): the distance between two different states, used to judge the degree of similarity of the two states. What is compared is the system call sequence corresponding to each of the two states. Let the shorter sequence be l_min with length l_1 and the longer sequence be l_max with length l_2. First align the first element of l_min with the first element of l_max; a position holding identical values is recorded as 0 and a position holding different values as 1; the recorded values are added and divided by the short sequence length l_1, giving R_1. Then l_min slides backward by one, that is, the first element of l_min is aligned with the second element of l_max, and the same operation is repeated to record R_2, and so on until the end of l_min is aligned with the end of l_max. Then calculate $D = \frac{1}{l_2 - l_1 + 1}\sqrt{R_1^2 + R_2^2 + \dots + R_{l_2 - l_1 + 1}^2}$.
Definition 5 (in-degree): the sum of the weights of the edges in the STG that end at a given vertex is called the in-degree of that vertex.
Definition 6 (out-degree): the sum of the weights of the edges in the STG that originate at a given vertex is called the out-degree of that vertex.
The method of building the graph is similar to that used in graph theory, and must additionally satisfy the following two rules:
Rule 1: small-probability branch deletion rule
When building the graph, delete the edges whose weight is less than 0.08; if neither the out-degree nor the in-degree of a vertex reaches 0.08, that vertex is deleted as well. Small-probability states and edges may arise from misjudgment by the HMM or from round-robin scheduling by the Windows operating system. Because their probability of occurrence is very small and not stable, they are unsuitable for describing software behavior; they also do not match the characteristics of abnormal intrusions and viruses and so do not affect detection, and are therefore deleted.
Rule 2: equivalent state merging rule
If there is an edge between two states and their distance D is less than 0.5, they can be merged. The merging process is as follows:
■ Vertex: the two vertices become one.
■ Edge: the edge between the two states is deleted directly; the edges between the two states and other states are retained.
■ Weight: since weights correspond to edges, if two identical edges remain after merging, their weights are added and only one such edge is retained.
■ In-degree: the sum of the in-degrees of the two states before merging, minus the weight of the edge between the two states.
■ Out-degree: the sum of the out-degrees of the two states before merging, minus the weight of the edge between the two states.
The state diagram is generated directly from the derived state sequence according to rules 1 and 2; it comprises the states and the paths between states, and need not record weights. A local sensitive function refers to a special function such as connecting or logging in. Such a function is itself not abnormal, but a large number of operations on it may well be an attack or malicious behavior. The local sensitive function diagram is therefore built separately; its construction method is the same as that of the state transition diagram, but weights must be recorded, so it comprises states, paths and weights.
The state sequence then enters the behavior detection module, which is the core of the whole detection model. The first layer is state and path detection based on the state diagram; the second layer is detection based on the states, paths and weights of the local sensitive function diagram.
First-layer detection: a state diagram is built from the state sequence obtained in the data preprocessing module, with the same construction method as in the state diagram training module, and is then compared with the state diagram in the library; if a state or path that is absent from the library diagram appears, the behavior is judged untrusted. This part detects whether new behavior appears and whether a code injection attack has occurred, because unexpected behavior and code injection usually cause new software functionality to appear, and new functionality means the appearance of states or paths absent from the library diagram.
Second-layer detection: an in-depth analysis performed when the first layer finds no anomaly. The second layer builds a graph from the first layer's data, with the same construction method as for the sensitive function diagram in the state diagram training module, and matches the built graph against the local sensitive function diagram. If the states and paths are identical and the weight deviation Δd is less than 0.1, this sensitive behavior is considered to have occurred. The weight deviation is computed from the difference in weight on each path: if the graph has 3 paths, the weights of the library graph are w_1, w_2, w_3 and those of the graph under test are w_1', w_2', w_3', then the weight deviation is $\Delta d = \frac{1}{3}\sqrt{(w_1 - w_1')^2 + (w_2 - w_2')^2 + (w_3 - w_3')^2}$. If the same sensitive behavior is determined to occur more than 5 times consecutively, the behavior is judged untrusted. This layer serves to detect attacks of the DoS/DDoS kind and behavior such as illegal user input. Such attacks are not reflected in states and paths and are not illegal behavior as such, but they perform illegal operations.
The real-time monitoring module dynamically records the running status of the software in the form of a log: each time the detection module finishes the matching of the first and second layers, the results are simply recorded in order in the log. Querying the log therefore gives the running status of the software, and if the software has been terminated abnormally the cause can be roughly analyzed from it.
The abnormality alarm module gives an alarm immediately after receiving a message from the behavior detection module that an anomaly has appeared, and terminates the running of the program.
The method of the invention establishes a complete software behavior credibility detection system. Its advantages are as follows:
1. Only system calls need to be obtained from the actually running software; the operation is simple and storage is convenient.
2. The real-time monitoring module dynamically records the running status of the software in the form of a log, achieving real-time monitoring of software behavior, and the cause of an abnormal termination can be analyzed from the log.
3. The detection system has clear layers and gives an overall grasp of the security of the software.
Description of the drawings
Fig. 1 is the flow chart of the software behavior credibility detection method based on a state transition diagram realized by the present invention.
Fig. 2 shows the graph construction process of the present invention.
Embodiment
The steps of the method of the present invention are introduced in detail below with reference to Fig. 1:
Referring to Fig. 1, the present invention is a software behavior credibility detection scheme based on a state transition diagram. The detection system is divided into five modules: 1 data preprocessing module, 2 state diagram training module, 3 behavior detection module, 4 real-time monitoring module, 5 abnormality alarm module. The detection flow is as follows:
First, the data preprocessing module intercepts the system calls of the running software and quantizes them, then uses the hidden Markov model to convert the system call sequence into a state sequence composed of multiple call combinations.
The state sequence is then sent to the behavior detection module, where it is partitioned to build a state diagram. Take for example the state sequence 13434521343453134345134345134345134345134345; the construction process is shown in Fig. 2. The sequence contains 5 states altogether, so the vertex set is V={1, 2, 3, 4, 5}; it contains 9 edges altogether, and the total number of edge occurrences is 43. State 1 is followed by state 3 seven times, so the weight of the edge from state 1 to state 3 is 7/43=0.16. This produces the first graph. Rule 1 is then applied, deleting the edges whose weight is less than 0.08; as can be seen from the first graph, four edges are deleted, giving the second graph. Rule 2 is then applied: the sequence corresponding to state 4 is found to be 12343423 and the sequence corresponding to state 5 to be 1234323, and the state distance is computed as shown in Table 1. At the start, the same positions hold different values in 2 places, recorded as 2/7; after state 5 is shifted by one, the same positions hold different values in 5 places, recorded as 5/7; finally the distance between the two states is computed as D=0.38<0.5, so state 4 and state 5 are merged. First the vertices are merged, leaving only one state; then the path between the two states is deleted; no weights are found that need merging; this gives the third graph, in which the out-degree of the merged vertex is 0.32+0.12-0.16=0.28 and the in-degree is 0.32+0.16-0.16=0.32. Finally the weights in the third graph are deleted and the state diagram is complete.
After the graph is built, the first-layer judgment is made against the state diagram already in the library: if no new state or path appears, the monitoring log records 1rs; otherwise the monitoring log records 1newS (number of occurrences of new states) and newP (number of occurrences of new paths), control enters the alarm module, the alarm module sends the first-layer alarm, and the software stops running.
If the first-layer detection finds no anomaly, the second-layer detection is performed: the state sequence just detected is grouped again to build a local sensitive function diagram, with the same construction method as in Fig. 2, except that the weights of the third graph are retained. The built graph is matched against the local sensitive function diagram in the library; if the states and paths are identical and the weight deviation is less than 0.1, a sensitive function is considered to have occurred and the monitoring log records 1 (the name of the sensitive function). Graph construction then continues and the detection module counts this sensitive behavior; if the same sensitive behavior occurs more than 5 times consecutively, the alarm module sends the second-layer alarm and the software stops running.
Calculation of the weight deviation: take the difference between each weight of the known graph and the corresponding weight of the graph under test, take the square root of the sum of the squares, and divide by the number of paths. For example, if the weights of the known graph are w1=0.3, w2=0.6, w3=0.1 and the weights of the graph under test are w1'=0.25, w2'=0.65, w3'=0.1, then the weight deviation is
$\Delta d = \frac{1}{3}\sqrt{(w_1 - w_1')^2 + (w_2 - w_2')^2 + (w_3 - w_3')^2} = 0.024$.
If after one pass the software has not been terminated abnormally, the monitoring log records normal operation 1ro, control returns to the state sequence, and the next round of detection proceeds.
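The graph construction, the two rules and the two-layer checks described in the summary and the embodiment, run on the sequences the embodiment quotes, as an added Python example that is not code from the patent. The HMM stage that derives state sequences from system calls is out of scope, and the sequence fed to the first-layer check is constructed.

```python
"""Added worked example (not code from the patent): the STG steps of
CN102768638B run on the sequences quoted in its embodiment."""
from collections import Counter
from math import sqrt

MIN_EDGE_WEIGHT = 0.08       # rule 1: edges below this weight are deleted
MERGE_DISTANCE = 0.5         # rule 2: states with distance D below this are merged
MAX_WEIGHT_DEVIATION = 0.1   # second layer: graphs match when deviation is below this

def build_stg(states):
    """Definition 3: weight of an edge = its occurrences / total edge occurrences."""
    edges = Counter(zip(states, states[1:]))
    total = sum(edges.values())
    return {edge: n / total for edge, n in edges.items()}

def degrees(stg):
    """In-degree and out-degree of each vertex as weight sums (definitions 5 and 6)."""
    indeg, outdeg = Counter(), Counter()
    for (src, dst), w in stg.items():
        outdeg[src] += w
        indeg[dst] += w
    return indeg, outdeg

def prune(stg):
    """Rule 1: drop edges lighter than 0.08, then vertices whose in-degree and
    out-degree both stay below 0.08, together with any edge touching them."""
    kept = {e: w for e, w in stg.items() if w >= MIN_EDGE_WEIGHT}
    indeg, outdeg = degrees(kept)
    alive = {v for v in set(indeg) | set(outdeg)
             if indeg[v] >= MIN_EDGE_WEIGHT or outdeg[v] >= MIN_EDGE_WEIGHT}
    return {(s, d): w for (s, d), w in kept.items() if s in alive and d in alive}

def state_distance(calls_a, calls_b):
    """Definition 4: slide the shorter call sequence over the longer one; at each
    offset R_k = mismatches / short length; D = sqrt(sum R_k^2) / (l2 - l1 + 1)."""
    short, long_ = sorted((calls_a, calls_b), key=len)
    l1, l2 = len(short), len(long_)
    r = [sum(a != b for a, b in zip(short, long_[k:k + l1])) / l1
         for k in range(l2 - l1 + 1)]
    return sqrt(sum(x * x for x in r)) / (l2 - l1 + 1)

def merge_states(stg, a, b):
    """Rule 2: delete the edge between a and b, redirect b's other edges to a, and
    add up the weights of edges that become identical."""
    out = Counter()
    for (s, d), w in stg.items():
        if {s, d} == {a, b}:
            continue  # the edge joining the two merged states is dropped
        out[(a if s == b else s, a if d == b else d)] += w
    return dict(out)

def weight_deviation(lib_weights, new_weights):
    """Second layer: root of the summed squared per-path differences, over path count."""
    diffs = [(x - y) ** 2 for x, y in zip(lib_weights, new_weights)]
    return sqrt(sum(diffs)) / len(diffs)

def first_layer_check(library_stg, observed_stg):
    """First layer: any state or path absent from the library graph is untrusted.
    Returns (new_states, new_paths); both empty means the behaviour passed."""
    lib_states = {v for edge in library_stg for v in edge}
    new_states = sorted({v for edge in observed_stg for v in edge} - lib_states)
    new_paths = sorted(e for e in observed_stg if e not in library_stg)
    return new_states, new_paths

# Data quoted in the patent's embodiment: the state sequence of Fig. 2 and the
# system call sequences behind states 4 and 5.
STATE_SEQUENCE = [int(c) for c in "13434521343453134345134345134345134345134345"]
CALLS_STATE_4 = [int(c) for c in "12343423"]
CALLS_STATE_5 = [int(c) for c in "1234323"]

if __name__ == "__main__":
    stg = build_stg(STATE_SEQUENCE)             # 9 edges, weight(1->3) = 7/43
    pruned = prune(stg)                         # rule 1 removes the four 1/43 edges
    d = state_distance(CALLS_STATE_4, CALLS_STATE_5)   # 0.38 < 0.5, so merge 4 and 5
    library = merge_states(pruned, 4, 5) if d < MERGE_DISTANCE else pruned
    print(len(stg), "edges;", len(stg) - len(pruned), "pruned by rule 1; D =", round(d, 2))
    # A constructed sequence containing an unseen state 6 trips the first layer.
    print("first layer:", first_layer_check(library, build_stg([1, 3, 4, 6, 1])))
    dev = weight_deviation([0.3, 0.6, 0.1], [0.25, 0.65, 0.1])   # the patent's 0.024
    print("weight deviation =", round(dev, 3), "matches:", dev < MAX_WEIGHT_DEVIATION)
```

The merged vertex's in-degree reproduces the 0.32 the embodiment states; its out-degree comes out at 11/43 from the counted weights, so the embodiment's 0.28 is not asserted here.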
This patent selects currently popular RSS software and Douban FM for testing, and builds their state diagrams and local sensitive function diagrams; the test results show
Table 1

Claims (1)

1. A software behavior credibility detection method based on a state transition diagram, characterized by comprising the following steps:
First, sequence pattern extraction is carried out: the system call sequences produced when the software executes normally are intercepted and all sequence patterns are mined;
Then the state layer is derived: the learning problem of the hidden Markov model is first used to build one hidden Markov model for each sequence pattern, and the evaluation problem of the hidden Markov model is then used to decide the state;
Finally the state transition diagram is built from the state sequence; before the graph is built, the related concepts and definitions are given first;
Definition 1: the STG is a triple, STG={V, E, W};
V is the set of nodes in the graph, i.e. the set of known states,
E is the set of directed edges connecting the nodes in the graph,
W is the weights, each representing the ratio of the number of occurrences of a given edge to the total number of occurrences of all edges,
Definition 2 (state distance D): the distance between two different states, used to judge the degree of similarity of the two states;
What is compared is the system call sequence corresponding to each of the two states. Let the shorter sequence be l_min with length l_1 and the longer sequence be l_max with length l_2. First align the first element of l_min with the first element of l_max; a position holding identical values is recorded as 0 and a position holding different values as 1; the recorded values are added and divided by the short sequence length l_1, giving R_1; then l_min slides backward by one, that is, the first element of l_min is aligned with the second element of l_max, and the same operation is repeated to record R_2, and so on until the end of l_min is aligned with the end of l_max; then calculate $D = \frac{1}{l_2 - l_1 + 1}\sqrt{R_1^2 + R_2^2 + \dots + R_{l_2 - l_1 + 1}^2}$;
Definition 3 (in-degree): the sum of the weights of the edges in the STG that end at a given vertex is called the in-degree of that vertex;
Definition 4 (out-degree): the sum of the weights of the edges in the STG that originate at a given vertex is called the out-degree of that vertex;
The method of building the graph is similar to that used in graph theory, and must additionally satisfy the following two rules:
Rule 1: small-probability branch deletion rule
When building the graph, delete the edges whose weight is less than 0.08; if neither the out-degree nor the in-degree of a vertex reaches 0.08, that vertex is deleted as well;
Rule 2: equivalent state merging rule
If there is an edge between two states and their distance D is less than 0.5, they are merged; the merging process is as follows:
Vertex: the two vertices become one;
Edge: the edge between the two states is deleted directly; the edges between the two states and other states are retained;
Weight: since weights correspond to edges, if two identical edges remain after merging, their weights are added and only one such edge is retained;
In-degree: the sum of the in-degrees of the two states before merging, minus the weight of the edge between the two states;
Out-degree: the sum of the out-degrees of the two states before merging, minus the weight of the edge between the two states;
The state diagram is generated directly from the derived state sequence according to rules 1 and 2, and comprises the states and the paths between states,
The local sensitive function diagram is built separately; its construction method is the same as that of the state transition diagram, but weights must be recorded, so it comprises states, paths and weights;
The state sequence then enters the behavior detection module; the first layer is state and path detection based on the state diagram, and the second layer is detection based on the states, paths and weights of the local sensitive function diagram;
First-layer detection: a state diagram is built from the state sequence obtained by sequence pattern extraction, with the same construction method as for building the state transition diagram from the state sequence, and is compared with the state diagram in the library; if a state or path absent from the library diagram appears, the behavior is judged untrusted;
Second-layer detection: the second layer builds a graph from the first-layer data, with the same construction method as for building the state transition diagram from the state sequence, and matches the built graph against the local sensitive function diagram; if the states and paths are identical, the weight deviation, i.e. the difference in weight on each path, is computed, and if the weight deviation Δd is less than 0.1, this sensitive behavior is considered to have occurred; if the same sensitive behavior is determined to occur more than 5 times consecutively, the behavior is judged untrusted.

Publications (2)

Publication Number Publication Date
CN102768638A CN102768638A (en) 2012-11-07
CN102768638B true CN102768638B (en) 2015-04-29
