CN109543403A - System call behavior sequence dimension reduction method, system, device and storage medium - Google Patents


Publication number
CN109543403A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811454427.3A
Other languages
Chinese (zh)
Other versions
CN109543403B (en)
Inventor
罗禹铭
罗禹城
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wangyu Safety Technology (shenzhen) Co Ltd
Original Assignee
Wangyu Safety Technology (shenzhen) Co Ltd
Application filed by Wangyu Safety Technology (shenzhen) Co Ltd
Priority to CN201811454427.3A
Publication of CN109543403A
Application granted
Publication of CN109543403B
Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines

Abstract

The invention discloses a system call behavior sequence dimension reduction method, system, device and storage medium. The method includes: capturing in real time the current system call behavior pattern of a specific program, and obtaining the parameter corresponding to the system call behavior pattern in each unit of time; obtaining, within a preset time, a system call behavior sequence whose length is a preset size, and defining that system call behavior sequence as a unit sequence; training on the unit sequences with a system call behavior sequence autoencoder model, and performing dimension reduction on the trained unit sequences with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension. By automatically capturing sequence features that represent the normal system call behavior, the invention effectively reduces the dimension of the system call sequence, which not only improves the accuracy and computation speed of subsequent anomaly detection, but also allows it to be implemented effectively on an embedded system or chip for real-time processing.

Description

System call behavior sequence dimension reduction method, system, device and storage medium
Technical field
The present invention relates to the technical field of computer security, and in particular to a system call behavior sequence dimension reduction method, system, device and storage medium.
Background
At present, most anomalous system call intrusion detection products on the market defend only against network attacks that have already been clearly analyzed and understood, detecting them with manually defined rule bases. Attacks that have been deformed, or existing attacks that have been modified slightly, often become one of the weak points of anomalous system call intrusion detection, to say nothing of unknown attacks, against which this kind of detection has no power to resist.
Another kind of anomalous system call intrusion detection product, based on artificial intelligence, uses One Class SVM (anomaly detection) as the basis for automatically summarizing the behavior patterns of normal users or normal programs; any later activity that deviates significantly from normal behavior is regarded as an intrusion. The benefit of this design is that system security personnel do not need to update intrusion behavior patterns frequently, and unknown attacks can also be detected, so this kind of intrusion detection has been widely used in recent years.
However, with the arrival of the big data and artificial intelligence era, using One Class SVM to effectively summarize the behavior patterns of normal users or normal programs is becoming more and more difficult to implement on embedded systems or chips. The main reason is that the dimension of the system call sequence grows ever larger with the development of artificial intelligence and big data, while SVM is an O() algorithm, that is, its computation time complexity is quadratic in the dimension of the system call sequence; an excessive system call sequence dimension is extremely unfavorable for real-time processing on embedded systems or chips with low computing power.
Therefore, the existing technology needs to be improved and developed.
Summary of the invention
The technical problem to be solved by the present invention is, in view of the above drawbacks of the prior art, to provide a system call behavior sequence dimension reduction method, system, device and storage medium, which aim to automatically capture sequence features that represent the normal system call behavior so as to effectively reduce the dimension of the system call sequence, which not only improves the accuracy and computation speed of subsequent anomaly detection, but can also be implemented effectively on an embedded system or chip for real-time processing.
The technical solution adopted by the present invention to solve the technical problem is as follows:
A system call behavior sequence dimension reduction method, wherein the method includes:
capturing in real time the current system call behavior pattern of a specific program, and obtaining the parameter corresponding to the system call behavior pattern in each unit of time;
obtaining, within a preset time, a system call behavior sequence whose length is a preset size, and defining that system call behavior sequence as a unit sequence;
training on the unit sequences with a system call behavior sequence autoencoder model, and performing dimension reduction on the trained unit sequences with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension.
In the system call behavior sequence dimension reduction method, capturing in real time the current system call behavior pattern of a specific program and obtaining the parameter corresponding to the system call behavior pattern in each unit of time specifically includes:
predefining t=1 as the initial time of call behavior capture, with one call behavior intercepted per unit of time;
obtaining the parameter corresponding to the system call behavior pattern in the unit of time, and storing it;
repeating the capture of system call behavior patterns until t=N, where the value N is the sequence length needed to describe one normal system call behavior.
In the system call behavior sequence dimension reduction method, obtaining within a preset time a system call behavior sequence whose length is a preset size and defining that system call behavior sequence as a unit sequence specifically includes:
when t=N is met, obtaining a system call behavior sequence of length N;
defining the system call behavior sequence of length N as a unit sequence X:
In the system call behavior sequence dimension reduction method, training on the unit sequences with the system call behavior sequence autoencoder model and performing dimension reduction on the trained unit sequences with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension specifically includes:
initializing a system call behavior sequence autoencoder model in advance, the model being used for training and for self-encoding;
inputting multiple unit sequences of length N for training until the training accuracy reaches the standard threshold, and saving the parameters of the training stage;
entering the self-encoding stage, and performing dimension reduction on the trained unit sequences with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension.
A system call behavior sequence dimension reduction system, wherein the system includes:
a call behavior pattern sensing module, configured to capture in real time the current system call behavior pattern of a specific program;
a call behavior pattern value mapping module, configured to obtain and save the parameter corresponding to the system call behavior pattern in each unit of time, to obtain within a preset time a system call behavior sequence whose length is a preset size, and to define that system call behavior sequence as a unit sequence;
a call behavior sequence feature extraction module, configured to train on the unit sequences with the system call behavior sequence autoencoder model and to perform dimension reduction on the trained unit sequences with the encoder, obtaining a system call behavior feature dimension-reduced sequence of a preset dimension.
In the system call behavior sequence dimension reduction system, the call behavior pattern value mapping module specifically includes:
an acquisition and storage unit, configured to obtain the parameter corresponding to the system call behavior pattern in the unit of time, and to store it;
a repeated capture unit, configured to repeat the capture of system call behavior patterns until t=N, where the value N is the sequence length needed to describe one normal system call behavior;
a result acquisition unit, configured to obtain a system call behavior sequence of length N when t=N is met;
a result definition unit, configured to define the system call behavior sequence of length N as a unit sequence X:
In the system call behavior sequence dimension reduction system, the call behavior sequence feature extraction module specifically includes:
a model generation unit, configured to initialize a system call behavior sequence autoencoder model in advance, the model being used for training and for self-encoding;
a training unit, configured to input multiple unit sequences of length N for training until the training accuracy reaches the standard threshold, and to save the parameters of the training stage;
a self-encoding unit, configured to enter the self-encoding stage and perform dimension reduction on the trained unit sequences with the encoder, obtaining a system call behavior feature dimension-reduced sequence of a preset dimension.
In the system call behavior sequence dimension reduction system, the system call behavior sequence autoencoder model includes an encoder and a decoder; the training stage is completed by the encoder and the decoder together, and the self-encoding process is completed using the encoder.
A system call behavior sequence dimension reduction device, including the system call behavior sequence dimension reduction system described above, and further including: a memory, a processor, and a system call behavior sequence dimension reduction program stored on the memory and runnable on the processor, wherein the program, when executed by the processor, implements the steps of the system call behavior sequence dimension reduction method described above.
A storage medium, wherein the storage medium stores a system call behavior sequence dimension reduction program which, when executed by a processor, implements the steps of the system call behavior sequence dimension reduction method described above.
The invention discloses a system call behavior sequence dimension reduction method, system, device and storage medium. The method includes: capturing in real time the current system call behavior pattern of a specific program, and obtaining the parameter corresponding to the system call behavior pattern in each unit of time; obtaining, within a preset time, a system call behavior sequence whose length is a preset size, and defining that system call behavior sequence as a unit sequence; training on the unit sequences with a system call behavior sequence autoencoder model, and performing dimension reduction on the trained unit sequences with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension. By automatically capturing sequence features that represent the normal system call behavior, the invention effectively reduces the dimension of the system call sequence, which not only improves the accuracy and computation speed of subsequent anomaly detection, but also allows it to be implemented effectively on an embedded system or chip for real-time processing.
Brief description of the drawings
Fig. 1 is a flowchart of a preferred embodiment of the system call behavior sequence dimension reduction method of the present invention;
Fig. 2 is a flowchart of step S10 in the preferred embodiment of the system call behavior sequence dimension reduction method of the present invention;
Fig. 3 is a flowchart of step S20 in the preferred embodiment of the system call behavior sequence dimension reduction method of the present invention;
Fig. 4 is a flowchart of step S30 in the preferred embodiment of the system call behavior sequence dimension reduction method of the present invention;
Fig. 5 is a schematic diagram of a preferred embodiment of the system call behavior sequence dimension reduction system of the present invention;
Fig. 6 is a schematic diagram of the system call behavior sequence autoencoder model in the preferred embodiment of the system call behavior sequence dimension reduction system of the present invention;
Fig. 7 is an architecture diagram of the system call behavior sequence encoder in the preferred embodiment of the system call behavior sequence dimension reduction system of the present invention;
Fig. 8 is a schematic diagram of the operating environment of a preferred embodiment of the system call behavior sequence dimension reduction device of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer and more explicit, the present invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
The system call behavior sequence dimension reduction method of the preferred embodiment of the present invention, as shown in Fig. 1, includes the following steps:
Step S10, capturing in real time the current system call behavior pattern of a specific program, and obtaining the parameter corresponding to the system call behavior pattern in each unit of time.
For the detailed process, refer to Fig. 2, which is a flowchart of step S10 in the system call behavior sequence dimension reduction method provided by the present invention.
As shown in Fig. 2, step S10 includes:
S11, predefining t=1 as the initial time of call behavior capture, with one call behavior intercepted per unit of time;
S12, obtaining the parameter corresponding to the system call behavior pattern in the unit of time, and storing it;
S13, repeating the capture of system call behavior patterns until t=N, where the value N is the sequence length needed to describe one normal system call behavior.
Specifically, system call behavior patterns are mainly reflected in the following aspect: the main function of an operating system is to manage hardware resources and to provide a good environment for application developers so that applications have better compatibility. To this end, the kernel provides a series of kernel functions with predetermined functionality and presents them to the user through a set of interfaces called system calls (system call). A system call passes the application's request to the kernel, invokes the corresponding kernel function to complete the required processing, and returns the result to the application.
Further, several system call behavior patterns in the Linux operating system are listed below as examples (the Windows operating system is similar):
fork: create a new process;
clone: create a child process according to specified conditions;
execve: run an executable file;
exit: terminate a process;
fcntl: file control;
open: open a file;
creat: create a new file;
close: close a file descriptor;
read: read a file;
write: write a file; ...
The call behavior pattern value mapping module can map different system call behavior patterns to positive integers (freely definable), for example:
fork 1;
clone 2;
execve 3…
First, the behavior pattern of the current system calls of a specific program is captured in real time. t=1 is defined as the initial time of call behavior capture, and each unit-time capture intercepts one call behavior. The parameter corresponding to the system call behavior pattern in that unit of time is then obtained and saved. The above process is repeated until t=N, where the value N is the sequence length needed to describe one normal system call behavior; the size of this value can be defined according to the particular system call behavior.
Step S20, obtaining, within a preset time, a system call behavior sequence whose length is a preset size, and defining that system call behavior sequence as a unit sequence.
For the detailed process, refer to Fig. 3, which is a flowchart of step S20 in the system call behavior sequence dimension reduction method provided by the present invention.
As shown in Fig. 3, step S20 includes:
S21, when t=N is met, obtaining a system call behavior sequence of length N;
S22, defining the system call behavior sequence of length N as a unit sequence X:
Specifically, the above parameter refers to the number corresponding to a particular system call behavior pattern, which can be freely defined, for example: open corresponds to number 1, read corresponds to number 2, mmap corresponds to number 3.
When t=N is met, the present invention obtains a system call behavior sequence of length N, and this sequence can be defined as a unit sequence X:
Step S30, training on the unit sequences with a system call behavior sequence autoencoder model, and performing dimension reduction on the trained unit sequences with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension.
For the detailed process, refer to Fig. 4, which is a flowchart of step S30 in the system call behavior sequence dimension reduction method provided by the present invention.
As shown in Fig. 4, step S30 includes:
S31, initializing a system call behavior sequence autoencoder model in advance, the model being used for training and for self-encoding;
S32, inputting multiple unit sequences of length N for training until the training accuracy reaches the standard threshold, and saving the parameters of the training stage;
S33, entering the self-encoding stage, and performing dimension reduction on the trained unit sequences with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension.
Specifically, in the training stage, a system call behavior sequence autoencoder model is first initialized; this model can be a neural-network-based autoencoder model. The training process takes multiple unit sequences of length N as input for training until the training accuracy reaches the standard threshold, at which point the parameters of this stage are saved and the self-encoding stage is entered.
In the self-encoding stage, the decoder (Decoder) architecture is removed and only the encoder (Encoder) architecture of the neural model is retained.
Self-encoding can achieve the following effects:
1. Abstract features in normal system call sequences can be found effectively:
These are features that are difficult or even impossible to find by manual observation (the system call sequences of different software are high-dimensional and of uneven dimension).
2. Classification algorithms can be implemented effectively on embedded real-time systems:
The present invention mainly uses dimension reduction to let the subsequent SVM or other classification algorithm run with minimal time complexity (because the dimension is reduced), so that the classification algorithm can be implemented effectively on embedded real-time systems where computing resources are relatively scarce.
3. The detection accuracy for malware can be improved effectively:
The method of the invention can effectively find highly abstract features in normal system call sequences and can reduce the dimension as low as possible, and research has shown that this can effectively improve, to a considerable degree, the detection accuracy of SVM or other classification algorithms.
The object of the invention is to automatically capture representative sequence features (here, a representative sequence feature means a sequence feature that can represent the normal system call behavior) and effectively reduce the dimension of the system call sequence, which not only improves the accuracy and computation speed of the subsequent One Class SVM, but can also be implemented effectively on an embedded system or chip for real-time processing. For example, if the system call sequence of one piece of software is "{fork, clone, execve}", its sequence dimension is 3; if the system call sequence of another piece of software is "{clone, execve}", its sequence dimension is 2. In general, however, the dimension of the system call sequences of modern software is in the hundreds or even thousands, and the system call dimensions of different software differ from one another, which is why distinguishing or extracting the sequence features of normal behavior by manual observation is currently so difficult.
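Steps S10 to S30 as an added Python example, not code from the patent: call names from a constructed trace are numbered, cut into unit sequences of length N, and used to train an autoencoder whose decoder is then dropped. N=8, the reduced dimension 3, the window stride, the linear layers, and the loss threshold standing in for the accuracy threshold are all assumptions made for this example.

```python
import random

# Constructed sample trace: the call pattern the page gives for the detector
# (open, read, mmap, mmap, open, getrlimit, mmap, close), repeated.
TRACE = ["open", "read", "mmap", "mmap", "open", "getrlimit", "mmap", "close"] * 6


def build_table(trace):
    """Number each distinct call with a positive integer, in order of first use."""
    table = {}
    for name in trace:
        table.setdefault(name, len(table) + 1)
    return table


def unit_sequences(trace, table, n, stride):
    """Steps S10/S20: number the calls, then cut unit sequences X of length n.

    The stride between windows is an assumption; the page only fixes N.
    """
    nums = [table[name] for name in trace]
    return [nums[i:i + n] for i in range(0, len(nums) - n + 1, stride)]


def scale(seq, table):
    """Scale call numbers into (0, 1] so the gradient steps stay small."""
    return [v / len(table) for v in seq]


class AutoEncoder:
    """Linear encoder (n -> k) and decoder (k -> n) trained on squared error."""

    def __init__(self, n, k, seed=0):
        rng = random.Random(seed)
        self.n, self.k = n, k
        self.enc = [[rng.uniform(-0.1, 0.1) for _ in range(n)] for _ in range(k)]
        self.dec = [[rng.uniform(-0.1, 0.1) for _ in range(k)] for _ in range(n)]

    def encode(self, x):
        return [sum(w * v for w, v in zip(row, x)) for row in self.enc]

    def decode(self, h):
        if self.dec is None:
            raise RuntimeError("decoder was dropped after training")
        return [sum(w * v for w, v in zip(row, h)) for row in self.dec]

    def loss(self, data):
        """Mean squared reconstruction error per unit sequence."""
        total = 0.0
        for x in data:
            recon = self.decode(self.encode(x))
            total += sum((r - v) ** 2 for r, v in zip(recon, x))
        return total / len(data)

    def train(self, data, lr=0.01, threshold=0.05, max_epochs=500):
        """Steps S31/S32: gradient descent until the loss threshold or epoch cap."""
        for _ in range(max_epochs):
            for x in data:
                h = self.encode(x)
                err = [r - v for r, v in zip(self.decode(h), x)]
                # Back-propagate the error to the hidden layer before updating.
                grad_h = [sum(self.dec[i][j] * err[i] for i in range(self.n))
                          for j in range(self.k)]
                for i in range(self.n):
                    for j in range(self.k):
                        self.dec[i][j] -= lr * err[i] * h[j]
                for j in range(self.k):
                    for i in range(self.n):
                        self.enc[j][i] -= lr * grad_h[j] * x[i]
            if self.loss(data) < threshold:
                break
        return self.loss(data)

    def drop_decoder(self):
        """Step S33: keep only the encoder for the self-encoding stage."""
        self.dec = None


def demo(n=8, k=3):
    """Run S10-S30 on the constructed trace; returns (loss before, after, feature)."""
    table = build_table(TRACE)
    data = [scale(x, table) for x in unit_sequences(TRACE, table, n, stride=3)]
    model = AutoEncoder(n, k)
    before = model.loss(data)
    after = model.train(data)
    model.drop_decoder()
    return before, after, model.encode(data[0])


if __name__ == "__main__":
    before, after, feature = demo()
    print(f"reconstruction loss {before:.3f} -> {after:.3f}")
    print("reduced feature:", [round(v, 3) for v in feature])
```

The reduced feature vector returned by `encode` is what a downstream classifier such as the One Class SVM named above would consume in place of the length-N sequence.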
Further, as shown in Fig. 5, based on the above system call behavior sequence dimension reduction method, the present invention correspondingly provides a system call behavior sequence dimension reduction system, which includes:
a call behavior pattern sensing module 101, configured to capture in real time the current system call behavior pattern of a specific program;
a call behavior pattern value mapping module 102, configured to obtain and save the parameter corresponding to the system call behavior pattern in each unit of time, to obtain within a preset time a system call behavior sequence whose length is a preset size, and to define that system call behavior sequence as a unit sequence;
a call behavior sequence feature extraction module 103, configured to train on the unit sequences with the system call behavior sequence autoencoder model and to perform dimension reduction on the trained unit sequences with the encoder, obtaining a system call behavior feature dimension-reduced sequence of a preset dimension.
Further, the call behavior pattern value mapping module 102 specifically includes:
an acquisition and storage unit, configured to obtain the parameter corresponding to the system call behavior pattern in the unit of time, and to store it;
a repeated capture unit, configured to repeat the capture of system call behavior patterns until t=N, where the value N is the sequence length needed to describe one normal system call behavior;
a result acquisition unit, configured to obtain a system call behavior sequence of length N when t=N is met;
a result definition unit, configured to define the system call behavior sequence of length N as a unit sequence X:
Further, the call behavior sequence feature extraction module 103 specifically includes:
a model generation unit, configured to initialize a system call behavior sequence autoencoder model in advance, the model being used for training and for self-encoding;
a training unit, configured to input multiple unit sequences of length N for training until the training accuracy reaches the standard threshold, and to save the parameters of the training stage;
a self-encoding unit, configured to enter the self-encoding stage and perform dimension reduction on the trained unit sequences with the encoder, obtaining a system call behavior feature dimension-reduced sequence of a preset dimension.
Further, the system call behavior sequence autoencoder model includes an encoder and a decoder; the training stage is completed by the encoder and the decoder together, and the self-encoding process is completed using the encoder.
Specifically, first, for a specific program, the behavior pattern of its current system calls is captured in real time by the call behavior pattern sensing module 101 (this embodiment defines t=1 as the initial time of call behavior capture, and each unit-time capture intercepts one call behavior).
The call behavior pattern value mapping module 102 is then used to obtain the parameter corresponding to the system call behavior pattern in that unit of time, which is temporarily stored in the call behavior pattern value mapping module 102. The above process is repeated until t=N, where the value N is the sequence length needed to describe one normal system call behavior; the size of this value can be defined according to the particular system call behavior.
When t=N is met, the system obtains a system call behavior sequence of length N, and this sequence can be defined as a unit sequence X: . At this point the call behavior pattern value mapping module 102 passes this sequence to the call behavior sequence feature extraction module 103. The function of the call behavior sequence feature extraction module 103 can be divided into two stages: the training stage and the self-encoding stage.
In the training stage, the call behavior sequence feature extraction module 103 first initializes a system call behavior sequence autoencoder model (see Fig. 6); this model can be a neural-network-based autoencoder model. The training process takes multiple unit sequences of length N as input for training until the training accuracy reaches the standard threshold, at which point the parameters of this stage are saved and the self-encoding stage is entered.
In the self-encoding stage, the call behavior sequence feature extraction module 103 removes the decoder (Decoder) architecture and retains only the encoder (Encoder) architecture of the neural model.
Further, the call behavior pattern sensing module 101 of the present invention can be (but is not limited to) a system call pattern detector located on the operating system side that can detect the system call patterns used when a process executes. The system call pattern detector can obtain at any time the pattern sequence of system calls made as a program executes, for example: open, read, mmap, mmap, open, getrlimit, mmap, close (repeatable, because in practice most software repeats certain system call behaviors). That is, the system call pattern detector detects, when a given program executes, the pattern sequence of system calls that the program makes during a given period.
The call behavior pattern value mapping module 102 of the present invention can be (but is not limited to) a number table that maps the system call patterns detected by the system call pattern detector one-to-one onto the positive integer domain, for example: open corresponds to number 1, read corresponds to number 2, mmap corresponds to number 3, and so on. The correspondence in this number table can be freely defined.
The call behavior sequence feature extraction module 103 of the present invention can be (but is not limited to) a mapping function that takes the system call behavior pattern value sequence produced by the call behavior pattern value mapping module 102 (for example, if the system call behavior of a piece of software is {read, mmap, open}, with open corresponding to number 1, read to number 2 and mmap to number 3, then the behavior pattern value sequence is {2,3,1}) and performs a dimension transformation on it, where N is the positive integer domain, and , and the parameter setting of this mapping function comes from the system call behavior sequence autoencoder model.
The system call behavior sequence autoencoder model of the present invention can be (but is not limited to) a neural-network-based autoencoder model, one form of which is shown in Fig. 6. It is mainly divided into an encoder (Encoder) and a decoder (Decoder). The present invention uses both the encoder (Encoder) and the decoder (Decoder) in the training stage, and uses only the encoder (Encoder) during self-encoding.
Fig. 6 is a schematic diagram of a system call behavior sequence autoencoder model. Through the encoder (Encoder), this model can reduce the original 784-dimensional input information to 150 dimensions, and through the decoder (Decoder) it can restore the dimension-reduced information to 784 dimensions.
Fig. 7 is an architecture diagram of a system call behavior sequence encoder. The diagram shows a 784-dimensional system call behavior sequence being self-encoded by this system into a 150-dimensional system call behavior feature dimension-reduced sequence.
In addition, as shown in Fig. 8, based on the above system call behavior sequence dimension reduction method and system, the invention correspondingly provides a system call behavior sequence dimension reduction device. The device includes the system call behavior sequence dimension reduction system described above, and further includes a processor 10, a memory 20 and a display 30. Fig. 8 shows only some of the components of the system call behavior sequence dimension reduction device; it should be understood that not all of the components shown are required, and more or fewer components may be implemented instead.
In some embodiments the memory 20 may be an internal storage unit of the system call behavior sequence dimension reduction device, such as a hard disk or internal memory of the device. In other embodiments the memory 20 may be an external storage device of the system call behavior sequence dimension reduction device, such as a plug-in hard disk, a smart media card (Smart Media Card, SMC), a secure digital (Secure Digital, SD) card or a flash card (Flash Card) fitted to the device. Further, the memory 20 may include both an internal storage unit and an external storage device of the system call behavior sequence dimension reduction device. The memory 20 is used to store the application software installed on the system call behavior sequence dimension reduction device and various kinds of data, such as the program code installed on the device. The memory 20 may also be used to temporarily store data that has been output or is about to be output. In one embodiment, a system call behavior sequence dimension reduction program 40 is stored on the memory 20, and the program 40 can be executed by the processor 10 to implement the system call behavior sequence dimension reduction method of the present application.
In some embodiments the processor 10 may be a central processing unit (Central Processing Unit, CPU), a microprocessor or another data processing chip, used to run the program code stored in the memory 20 or to process data, for example to execute the system call behavior sequence dimension reduction method.
In some embodiments the display 30 may be an LED display, a liquid crystal display, a touch liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display 30 is used to display information in the system call behavior sequence dimension reduction device and to display a visual user interface. The components 10-30 of the system call behavior sequence dimension reduction device communicate with each other over a system bus.
In one embodiment, the following steps are performed when the processor 10 executes the system call behavior sequence dimension reduction program 40 in the memory 20:
Capturing in real time the current system call behavior patterns of a specific program, and obtaining the parameter corresponding to the system call behavior pattern of each unit time;
Obtaining, within a preset time, a system call behavior sequence whose length is a preset size, and defining that system call behavior sequence as a unit sequence;
Training on the unit sequence with the system call behavior sequence self-encoding model, and performing dimension reduction on the trained unit sequence with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension.
Capturing in real time the current system call behavior patterns of a specific program and obtaining the parameter corresponding to the system call behavior pattern of each unit time specifically includes:
Predefining t=1 as the initial time of call behavior capture, and intercepting one call behavior per unit time;
Obtaining the parameter corresponding to the system call behavior pattern of the unit time, and storing it;
Repeating the acquisition of system call behavior patterns until t=N, where the value N is the sequence length needed to describe one normal system call behavior.
Obtaining, within a preset time, a system call behavior sequence whose length is a preset size and defining that system call behavior sequence as a unit sequence specifically includes:
When t=N is satisfied, obtaining a system call behavior sequence of length N;
Defining the system call behavior sequence of length N as a unit sequence X:
Training on the unit sequence with the system call behavior sequence self-encoding model and performing dimension reduction on the trained unit sequence with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension specifically includes:
Initializing a system call behavior sequence self-encoding model in advance, and performing training and self-encoding with the system call behavior sequence self-encoding model;
Inputting multiple unit sequences of length N for training until the training accuracy reaches a standard threshold, and saving the parameters of the training stage;
Entering the self-encoding stage, and performing dimension reduction on the trained unit sequence with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension.
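The steps above (number table, unit sequences of length N, training with encoder and decoder, then encoder-only dimension reduction), as an added Python sketch that is not code from the patent. It assumes a linear autoencoder in pure Python, N=8 and a 3-dimensional output in place of the 784 and 150 dimensions of Fig. 6, inputs scaled to [0, 1], a reconstruction-error threshold as the training criterion, assumed numbers for getrlimit and close, and a constructed call trace.

```python
import random

# Number table (module 102). open/read/mmap follow the page's example;
# the numbers for getrlimit and close are assumed for this illustration.
CALL_TABLE = {"open": 1, "read": 2, "mmap": 3, "getrlimit": 4, "close": 5}
SCALE = float(max(CALL_TABLE.values()))  # assumed input normalisation

def to_numbers(trace):
    """Map each observed call name to its number in the table."""
    return [CALL_TABLE[name] for name in trace]

def unit_sequences(trace, n):
    """Cut the scaled numeric trace into unit sequences X of length n."""
    nums = [v / SCALE for v in to_numbers(trace)]
    return [nums[i:i + n] for i in range(0, len(nums) - n + 1, n)]

class AutoEncoder:
    """Linear autoencoder: encoder maps n -> k, decoder maps k -> n."""

    def __init__(self, n, k, seed=0):
        rng = random.Random(seed)
        self.enc = [[rng.uniform(-0.5, 0.5) for _ in range(n)] for _ in range(k)]
        self.dec = [[rng.uniform(-0.5, 0.5) for _ in range(k)] for _ in range(n)]

    def encode(self, x):
        return [sum(w * v for w, v in zip(row, x)) for row in self.enc]

    def decode(self, z):
        return [sum(w * v for w, v in zip(row, z)) for row in self.dec]

    def loss(self, data):
        """Mean squared reconstruction error over all unit sequences."""
        total = 0.0
        for x in data:
            y = self.decode(self.encode(x))
            total += sum((a - b) ** 2 for a, b in zip(y, x))
        return total / len(data)

    def train(self, data, threshold, lr=0.05, max_epochs=1500):
        """Gradient descent until the loss threshold is met; returns epochs used."""
        for epoch in range(1, max_epochs + 1):
            for x in data:
                z = self.encode(x)
                err = [a - b for a, b in zip(self.decode(z), x)]
                # Back-propagate through the decoder before updating it.
                grad_z = [sum(err[i] * self.dec[i][j] for i in range(len(x)))
                          for j in range(len(z))]
                for i, e in enumerate(err):
                    for j, zj in enumerate(z):
                        self.dec[i][j] -= lr * 2 * e * zj
                for j, g in enumerate(grad_z):
                    for m, xm in enumerate(x):
                        self.enc[j][m] -= lr * 2 * g * xm
            if self.loss(data) <= threshold:
                return epoch
        return max_epochs

# Constructed trace: the page's example pattern plus two assumed variants.
BASE = ["open", "read", "mmap", "mmap", "open", "getrlimit", "mmap", "close"]
VAR_A = ["open", "read", "read", "mmap", "open", "mmap", "read", "close"]
VAR_B = ["open", "mmap", "mmap", "read", "read", "getrlimit", "close", "close"]
TRACE = (BASE + VAR_A + BASE + VAR_B) * 2

def demo(n=8, k=3):
    data = unit_sequences(TRACE, n)
    model = AutoEncoder(n, k)
    before = model.loss(data)
    epochs = model.train(data, threshold=1e-3)
    after = model.loss(data)
    reduced = [model.encode(x) for x in data]  # training done: encoder only
    return data, reduced, before, after, epochs

if __name__ == "__main__":
    data, reduced, before, after, epochs = demo()
    print(f"{len(data)} unit sequences, {len(data[0])} -> {len(reduced[0])} dims")
    print(f"loss {before:.4f} -> {after:.4f} after {epochs} epochs")
```

The decoder is needed only to drive the reconstruction error down during training; once the parameters are saved, a detector stores and compares the 3-value encoder output per unit sequence.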
The invention also provides a storage medium, wherein the storage medium stores a system call behavior sequence dimension reduction program which, when executed by a processor, implements the steps of the system call behavior sequence dimension reduction method, as detailed above.
In conclusion, the invention provides a system call behavior sequence dimension reduction method, system, device and storage medium. The method includes: capturing in real time the current system call behavior patterns of a specific program, and obtaining the parameter corresponding to the system call behavior pattern of each unit time; obtaining, within a preset time, a system call behavior sequence whose length is a preset size, and defining that system call behavior sequence as a unit sequence; training on the unit sequence with the system call behavior sequence self-encoding model, and performing dimension reduction on the trained unit sequence with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension. By automatically extracting sequence features that can represent the normal system call behavior, the invention effectively reduces the dimension of the system call sequence, which not only improves the accuracy and computation rate of subsequent anomaly detection but also allows the method to be applied in practice to embedded systems or chips for real-time processing.
Of course, those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing related hardware (such as a processor or controller). The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The storage medium may be a memory, a magnetic disk, an optical disc, or the like.
It should be understood that the application of the invention is not limited to the above examples. Those of ordinary skill in the art can make improvements or changes based on the above description, and all such improvements and changes shall fall within the scope of protection of the appended claims of the invention.

Claims (10)

1. A system call behavior sequence dimension reduction method, characterized in that the system call behavior sequence dimension reduction method comprises:
capturing in real time the current system call behavior patterns of a specific program, and obtaining the parameter corresponding to the system call behavior pattern of each unit time;
obtaining, within a preset time, a system call behavior sequence whose length is a preset size, and defining that system call behavior sequence as a unit sequence;
training on the unit sequence with a system call behavior sequence self-encoding model, and performing dimension reduction on the trained unit sequence with an encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension.
2. The system call behavior sequence dimension reduction method according to claim 1, characterized in that capturing in real time the current system call behavior patterns of a specific program and obtaining the parameter corresponding to the system call behavior pattern of each unit time specifically comprises:
predefining t=1 as the initial time of call behavior capture, and intercepting one call behavior per unit time;
obtaining the parameter corresponding to the system call behavior pattern of the unit time, and storing it;
repeating the acquisition of system call behavior patterns until t=N, where the value N is the sequence length needed to describe one normal system call behavior.
3. The system call behavior sequence dimension reduction method according to claim 2, characterized in that obtaining, within a preset time, a system call behavior sequence whose length is a preset size and defining that system call behavior sequence as a unit sequence specifically comprises:
when t=N is satisfied, obtaining a system call behavior sequence of length N;
defining the system call behavior sequence of length N as a unit sequence X:
4. The system call behavior sequence dimension reduction method according to claim 3, characterized in that training on the unit sequence with the system call behavior sequence self-encoding model and performing dimension reduction on the trained unit sequence with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension specifically comprises:
initializing a system call behavior sequence self-encoding model in advance, and performing training and self-encoding with the system call behavior sequence self-encoding model;
inputting multiple unit sequences of length N for training until the training accuracy reaches a standard threshold, and saving the parameters of the training stage;
entering the self-encoding stage, and performing dimension reduction on the trained unit sequence with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension.
5. A system call behavior sequence dimension reduction system, characterized in that the system call behavior sequence dimension reduction system comprises:
a calling behavior pattern sensing module, configured to capture in real time the current system call behavior patterns of a specific program;
a calling behavior pattern numerical value corresponding module, configured to obtain and save the parameter corresponding to the system call behavior pattern of each unit time, and to obtain, within a preset time, a system call behavior sequence whose length is a preset size and define that system call behavior sequence as a unit sequence;
a calling behavior sequence feature extraction module, configured to train on the unit sequence with a system call behavior sequence self-encoding model, and to perform dimension reduction on the trained unit sequence with an encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension.
6. The system call behavior sequence dimension reduction system according to claim 5, characterized in that the calling behavior pattern numerical value corresponding module specifically comprises:
an obtaining and storing unit, configured to obtain the parameter corresponding to the system call behavior pattern of the unit time, and to store it;
a repeated acquisition unit, configured to repeat the acquisition of system call behavior patterns until t=N, where the value N is the sequence length needed to describe one normal system call behavior;
a result obtaining unit, configured to obtain a system call behavior sequence of length N when t=N is satisfied;
a result defining unit, configured to define the system call behavior sequence of length N as a unit sequence X:
7. The system call behavior sequence dimension reduction system according to claim 5, characterized in that the calling behavior sequence feature extraction module specifically comprises:
a model generation unit, configured to initialize a system call behavior sequence self-encoding model in advance, and to perform training and self-encoding with the system call behavior sequence self-encoding model;
a training unit, configured to input multiple unit sequences of length N for training until the training accuracy reaches a standard threshold, and to save the parameters of the training stage;
a self-encoding unit, configured to enter the self-encoding stage and perform dimension reduction on the trained unit sequence with the encoder to obtain a system call behavior feature dimension-reduced sequence of a preset dimension.
8. The system call behavior sequence dimension reduction system according to claim 7, characterized in that the system call behavior sequence self-encoding model comprises an encoder and a decoder; the training stage is completed by the encoder and the decoder, and the self-encoding process is completed using the encoder.
9. A system call behavior sequence dimension reduction device, characterized by comprising the system call behavior sequence dimension reduction system according to any one of claims 5-8, and further comprising: a memory, a processor, and a system call behavior sequence dimension reduction program stored on the memory and runnable on the processor, wherein the system call behavior sequence dimension reduction program, when executed by the processor, implements the steps of the system call behavior sequence dimension reduction method according to any one of claims 1-4.
10. A storage medium, characterized in that the storage medium stores a system call behavior sequence dimension reduction program, and the system call behavior sequence dimension reduction program, when executed by a processor, implements the steps of the system call behavior sequence dimension reduction method according to any one of claims 1-4.
CN201811454427.3A 2018-11-30 2018-11-30 System call behavior sequence dimension reduction method, system, device and storage medium Active CN109543403B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811454427.3A CN109543403B (en) 2018-11-30 2018-11-30 System call behavior sequence dimension reduction method, system, device and storage medium

Publications (2)

Publication Number Publication Date
CN109543403A true CN109543403A (en) 2019-03-29
CN109543403B CN109543403B (en) 2020-09-29

Family

ID=65851381

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811454427.3A Active CN109543403B (en) 2018-11-30 2018-11-30 System call behavior sequence dimension reduction method, system, device and storage medium

Country Status (1)

Country Link
CN (1) CN109543403B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104268594A (en) * 2014-09-24 2015-01-07 中安消技术有限公司 Method and device for detecting video abnormal events
CN107798243A (en) * 2017-11-25 2018-03-13 国网河南省电力公司电力科学研究院 The detection method and device of terminal applies
CN108647730A (en) * 2018-05-14 2018-10-12 中国科学院计算技术研究所 A kind of data partition method and system based on historical behavior co-occurrence

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110175456A (en) * 2019-06-04 2019-08-27 网御安全技术(深圳)有限公司 Software action sampling method, relevant device and software systems
CN110990837A (en) * 2020-02-29 2020-04-10 网御安全技术(深圳)有限公司 System call behavior sequence dimension reduction method, system, equipment and storage medium
CN110990837B (en) * 2020-02-29 2023-03-24 网御安全技术(深圳)有限公司 System call behavior sequence dimension reduction method, system, equipment and storage medium

Also Published As

Publication number Publication date
CN109543403B (en) 2020-09-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant