CN1333553C - Program grade invasion detecting system and method based on sequency mode evacuation - Google Patents
Info

Publication number: CN1333553C
Authority: CN (China)
Prior art keywords: sequence, system call, overbar, seq, training
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN 200510056935
Other languages: Chinese (zh)
Other versions: CN1649312A (en)
Inventors: 田新广, 隋进国, 李学春, 王辉柏, 邹涛
Current assignee: Beijing Capitek Co, Ltd. (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: BEIJING SHOUXIN SCIENCE AND TECHNOLOGY Co Ltd (applicant)
Priority: CN 200510056935 (the priority date is an assumption and is not a legal conclusion)
Publication history: published as CN1649312A; application granted; published as CN1333553C
Legal status: Active; anticipated expiration

Abstract

The present invention relates to a program-level intrusion detection system and method based on sequential pattern mining. The system consists of a control module, a data acquisition and preprocessing module, a training module, a storage module, a detection module and a detection result output module, and is installed on the server that needs to be monitored. The system uses an anomaly detection technique based on data mining: it detects the various attack activities in a network by monitoring the running of a privileged program on a network server, using the system calls generated while the privileged program runs as audit data. The normal behaviour of the privileged program is represented by sequential patterns in the sense of data mining. Normal sequential patterns are mined from training data according to the support or confidence of each sequence, and a corresponding library of normal sequential patterns is built. During detection, attack behaviour is recognised by comparing and matching the current sequential patterns against the normal sequential patterns, so as to draw the attention of the network security administrator and prompt corresponding measures to ensure security.

Description

Program-level intrusion detection method based on sequential pattern mining
Technical field
The present invention relates to a program-level intrusion detection method for computer network security, based on sequential pattern mining, and belongs to the field of network information security technology.
Background technology
With the rapid spread of computer networks and the continual emergence of new network services, network security problems have gradually penetrated every area of social life, including politics, military affairs, finance, economics, industry, culture and education, and are becoming ever more serious. In recent years the number of network security incidents has kept rising, and in the last year in particular it has increased sharply. Because every part of a computer network system may contain vulnerabilities in its design, operation and use, and because there is at present no economically viable way to eliminate these hazards completely, effective intrusion detection technology has become an indispensable means of guaranteeing network security. An intrusion detection system (IDS) is a new generation of network security product following conventional protective measures such as firewalls and data encryption; by monitoring the state of a computer network system and the behaviour and usage of the system, it detects the various intrusions and attacks that occur in the system. As domestic network use expands further across government, the military, enterprises and institutions, there will be great demand for IDS; developing a high-performance IDS with independent intellectual property rights is therefore an urgent current need.
Compared with mature network security technologies such as firewalls, data encryption and authentication, current intrusion detection technology still has considerable shortcomings, chiefly low detection accuracy, slow detection speed and weak self-learning capability.
Current intrusion detection techniques fall into three classes: misuse detection, anomaly detection and hybrid detection. Misuse detection expresses known attacks as patterns or signatures, stores the attack patterns (signatures) in a knowledge base, and decides whether an intrusion exists by matching the actual behaviour pattern of the monitored system or user against the attack patterns (in the present invention "intrusion" and "attack" are used as synonyms). The key problems of misuse detection are how to describe and represent attacks, and how to improve the speed and efficiency of data acquisition and pattern matching. Most commercial IDS products currently adopt misuse detection; it is highly capable of detecting known attacks, but the knowledge base must be updated constantly and it has difficulty detecting unknown or newly emerging attack patterns. Anomaly detection analyses and represents the normal behaviour (profile) of a system or user and builds a knowledge base of normal behaviour; if during detection the actual behaviour of the monitored system or user departs substantially from its profile, an intrusion is assumed to exist. The advantage of anomaly detection is that it does not require much knowledge of system defects, adapts well and can detect unknown or emerging attack patterns; its main drawback is a higher false-alarm rate. Hybrid detection combines misuse and anomaly detection; it usually achieves better detection performance but is comparatively complex in practice.
According to the source of the audit data, intrusion detection systems are divided into host-based, network-based and hybrid systems. A host-based IDS detects intrusions by analysing audit data on the host (such as operating-system audit records and system logs); the object it monitors is generally a single host (server). The audit data of a network-based IDS are the raw packets on the network, and such a system usually protects a network segment. A hybrid IDS analyses audit data from both hosts and the network, generally uses a distributed architecture, and is commonly used to protect heterogeneous or large-scale network systems.
In recent years, exploiting vulnerabilities in privileged programs has become a very common form of intrusion. Privileged programs (for example, programs that run with root authority on Unix systems) hold elevated privileges; an intruder can use the vulnerabilities and defects introduced into these programs during their design to gain control of the whole system and then launch attacks, which seriously threatens the security of the entire system. Attack patterns and tools of this kind are becoming ever more numerous; for example, a defect in the finger service program allowed an attacker to use a buffer-overflow method to trick the service into executing malicious code placed by the attacker. Detecting and identifying intrusions by monitoring the running of privileged programs has consequently become one of the main detection means of host-based IDS. Existing research shows that the system-call sequences produced by a privileged program during normal operation are essentially consistent, whereas when the program runs abnormally (often because it is attacked, tampered with, or made to execute program branches it would not normally execute) the system-call sequences it produces differ markedly from those of normal operation.
The intrusion detection system of the present invention is a host-based IDS that detects intrusions by monitoring the running of privileged programs, using an anomaly detection technique based on data mining. Data mining (DM) means extracting previously unknown, valid and usable information from large, incomplete, noisy and fuzzy data. The essential difference between data mining and traditional data analysis (such as queries, reports and on-line analytical processing) is that data mining proceeds without a clearly stated hypothesis about the information to be found. The information obtained by data mining has three main characteristics: it is previously unknown, valid and usable. Data mining generally comprises three steps: data preparation, mining, and interpretation and evaluation of results.
Referring to Fig. 1, the three conventional steps of data mining are as follows. Data preparation generally comprises data selection, data preprocessing and data transformation. The purpose of data selection is to determine the operand of the mining task, i.e. the target data; in different applications the structure and content of the target data differ, and may be a relational database, an object-oriented database, a temporal database, text, Web data, image or video data, and so on. Data preprocessing includes noise elimination, data type conversion and removal of duplicate records. The purpose of data transformation is usually to reduce the dimensionality of the data (that is, to find the really useful features among the initial features so as to reduce the number of features or variables used during mining), or to convert the data into a form the mining algorithm can process. In the mining stage, the task and purpose of the mining are first stated explicitly, a corresponding algorithm is chosen on that basis, and the mining operation is carried out; the tasks of data mining mainly include data summarisation, classification, clustering, association analysis and deviation analysis. Choosing the mining algorithm is the core of the work; besides the requirements of the mining task and of the actual running system, the characteristics of the data being processed should also be considered. Interpretation and evaluation of results can be done by the user or by a machine; the main work of this stage is to interpret, evaluate and process the results of the mining stage, for example converting the results into another representation the user can understand, judging whether the mined patterns meet the requirements, discarding redundant or irrelevant patterns, and visualising the mining results. The arrowed lines in the figure indicate that each step can jump to any later step via the upper line, because for a particular data mining operation some of the steps in the figure may be omitted.
Data mining techniques mainly include sequential pattern mining, association rule mining, fuzzy clustering, regression analysis, rough sets and so on. The intrusion detection system of the present invention adopts sequential pattern mining.
Summary of the invention
In view of this, the purpose of the invention is to provide a program-level intrusion detection method based on sequential pattern mining. The detection system used by the method is a software product configured on the network server to be monitored. The method adopts an anomaly detection technique based on data mining and detects the various attack activities in the network by monitoring the running of privileged programs on the network server. It uses the system calls produced by a privileged program as it runs as audit data, represents the normal behaviour of a privileged program by sequential patterns in the sense of data mining, mines the normal sequential patterns from training data according to the support or confidence of each sequence, and builds a corresponding library of normal sequential patterns. During detection, attack behaviour is identified by comparing and matching the current sequential patterns against the normal sequential patterns, so as to draw the security administrator's attention and prompt corresponding countermeasures.
To achieve the above object, the invention provides a program-level intrusion detection method based on sequential pattern mining, implemented with a program-level intrusion detection system based on sequential pattern mining. The system is configured on the network server that needs monitoring; it uses the system calls produced by a privileged program as it runs as audit data, monitors the running of the privileged program on the network server, and uses an anomaly detection technique based on data mining to detect whether the network server has been intruded upon. The detection system comprises a control module, a data acquisition and preprocessing module, a training module, a storage module, a detection module and a detection result output module. The method comprises the following steps:
(1) the detection system starts;
(2) the detection system waits for the input of job information and instructions; the working state and working parameters of the system are set through the control module, so that when the "start working" instruction is subsequently entered, the control module automatically checks the system settings and enters one of two working states: if the working state is set to the training state, the following steps are carried out; if it is set to the detection state, execution jumps to step (7);
(3) the data acquisition and preprocessing module imports the original training data from a predefined data interface, preprocesses it, and outputs it to the training module;
(4) the training module reads the training scheme set in step (2) from the control module; if the first training scheme is set, the following steps are carried out; if the second training scheme is set, execution jumps to step (6);
(5) the training module uses the training data to train according to the first training scheme and builds a normal sequential pattern library; it then stores the library in the storage module, sends a "training finished" message to the control module, ends the training work and jumps to step (7);
(6) the training module uses the training data to train according to the second training scheme and builds a normal sequential pattern library; it then stores the library in the storage module, sends a "training finished" message to the control module and ends the training work;
(7) the control module automatically checks the detection scheme set in step (2); if the first detection scheme is set, the following steps are carried out; if the second detection scheme is set, execution jumps to step (9);
(8) the system performs detection according to the first detection scheme: the data acquisition and preprocessing module first obtains the original audit data from the server in real time and preprocesses it; the detection module then analyses the preprocessed audit data in real time according to the first detection scheme and generates a detection result containing at least a decision value and/or alarm information; the detection result output module displays the decision value in real time and raises an alarm for attack behaviour according to the alarm information; the detection operation then ends;
(9) the system performs detection according to the second detection scheme: the data acquisition and preprocessing module first obtains the original audit data from the server in real time and preprocesses it; the detection module then analyses the preprocessed audit data in real time according to the second detection scheme and generates a detection result containing at least a decision value and/or alarm information; the detection result output module displays the decision value in real time and raises an alarm for attack behaviour according to the alarm information; the detection operation then ends.
In step (2), if the working state of the system is set to the training state, the working parameters to be set are of one of two kinds, namely:
for the first training scheme, the minimum support minsup and the minimum confidence minconf; or
for the second training scheme, the number $W$ of sequence lengths, the sequence lengths $l(1), l(2), \dots, l(W)$ and the minimum supports $\mathrm{minsup}(1), \mathrm{minsup}(2), \dots, \mathrm{minsup}(W)$, where $l(j)$ is the $j$-th sequence length, $\mathrm{minsup}(j)$ is the $j$-th minimum support, and $j$ is a natural number in the interval $[1, W]$.
If the working state of the system is set to the detection state, the working parameters to be set are likewise of one of two kinds, namely: for the first detection scheme, the window length and the decision threshold; or
for the second detection scheme, the window length and the decision threshold.
The original training data in step (3) are $M$ parameterised system-call streams produced historically by the privileged program the system will monitor while it ran normally, where $M$ is a natural number greater than or equal to 1; each system-call stream is a number of system calls, arranged in time order, that the privileged program produced during normal operation, and every system call in each stream carries its parameters.
The original audit data in steps (8) and (9) are the parameterised system-call stream produced by the monitored privileged program during the monitored period; this stream is a number of system calls arranged in time order, each carrying its parameters.
The preprocessing applied to the original training data in step (3) and to the original audit data in steps (8) and (9) is the same: the parameters of every system call in the stream are filtered out, and the parameter-free system calls are kept in their original time order. In step (3), after preprocessing the $M$ parameterised streams become $M$ parameter-free system-call streams $R_1, R_2, \dots, R_M$, where $R_i$ is the $i$-th parameter-free stream, $i$ is a natural number in $[1, M]$, and $R_i$ contains $r_i$ system calls, written $R_i = (s^i_1, s^i_2, \dots, s^i_{r_i})$, with $s^i_j$ the $j$-th system call of the stream in time order; the total number of system calls in the $M$ preprocessed training streams is $r = r_1 + r_2 + \dots + r_M$.
In step (5) the training module uses the training data to train according to the first training scheme; the concrete steps for building the normal sequential pattern library are as follows:
(51) from the $M$ system-call streams $R_1, R_2, \dots, R_M$ generate $M$ system-call sequence streams $S_1, S_2, \dots, S_M$, where $S_i$ is the sequence stream generated from $R_i$, $S_i = (Seq^i_1, Seq^i_2, \dots, Seq^i_{r_i - 1})$, and $Seq^i_j$ is the $j$-th system-call sequence in time order, $Seq^i_j = (s^i_j, s^i_{j+1})$; that is, each sequence consists of two consecutive system calls, so every sequence has length 2;
(52) compute the support and the confidence of every system-call sequence in $S_1, S_2, \dots, S_M$, defined as follows:
for a length-2 sequence $Seq = (s^*_i, s^*_j)$, where $s^*_i$ and $s^*_j$ each denote a particular system call, the support of $Seq$ is its number of occurrences in $S_1, S_2, \dots, S_M$ divided by the total number of sequences in $S_1, S_2, \dots, S_M$:
$$\mathrm{support}(Seq) = \frac{\mathrm{number}(Seq)}{r - M},$$
where $\mathrm{number}(Seq)$ is the number of occurrences of $Seq = (s^*_i, s^*_j)$ in $S$ and $r - M$ is the total number of sequences in $S_1, S_2, \dots, S_M$; the support $\mathrm{support}(Seq)$ describes the probability that $Seq$ occurs in $S_1, S_2, \dots, S_M$;
for a length-2 sequence $Seq = (s^*_i, s^*_j)$, the confidence of $Seq$ is its number of occurrences in $S_1, S_2, \dots, S_M$ divided by the number of occurrences of sequences whose first system call is $s^*_i$; writing a sequence of $S_1, S_2, \dots, S_M$ whose first call is $s^*_i$ as $Seq^* = (s^*_i, s^*)$, where $s^*$ denotes any system call, we have
$$\mathrm{confidence}(Seq) = \frac{\mathrm{number}(Seq)}{\mathrm{number}(Seq^*)},$$
where $\mathrm{number}(Seq^*)$ is the number of occurrences of $Seq^* = (s^*_i, s^*)$ in $S_1, S_2, \dots, S_M$; the confidence $\mathrm{confidence}(Seq)$ describes the conditional probability that the second system call of a sequence in $S_1, S_2, \dots, S_M$ is $s^*_j$ given that its first system call is $s^*_i$;
(53) read the parameters set in step (2) from the control module: the minimum support minsup and the minimum confidence minconf;
(54) extract the sequences of $S_1, S_2, \dots, S_M$ whose support is greater than or equal to minsup; these form the sequential pattern library satisfying the support requirement. If there are $K$ sequences with support $\ge$ minsup, written $Seq^*_1, Seq^*_2, \dots, Seq^*_K$, where $K$ is a natural number less than or equal to $r - M$, then the library satisfying the support requirement is $\Omega_s = \{Seq^*_1, Seq^*_2, \dots, Seq^*_K\}$;
(55) extract the sequences of the $M$ sequence streams whose confidence is greater than or equal to minconf; these form the sequential pattern library satisfying the confidence requirement. If there are $L$ sequences with confidence $\ge$ minconf, written $Seq^+_1, Seq^+_2, \dots, Seq^+_L$, where $L$ is a natural number less than or equal to $r - M$, then the library satisfying the confidence requirement is $\Omega_c = \{Seq^+_1, Seq^+_2, \dots, Seq^+_L\}$;
(56) take the intersection $\Omega_b$ of the library $\Omega_s$ satisfying the support requirement and the library $\Omega_c$ satisfying the confidence requirement, $\Omega_b = \Omega_s \cap \Omega_c$; this $\Omega_b$ is the normal sequential pattern library that the training module builds in step (5).
In step (6) the training module uses the training data to train according to the second training scheme; the concrete steps for building the normal sequential pattern library are as follows:
(61) read the parameters set in step (2) from the control module: the number $W$ of sequence lengths and the sequence lengths $l(1), l(2), \dots, l(W)$, where $l(j)$ is the $j$-th sequence length and $j$ is a natural number in $[1, W]$;
(62) from each system-call stream of the training data $R_1, R_2, \dots, R_M$ generate $W$ system-call sequence streams of different sequence lengths, $S_{i1}, S_{i2}, \dots, S_{iW}$, where $S_{ij}$ is the sequence stream of length $l(j)$ generated from $R_i$, $S_{ij} = (Seq^{ij}_1, Seq^{ij}_2, \dots, Seq^{ij}_{r_i - l(j) + 1})$, and $Seq^{ij}_k$ is the $k$-th sequence of length $l(j)$ in $S_{ij}$ in time order, $Seq^{ij}_k = (s^i_k, s^i_{k+1}, \dots, s^i_{k + l(j) - 1})$. The normal-behaviour training data thus yield $M \times W$ sequence streams, of which $M$ have sequence length $l(j)$: $S_{1j}, S_{2j}, \dots, S_{Mj}$. These $M$ sequence streams form the training subset $S_j = \{S_{1j}, S_{2j}, \dots, S_{Mj}\}$, which contains $r - M \cdot l(j) + M$ sequences of length $l(j)$. In this step the training module generates $W$ training subsets in total, each made up of sequences of a different length;
(63) for $j = 1, \dots, W$ in turn, compute the support of every system-call sequence in the training subset $S_j = \{S_{1j}, S_{2j}, \dots, S_{Mj}\}$; the support $\mathrm{support}(Seq_j)$, which describes the probability that the sequence $Seq_j$ occurs in $S_j$, is defined as follows:
the support of a sequence $Seq_j$ of length $l(j)$ is its number of occurrences in $S_j$ divided by the total number of sequences in $S_j$:
$$\mathrm{support}(Seq_j) = \frac{\mathrm{number}(Seq_j)}{r - M \cdot l(j) + M},$$
where $\mathrm{number}(Seq_j)$ is the number of occurrences of $Seq_j$ in the $M$ sequence streams $S_{1j}, S_{2j}, \dots, S_{Mj}$ of $S_j$;
(64) read the $W$ minimum supports set in step (2) from the control module, $\mathrm{minsup}(1), \mathrm{minsup}(2), \dots, \mathrm{minsup}(W)$, where $\mathrm{minsup}(j)$ is the $j$-th minimum support, set for the sequences of length $l(j)$ in $S_j$;
(65) extract the sequences of $S_j$ whose support is greater than or equal to $\mathrm{minsup}(j)$; these form the sequential pattern library $\Omega(j)$ satisfying the support requirement. If $S_j$ contains $K(j)$ sequences with support $\ge \mathrm{minsup}(j)$, written $Seq^{j*}_1, Seq^{j*}_2, \dots, Seq^{j*}_{K(j)}$, then $\Omega(j) = \{Seq^{j*}_1, Seq^{j*}_2, \dots, Seq^{j*}_{K(j)}\}$. This yields $W$ libraries satisfying the support requirement, $\Omega(1), \Omega(2), \dots, \Omega(W)$; together they are the normal sequential pattern library $\Omega_2 = \{\Omega(1), \Omega(2), \dots, \Omega(W)\}$ that the training module builds in step (6).
In step (8) the concrete steps by which the system performs detection according to the first detection scheme are as follows:
(81) the data acquisition and preprocessing module obtains in real time from the server the system-call stream produced by the monitored privileged program during the monitored period, and preprocesses it into a parameter-free system-call stream of $\bar r$ system calls, $\bar R = (\bar s_1, \bar s_2, \dots, \bar s_{\bar r})$, where $\bar s_k$ is the $k$-th system call in time order and $k$ is a natural number in $[1, \bar r]$; each system call of this stream is passed to the detection module in turn, in time order;
(82) from the system-call stream $\bar R = (\bar s_1, \bar s_2, \dots, \bar s_{\bar r})$ the detection module generates the system-call sequence stream $\bar S = (\overline{Seq}_1, \overline{Seq}_2, \dots, \overline{Seq}_{\bar r - 1})$, where $\overline{Seq}_i = (\bar s_i, \bar s_{i+1})$ is the $i$-th system-call sequence in time order; every sequence in $\bar S$ has length 2, and $i$ is a natural number in $[1, \bar r - 1]$;
(83) the detection module matches each system-call sequence of $\bar S$ against the sequences of the normal sequential pattern library $\Omega_b$ built in step (56), and for each sequence $\overline{Seq}_i$ of $\bar S$ computes: if $\overline{Seq}_i \in \Omega_b$ then $\mathrm{class}(\overline{Seq}_i) = 1$; if $\overline{Seq}_i \notin \Omega_b$ then $\mathrm{class}(\overline{Seq}_i) = 0$. In other words, if $\overline{Seq}_i$ is identical to some sequence in the normal sequence library $\Omega_b$ then $\mathrm{class}(\overline{Seq}_i) = 1$, otherwise $\mathrm{class}(\overline{Seq}_i) = 0$. This computation yields the sequence $(\mathrm{class}(\overline{Seq}_1), \mathrm{class}(\overline{Seq}_2), \dots, \mathrm{class}(\overline{Seq}_{\bar r - 1}))$, where $\mathrm{class}(\overline{Seq}_i)$ denotes the classification of the sequence $\overline{Seq}_i$: if $\mathrm{class}(\overline{Seq}_i) = 1$, $\overline{Seq}_i$ is a normal sequence; if $\mathrm{class}(\overline{Seq}_i) = 0$, $\overline{Seq}_i$ is an abnormal sequence;
(84) the detection module reads from the control module the window length $w$ set for the first detection scheme in step (2), then applies a sliding window to the sequence $(\mathrm{class}(\overline{Seq}_1), \dots, \mathrm{class}(\overline{Seq}_{\bar r - 1}))$ to obtain the decision values
$$D(k) = \frac{1}{w} \sum_{i = k - w + 1}^{k} \mathrm{class}(\overline{Seq}_i),$$
where $D(k)$ is the decision value corresponding to the system-call sequence $\overline{Seq}_k$, $w$ is the window length of the first detection scheme set in step (2), $w \le k \le \bar r - 1$, and $k$ increases in steps of 1; in the sequence stream $\bar S = (\overline{Seq}_1, \overline{Seq}_2, \dots, \overline{Seq}_{\bar r - 1})$ the $w$-th sequence and every sequence after it thus has its own decision value;
(85) the detection module reads from the control module the decision threshold set for the first detection scheme in step (2), and uses this threshold together with the decision value $D(k)$ to judge the "current behaviour" of the monitored privileged program. The concrete decision rule is: if $D(k)$ is greater than or equal to the decision threshold, the "current behaviour" of the monitored privileged program is judged to be normal behaviour; otherwise it is judged to be attack or intrusion behaviour.
In steps (81) to (85), the acquisition of the system calls executed by the monitored program (the system-call stream), the generation and matching of sequences, the calculation of decision values and the judgement of program behaviour are all carried out concurrently, as the stream arrives.
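The following is an added worked example, not code from the patent or its assignee, implementing the first training scheme (steps (51) to (56)) and the first detection scheme (steps (81) to (85)) in Python. The training streams, the audit streams and the system-call names are constructed for illustration; the parameter-stripping helper assumes an strace-style `name(args) = ret` record format, which the patent does not specify.

```python
from collections import Counter

# Constructed training data (not from the patent): M = 3 parameter-free
# system-call streams R_1, R_2, R_3 of a hypothetical privileged program.
TRAINING_STREAMS = [
    ["open", "read", "read", "close", "open", "read", "close"],
    ["open", "read", "close", "open", "read", "read", "close"],
    ["open", "read", "read", "read", "close"],
]


def strip_parameters(record: str) -> str:
    """Preprocessing of steps (3) and (81): keep only the call name of an
    strace-style record such as 'open("/etc/passwd", O_RDONLY) = 3' (assumed format)."""
    return record.split("(", 1)[0].strip()


def length2_sequences(streams):
    """Steps (51)/(82): Seq_j = (s_j, s_{j+1}) for every stream, in time order."""
    return [(s[j], s[j + 1]) for s in streams for j in range(len(s) - 1)]


def train_scheme1(streams, minsup, minconf):
    """Steps (52)-(56): support, confidence and Omega_b = Omega_s & Omega_c."""
    seqs = length2_sequences(streams)
    total = len(seqs)                       # r - M sequences in S_1..S_M
    number = Counter(seqs)                  # number(Seq)
    first = Counter(a for a, _ in seqs)     # number(Seq*) for Seq* = (s_i*, s*)
    support = {q: n / total for q, n in number.items()}
    confidence = {q: n / first[q[0]] for q, n in number.items()}
    omega_s = {q for q, v in support.items() if v >= minsup}
    omega_c = {q for q, v in confidence.items() if v >= minconf}
    return omega_s & omega_c, support, confidence


def classify(audit_stream, omega_b):
    """Step (83): class(Seq_i) = 1 if Seq_i is in Omega_b, else 0."""
    return [1 if q in omega_b else 0 for q in length2_sequences([audit_stream])]


def decision_values(classes, w):
    """Step (84): D(k) = (1/w) * sum_{i=k-w+1}^{k} class(Seq_i), w <= k <= r-1.
    Index 0 of the returned list corresponds to k = w."""
    return [sum(classes[k - w:k]) / w for k in range(w, len(classes) + 1)]


def detect_scheme1(audit_stream, omega_b, w, threshold):
    """Step (85): D(k) >= threshold is normal; returns the k values judged to be
    attack or intrusion behaviour (an empty list means no alarm)."""
    ds = decision_values(classify(audit_stream, omega_b), w)
    return [k for k, d in enumerate(ds, start=w) if d < threshold]


if __name__ == "__main__":
    omega_b, support, confidence = train_scheme1(TRAINING_STREAMS, 0.2, 0.4)
    print("Omega_b =", sorted(omega_b))
    # Constructed audit streams: one normal, one with an unexpected execve/socket chain.
    normal = ["open", "read", "read", "close"]
    attack = ["open", "read", "execve", "socket", "connect", "close"]
    print("normal:", detect_scheme1(normal, omega_b, w=3, threshold=0.5))
    print("attack:", detect_scheme1(attack, omega_b, w=3, threshold=0.5))
```

On the constructed data the pair (close, open) has confidence 1.0 but support 2/16 = 0.125, so it is kept by $\Omega_c$ and dropped by $\Omega_s$; the intersection in step (56) is what keeps a rare-but-deterministic transition out of the normal library. The window length $w$ trades detection delay against false alarms: a single unseen pair in an otherwise normal stream only lowers $D(k)$ by $1/w$.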
System is as follows according to the concrete steps that second kind of detection scheme carries out testing in the described step (9):
(91) data acquisition and pretreatment module are obtained the system call stream that monitored privileged program is produced in real time in the monitored time from server system, and this system call stream is carried out becoming not comprising of containing parameter after the preliminary treatment The system call stream of individual system call R ‾ = ( s ‾ 1 , s ‾ 2 , . . . . . . , s ‾ r ‾ ) , Wherein K the system call that expression is arranged in chronological order, k be the interval [1, ] in natural number; Each system call in this system call stream is output to detection module successively according to time sequencing;
(92) detection module reads set parameter in the step under the physical training condition (2) from control module: the number W of sequence length and sequence length l (1), l (2) ..., l (W), wherein l (j) is a j sequence length, j is the natural number in interval [1, W];
(93) for each system call $\bar{s}_k$ ($l(W) \le k \le \bar{r}$) of the system call stream $\bar{R} = (\bar{s}_1, \bar{s}_2, \ldots, \bar{s}_{\bar{r}})$ after the first l(W) system calls, the detection module forms W system call sequences ending at $\bar{s}_k$ whose lengths are l(1), l(2), ..., l(W) respectively; these W sequences are denoted $\overline{Seq}_k^{\,1}, \overline{Seq}_k^{\,2}, \ldots, \overline{Seq}_k^{\,W}$, where $\overline{Seq}_k^{\,j}$ is the system call sequence of length l(j), i.e. $\overline{Seq}_k^{\,j} = (\bar{s}_{k-l(j)+1}, \bar{s}_{k-l(j)+2}, \ldots, \bar{s}_k)$, and j is a natural number in the interval [1, W];
(94) for the W system call sequences ending at $\bar{s}_k$, the detection module compares, in the order of the natural number j from 1 to W, $\overline{Seq}_k^{\,j}$ with the sequence pattern library $\Omega(j)$ established in step (65): if $\overline{Seq}_k^{\,j} \in \Omega(j)$ holds, then $\mathrm{class}(\bar{s}_k) = 1$; otherwise $\mathrm{class}(\bar{s}_k) = 0$. That is, if one of the W sequences is identical to some sequence in the normal sequence library $\Omega = \{\Omega(1), \Omega(2), \ldots, \Omega(W)\}$ established in step (65), then $\mathrm{class}(\bar{s}_k) = 1$, otherwise $\mathrm{class}(\bar{s}_k) = 0$. The above computation yields a sequence of classifications, in which $\mathrm{class}(\bar{s}_k)$ denotes the classification of the program behavior corresponding to the system call $\bar{s}_k$: if $\mathrm{class}(\bar{s}_k) = 1$, the program behavior corresponding to $\bar{s}_k$ is normal behavior; if $\mathrm{class}(\bar{s}_k) = 0$, the program behavior corresponding to $\bar{s}_k$ is abnormal behavior;
(95) the detection module reads from the control module the window length set in step (2) for the second detection scheme, then applies a sliding window to the classification sequence to obtain the decision value corresponding to the system call $\bar{s}_k$: $D(k) = \frac{1}{w}\sum_{i=k-w+1}^{k} \mathrm{class}(\bar{s}_i)$, where w is the window length set in step (2) for the second detection scheme, $w + l(W) - 1 \le k \le \bar{r}$, and k increases in steps of 1; thus the (w + l(W) - 1)-th system call of the system call stream $\bar{R} = (\bar{s}_1, \bar{s}_2, \ldots, \bar{s}_{\bar{r}})$ and every system call after it each have their own decision value;
(96) the detection module reads from the control module the decision threshold set in step (2) for the second detection scheme, and uses this threshold together with the decision value D(k) to judge the "current behavior" of the monitored privileged program; the concrete decision rule is: if D(k) is greater than or equal to the decision threshold, the "current behavior" of the monitored privileged program is judged to be normal behavior; otherwise it is judged to be an attack or intrusion;
In steps (91) to (96), the acquisition of the system calls (or system call stream) executed by the monitored program, the generation and matching of sequences, the calculation of decision values and the judgement of program behavior are all carried out concurrently.
The present invention is a program level intrusion detection method based on sequential pattern mining, and differs considerably from existing host-based intrusion detection methods; its characteristics and advantages are mainly the following:
(1) Compared with some current commercial host-based intrusion detection methods, an outstanding feature of the present invention is that two optional training schemes are integrated into the training module and, correspondingly, two optional detection schemes into the detection module. Although this increases the complexity of the system, it strengthens the operational flexibility of the system and widens its range of application. In detection environments with high demands on detection speed and efficiency, the first training scheme and the first detection scheme can be adopted; in detection environments with high demands on detection accuracy, the second training scheme and the second detection scheme can be adopted.
(2) The detection method of the present invention is highly practical and operable. A detection system using this method can be flexibly configured on a network server that needs monitoring and requires no extra hardware; it can detect abnormal conditions of privileged programs in the network server, and since such anomalies usually mean intrusion and attack, it enables the security administrator to recognize the various attack activities taking place in the network system.
(3) When the first training scheme and the first detection scheme are adopted, the detection method of the present invention uses system call sequences of length 2 to represent the various normal behavior patterns of a privileged program (that is, it only takes into account the correlation between two adjacent system calls in the system call stream). Compared with conventional detection methods, the volume of normal sequence pattern data this method must store is smaller, and the computation required for sequence matching during detection is also smaller, so it occupies fewer host resources and detection is comparatively fast. Test results from actual use show that when monitoring comparatively simple privileged programs (such as the login program), adopting the first training scheme and the first detection scheme achieves very high detection efficiency.
(4) When the second training scheme and the second detection scheme are adopted, the detection method of the present invention uses system call sequences of several different lengths to represent the various normal behavior patterns of a privileged program. Although this increases the system's stored data volume and the computation during detection, it improves the accuracy with which program behavior patterns are represented and thus improves the detection accuracy rate to a large degree. Test results from actual use show that when monitoring comparatively complex privileged programs (such as the sendmail program), adopting the second training scheme and the second detection scheme achieves a very high detection accuracy rate.
(5) The training examples used in the training stage of many host-based intrusion detection methods usually require both positive examples and counter-examples. The detection method of the present invention needs only positive examples (the system call data produced by the privileged program during normal operation) for training and no counter-examples, which greatly reduces the difficulty of collecting training data and widens the range of application of the system. When preprocessing the original training data and the original audit data, the system filters out the parameters of the system calls, which makes the preprocessed data easier to process and store and also reduces the amount of data the system must store in the training stage. In addition, the detection method of the present invention adopts a "complete sequence comparison" matching approach during detection. Compared with some existing host-based intrusion detection methods, this sequence matching approach reduces the computational workload during detection and thus reduces the consumption of resources on the host where the system resides.
(6) The detection method and system of the present invention have strong generality and good extensibility; the function of each module in the system and the relations between the modules are also applicable to other program level intrusion detection systems (IDS) that are based on other detection methods and use system calls as audit data.
Description of drawings
Fig. 1 is a schematic diagram of the general steps of data mining.
Fig. 2 is a schematic diagram of the structural composition of the system of the present invention.
Fig. 3 is a flow chart of the detection method of the system of the present invention.
Fig. 4 is the decision value curve displayed by the detection result output module of the system of the present invention during implementation testing.
Embodiment
To make the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings.
Referring to Fig. 2, the composition of a program level intrusion detection system based on sequential pattern mining according to the present invention is introduced. This system is a software product, that is, each module consists of a corresponding program unit; it is configured on the server that needs monitoring, uses the system calls produced when a privileged program runs as audit data, monitors the running state of the privileged programs in the network server, and adopts an anomaly detection technique based on data mining to detect whether an intrusion has occurred in the network server. The system consists of a control module, a data acquisition and preprocessing module, a training module, a storage module, a detection module and a detection result output module.
The control module is responsible for controlling the operation of the whole system; the operating state and running parameters of the system are set through this module. The data acquisition and preprocessing module is responsible for obtaining the original training data or audit data (the system calls produced during program execution) from the server, preprocessing them (filtering out the parameters of the system calls), and sending them to the training module or the detection module respectively, for training or detection. The training module uses the training data to train and establishes the normal sequence pattern library. The storage module stores the normal sequence pattern library established by the training module, so that during detection the detection module can retrieve this library for matching. The detection module uses the audit data to perform detection and produces the detection result (decision values and alarm information). The detection result output module is responsible for displaying the decision values produced by the detection module and for raising alarms about attacks according to the alarm information from the detection module.
The system of the present invention has two operating states, the training state and the detection state. In the training state the system offers two optional training schemes, the first training scheme and the second training scheme; correspondingly, in the detection state it offers two optional detection schemes, the first detection scheme and the second detection scheme. It should be noted that the system must be trained in advance before detecting, and that the first training scheme corresponds to the first detection scheme while the second training scheme corresponds to the second detection scheme: if the first training scheme was set during training, only the first detection scheme can be set during detection; if the second training scheme was set during training, only the second detection scheme can be set during detection. Alternatively, both training schemes can be used to train twice, after which the system can select either of the two detection schemes when detecting; however, this increases the system's stored data volume.
Referring to Fig. 3, the workflow of the system of the present invention is introduced:
(1) The system starts up.
(2) While the system waits for the input of operating information and instructions, the operating state and running parameters of the system are set through the control module; once setting is complete, the "start working" instruction can be input. After the system receives this instruction, the control module automatically checks the system's settings and the system enters one of two different operating states: if the system is set to the training state, the subsequent steps are executed; if the system is set to the detection state, execution jumps to step (7).
If the operating state of the system is set to the training state, there are two kinds of running parameters to set, namely:
for the first training scheme, the minimum support minsup and the minimum confidence minconf; or, for the second training scheme, the number W of sequence lengths, the sequence lengths l(1), l(2), ..., l(W) and the minimum supports minsup(1), minsup(2), ..., minsup(W), where l(j) is the j-th sequence length, minsup(j) is the j-th minimum support, and j is a natural number in the interval [1, W];
If the operating state of the system is set to the detection state, there are two kinds of running parameters to set, namely: for the first detection scheme, the window length and the decision threshold; or, for the second detection scheme, the window length and the decision threshold.
If the system has a default operating state and running parameters after start-up, i.e. the operating state and running parameters set during the previous run, and these default settings do not need to be changed, the "start working" instruction can be input directly to make the system perform the work of the corresponding state.
(3) The data acquisition and preprocessing module imports the original training data from a predefined data interface, preprocesses this original training data, and outputs it to the training module;
The so-called original training data consists of several system call streams produced historically by the privileged program the system is to monitor while it was running normally; each system call stream is the set of system calls, arranged in time order, that this privileged program produced during one historical normal run, and every system call in every system call stream carries its parameters. For ease of analysis, the present invention assumes that the original training data contains M system call streams in total (M is a natural number greater than or equal to 1). Preprocessing the original training data means filtering out the parameters of each system call in each system call stream and arranging the parameter-free system calls in their original time order. After preprocessing, the M system call streams with parameters become M parameter-free system call streams $R_1, R_2, \ldots, R_M$, where $R_i$ denotes the i-th system call stream, i is a natural number in the interval [1, M], and $R_i$ contains $r_i$ system calls, namely $s_1^i, s_2^i, \ldots, s_{r_i}^i$, where $s_j^i$ is the j-th system call in chronological order in this system call stream; the total number of system calls in the M preprocessed system call streams used as training data is $r = r_1 + r_2 + \cdots + r_M$. The M system call streams $R_1, R_2, \ldots, R_M$ represent the historical normal behavior of the privileged program the system is to monitor.
(4) The training module reads from the control module the training scheme set in step (2); if it is set to the first training scheme, the subsequent steps are executed; if it is set to the second training scheme, execution jumps to step (6);
(5) The training module uses the training data to train according to the first training scheme, establishes the normal sequence pattern library, stores this sequence pattern library in the storage module, and sends the message "training finished" to the control module; the training work is thereby finished, and execution jumps to step (7). The concrete operations of this step are as follows:
(51) From the M system call streams $R_1, R_2, \ldots, R_M$ generate M system call sequence streams $S_1, S_2, \ldots, S_M$, where $S_i$ denotes the chronologically ordered system call sequence stream generated from $R_i$, $S_i = (Seq_1^i, Seq_2^i, \ldots, Seq_{r_i-1}^i)$, and $Seq_j^i$ is the j-th system call sequence in chronological order ($1 \le i \le M$, $1 \le j \le r_i - 1$), $Seq_j^i = (s_j^i, s_{j+1}^i)$; that is, each system call sequence consists of 2 system calls arranged in time order, or in other words every system call sequence has length 2.
(52) Calculate the support and the confidence of each system call sequence in the M system call sequence streams $S_1, S_2, \ldots, S_M$; support and confidence are defined respectively as follows:
For a sequence of length 2, $Seq = (s_i^*, s_j^*)$, where $s_i^*$ and $s_j^*$ each denote a specific system call, the support of $Seq = (s_i^*, s_j^*)$ equals the number of occurrences of this sequence in the M system call sequence streams $S_1, S_2, \ldots, S_M$ divided by the total number of sequences in $S_1, S_2, \ldots, S_M$, i.e. support(Seq) = number(Seq)/(r - M); here number(Seq) is the number of occurrences of the sequence $Seq = (s_i^*, s_j^*)$ in S, r - M is the total number of sequences in the M system call sequence streams $S_1, S_2, \ldots, S_M$, and support(Seq) is the support of the sequence $Seq = (s_i^*, s_j^*)$, which describes the probability of occurrence of $Seq = (s_i^*, s_j^*)$ in $S_1, S_2, \ldots, S_M$;
For a sequence of length 2, $Seq = (s_i^*, s_j^*)$, where $s_i^*$ and $s_j^*$ each denote a specific system call, the confidence of $Seq = (s_i^*, s_j^*)$ equals the number of occurrences of this sequence in the M system call sequence streams $S_1, S_2, \ldots, S_M$ divided by the number of occurrences in $S_1, S_2, \ldots, S_M$ of sequences whose first system call is $s_i^*$; denoting a sequence in $S_1, S_2, \ldots, S_M$ whose first system call is $s_i^*$ by $Seq^* = (s_i^*, s^*)$, where $s^*$ denotes any system call, we have: the confidence of the sequence $Seq = (s_i^*, s_j^*)$ is confidence(Seq) = number(Seq)/number($Seq^*$), where number($Seq^*$) is the number of occurrences of $Seq^* = (s_i^*, s^*)$ in $S_1, S_2, \ldots, S_M$; the confidence confidence(Seq) describes the conditional probability that, given that the first system call of a sequence in $S_1, S_2, \ldots, S_M$ is $s_i^*$, its second system call is $s_j^*$;
(53) Read from the control module the parameters set in step (2): the minimum support minsup and the minimum confidence minconf;
(54) Extract from the M system call sequence streams $S_1, S_2, \ldots, S_M$ the sequences whose support is greater than or equal to minsup, forming the sequence pattern library that satisfies the support requirement; if there are K sequences in total whose support is greater than or equal to minsup, denoted $Seq_1^*, Seq_2^*, \ldots, Seq_K^*$ respectively, where K is a natural number less than or equal to the natural number r - M, then the sequence pattern library satisfying the support requirement is $\Omega_s = \{Seq_1^*, Seq_2^*, \ldots, Seq_K^*\}$;
(55) Extract from the M system call sequence streams the sequences whose confidence is greater than or equal to minconf, forming the sequence pattern library that satisfies the confidence requirement; if there are L sequences in total whose confidence is greater than or equal to minconf, denoted $Seq_1^+, Seq_2^+, \ldots, Seq_L^+$ respectively, where L is a natural number less than or equal to the natural number r - M, then the sequence pattern library satisfying the confidence requirement is $\Omega_c = \{Seq_1^+, Seq_2^+, \ldots, Seq_L^+\}$;
(56) Take the intersection $\Omega_b$ of the sequence pattern library $\Omega_s$ satisfying the support requirement and the sequence pattern library $\Omega_c$ satisfying the confidence requirement, i.e. $\Omega_b = \Omega_s \cap \Omega_c$. This $\Omega_b$ is the normal sequence pattern library that the training module establishes in step (5).
(6) The training module uses the training data to train according to the second training scheme, establishes the normal sequence pattern library, stores this sequence pattern library in the storage module, and sends the message "training finished" to the control module; the training work is thereby finished. The concrete operations of the training module under the second training scheme are as follows:
(61) Read from the control module the parameters set in step (2): the number W of sequence lengths and the sequence lengths l(1), l(2), ..., l(W), where l(j) is the j-th sequence length and j is a natural number in the interval [1, W];
(62) From each system call stream of the M training data streams $R_1, R_2, \ldots, R_M$, generate W system call sequence streams of different sequence lengths: $S_{i1}, S_{i2}, \ldots, S_{iW}$, where $S_{ij}$ denotes the system call sequence stream of sequence length l(j) generated from $R_i$ (here $1 \le j \le W$, $1 \le i \le M$), and $S_{ij} = (Seq_1^{ij}, Seq_2^{ij}, \ldots, Seq_{r_i - l(j) + 1}^{ij})$.
Here $Seq_k^{ij}$ denotes the k-th chronologically ordered system call sequence of length l(j) in $S_{ij}$, and $Seq_k^{ij} = (s_k^i, s_{k+1}^i, \ldots, s_{k+l(j)-1}^i)$. In this way M × W system call sequence streams can be generated from the normal behavior training data, of which M have sequence length l(j): $S_{1j}, S_{2j}, \ldots, S_{Mj}$. For ease of analysis, the training subset formed by these M system call sequence streams is denoted $S_j = \{S_{1j}, S_{2j}, \ldots, S_{Mj}\}$; this training subset contains r - M × l(j) + M system call sequences of length l(j) in total. In this step the training module generates W training subsets in total, each of which consists of system call sequences of a different length;
(63) In the order of the natural number j from 1 to W, calculate the support of each system call sequence in the training subset $S_j = \{S_{1j}, S_{2j}, \ldots, S_{Mj}\}$; this support, support($Seq^j$), describes the probability of occurrence of the sequence $Seq^j$ in the training subset $S_j$ and is defined as follows:
The support of a sequence $Seq^j$ of length l(j) equals the number of occurrences of this sequence in the training subset $S_j$ divided by the total number of sequences in $S_j$ ($1 \le j \le W$), i.e. support($Seq^j$) = number($Seq^j$)/(r - M × l(j) + M), where number($Seq^j$) denotes the number of occurrences of the sequence $Seq^j$ in the M system call sequence streams $S_{1j}, S_{2j}, \ldots, S_{Mj}$ of the training subset $S_j$;
(64) Read from the control module the W minimum supports minsup(1), minsup(2), ..., minsup(W) set in step (2), where minsup(j) is the j-th minimum support, set for the sequences of length l(j) in the training subset $S_j$ ($1 \le j \le W$);
(65) For $1 \le j \le W$, extract from the training subset $S_j$ the sequences whose support is greater than or equal to minsup(j), forming the sequence pattern library $\Omega(j)$ that satisfies the support requirement. Suppose there are K(j) sequences in $S_j$ whose support is greater than or equal to minsup(j), denoted $Seq_1^{j*}, Seq_2^{j*}, \ldots, Seq_{K(j)}^{j*}$ respectively; then the sequence pattern library satisfying the support requirement is $\Omega(j) = \{Seq_1^{j*}, Seq_2^{j*}, \ldots, Seq_{K(j)}^{j*}\}$. In this way W sequence pattern libraries satisfying the support requirement, $\Omega(1), \Omega(2), \ldots, \Omega(W)$, are obtained, where $\Omega(j)$ denotes the sequence pattern library formed by the sequences extracted from the training subset $S_j$ ($1 \le j \le W$). These W sequence pattern libraries satisfying the support requirement together form the normal sequence pattern library $\Omega = \{\Omega(1), \Omega(2), \ldots, \Omega(W)\}$ that the training module establishes in step (6).
(7) The control module automatically checks the detection scheme set in step (2); if it is set to the first detection scheme, the subsequent steps are executed; if it is set to the second detection scheme, execution jumps to step (9);
(8) The system performs detection according to the first detection scheme: first the data acquisition and preprocessing module obtains the original audit data in real time from the server and preprocesses it; then the detection module analyses the preprocessed audit data in real time according to the first detection scheme and generates the detection result, which contains at least a decision value and/or alarm information; the detection result output module displays this decision value in real time and raises alarms about attacks according to the alarm information; the detection operation then ends;
The original audit data in steps (8) and (9) is the system call stream produced by the monitored privileged program during the monitored period; this system call stream consists of a number of system calls arranged in time order, each of which carries its parameters. The preprocessing performed on the original audit data in these two steps filters out the parameters of each system call in the system call stream, turning it into a parameter-free system call stream, and arranges the parameter-free system calls in their original time order.
The detection operation that the detection module performs according to the first detection scheme comprises the following concrete steps:
(81) The data acquisition and preprocessing module obtains in real time from the server the system call stream produced by the monitored privileged program during the monitored period, and preprocesses it into a parameter-free system call stream of $\bar{r}$ system calls, $\bar{R} = (\bar{s}_1, \bar{s}_2, \ldots, \bar{s}_{\bar{r}})$, where $\bar{s}_k$ denotes the k-th system call in chronological order and k is a natural number in the interval $[1, \bar{r}]$; each system call in this system call stream is output to the detection module in turn in time order:
(82) From the system call stream $\bar{R} = (\bar{s}_1, \bar{s}_2, \ldots, \bar{s}_{\bar{r}})$ the detection module generates the system call sequence stream $\bar{S} = (\overline{Seq}_1, \overline{Seq}_2, \ldots, \overline{Seq}_{\bar{r}-1})$, where $\overline{Seq}_i = (\bar{s}_i, \bar{s}_{i+1})$ is the i-th system call sequence in chronological order; every system call sequence in $\bar{S}$ has length 2, and i is a natural number in the interval $[1, \bar{r} - 1]$;
(83) The detection module matches each system call sequence in $\bar{S}$ against the sequences in the normal sequence pattern library $\Omega_b$ established in step (56); at the same time, for each system call sequence $\overline{Seq}_i$ in $\bar{S}$ it performs the following computation: if $\overline{Seq}_i \in \Omega_b$, then $\mathrm{class}(\overline{Seq}_i) = 1$; if $\overline{Seq}_i \notin \Omega_b$, then $\mathrm{class}(\overline{Seq}_i) = 0$. That is, if $\overline{Seq}_i$ is identical to some sequence in the normal sequence library $\Omega_b$, then $\mathrm{class}(\overline{Seq}_i) = 1$, otherwise $\mathrm{class}(\overline{Seq}_i) = 0$. After the above computation a sequence of classifications is obtained, in which $\mathrm{class}(\overline{Seq}_i)$ denotes the classification of the sequence $\overline{Seq}_i$: if $\mathrm{class}(\overline{Seq}_i) = 1$, then $\overline{Seq}_i$ is a normal sequence; if $\mathrm{class}(\overline{Seq}_i) = 0$, then $\overline{Seq}_i$ is an abnormal sequence;
(84) The detection module reads from the control module the window length set in step (2) for the first detection scheme, then applies a sliding window to the classification sequence to obtain the decision value $D(k) = \frac{1}{w}\sum_{i=k-w+1}^{k} \mathrm{class}(\overline{Seq}_i)$, where D(k) denotes the decision value corresponding to the system call sequence $\overline{Seq}_k$, w is the window length set in step (2) for the first detection scheme, $w \le k \le \bar{r} - 1$, and k increases in steps of 1; thus the w-th system call sequence of the system call sequence stream $\bar{S} = (\overline{Seq}_1, \overline{Seq}_2, \ldots, \overline{Seq}_{\bar{r}-1})$ and every system call sequence after it each have their own decision value;
(85) The detection module reads from the control module the decision threshold set in step (2) for the first detection scheme, and uses this threshold together with the decision value D(k) to judge the "current behavior" of the monitored privileged program; the concrete decision rule is: if D(k) is greater than or equal to the decision threshold, the "current behavior" of the monitored privileged program is judged to be normal behavior; otherwise it is judged to be an attack or intrusion. Here the "current behavior" of the monitored privileged program is defined relative to $\overline{Seq}_k$: it refers to the w "system call sequences" executed by the monitored privileged program that end at $\overline{Seq}_k$, and equivalently to the w + 1 "system calls" executed by the monitored privileged program that these sequences cover, ending at $\bar{s}_{k+1}$.
In steps (81) to (85), the acquisition of the system calls (or system call stream) executed by the monitored program, the generation and matching of sequences, the calculation of decision values and the judgement of program behavior are all carried out concurrently. That is, once the monitored privileged program has executed w system calls, each time it executes a further new system call the detection system generates a new system call sequence, matches this sequence against the sequence pattern library, thereby obtains a (new) decision value, and makes one judgement of the "current behavior" of the monitored privileged program.
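The following Python example, added here and not part of the patent or its implementation, walks the first training scheme (steps (51) to (56)) and the first detection scheme (steps (82) to (85)) over constructed data: three short parameter-free call streams stand in for the historical normal runs, and a constructed audit stream containing an unseen call is scored with a window of w = 4 and a threshold of 0.6. The call names, the streams and the parameter values are all assumptions for illustration.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]

# Constructed training data (hypothetical, not from the patent): M = 3 parameter-free
# system call streams R_1..R_M recorded from normal runs of a privileged program.
TRAINING_STREAMS: List[List[str]] = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "close", "exit"],
    ["open", "read", "read", "read", "write", "close"],
]

# Constructed audit stream (the stream R-bar of step (81)); "execve" never occurs in training.
AUDIT_STREAM: List[str] = ["open", "read", "read", "write", "close",
                           "execve", "open", "read", "write", "close"]


def pair_sequences(stream: List[str]) -> List[Pair]:
    """Steps (51)/(82): a stream of r calls yields its r-1 length-2 sequences in time order."""
    return [(stream[j], stream[j + 1]) for j in range(len(stream) - 1)]


def support_and_confidence(
    streams: List[List[str]],
) -> Tuple[Dict[Pair, float], Dict[Pair, float]]:
    """Step (52): support(Seq) = number(Seq)/(r-M); confidence(Seq) = number(Seq)/number(Seq*)."""
    number: Counter = Counter()      # number(Seq): occurrences of each length-2 sequence
    first_call: Counter = Counter()  # number(Seq*): sequences whose first call is a given call
    for stream in streams:
        for seq in pair_sequences(stream):
            number[seq] += 1
            first_call[seq[0]] += 1
    total_sequences = sum(number.values())  # equals r - M
    support = {seq: n / total_sequences for seq, n in number.items()}
    confidence = {seq: n / first_call[seq[0]] for seq, n in number.items()}
    return support, confidence


def train_scheme1(streams: List[List[str]], minsup: float, minconf: float) -> Set[Pair]:
    """Steps (53)-(56): Omega_b = Omega_s (support >= minsup) intersected with
    Omega_c (confidence >= minconf)."""
    support, confidence = support_and_confidence(streams)
    omega_s = {seq for seq, s in support.items() if s >= minsup}
    omega_c = {seq for seq, c in confidence.items() if c >= minconf}
    return omega_s & omega_c


def detect_scheme1(audit: List[str], omega_b: Set[Pair], w: int,
                   threshold: float) -> List[Tuple[int, float, bool]]:
    """Steps (82)-(85): classify every length-2 sequence of the audit stream, then slide
    a window of w over the classifications.

    Returns (k, D(k), is_normal) for w <= k <= r-1 with 1-indexed k as in the patent;
    D(k) = (1/w) * sum_{i=k-w+1}^{k} class(Seq_i), and behaviour is normal iff D(k) >= threshold.
    """
    classes = [1 if seq in omega_b else 0 for seq in pair_sequences(audit)]
    results: List[Tuple[int, float, bool]] = []
    for k in range(w, len(classes) + 1):
        d_k = sum(classes[k - w:k]) / w  # window covers sequences k-w+1 .. k
        results.append((k, d_k, d_k >= threshold))
    return results


if __name__ == "__main__":
    omega_b = train_scheme1(TRAINING_STREAMS, minsup=0.2, minconf=0.4)
    print("normal library Omega_b:", sorted(omega_b))
    for k, d_k, normal in detect_scheme1(AUDIT_STREAM, omega_b, w=4, threshold=0.6):
        print(f"k={k:2d}  D(k)={d_k:.2f}  {'normal' if normal else 'ALARM'}")
```

With these values the pair (close, exit) passes the confidence test but not the support test, so it is excluded from Ω_b; the two sequences around "execve" are classified 0 and the decision value drops to 0.5 for k = 6, 7, 8, below the threshold.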
(9) The system performs detection according to the second detection scheme: first the data acquisition and preprocessing module obtains the original audit data in real time from the server and preprocesses it; then the detection module analyses the preprocessed audit data in real time according to the second detection scheme and generates the detection result, which contains at least a decision value and/or alarm information; the detection result output module displays this decision value in real time and raises alarms about attacks according to the alarm information; the detection operation then ends.
The concrete steps by which the detection module performs detection according to the second detection scheme in step (9) are as follows:
(91) The data acquisition and preprocessing module obtains in real time from the server system the system call stream produced by the monitored privileged program during the monitored period, and preprocesses it into a parameter-free system call stream of $\bar{r}$ system calls, $\bar{R} = (\bar{s}_1, \bar{s}_2, \ldots, \bar{s}_{\bar{r}})$, where $\bar{s}_k$ denotes the k-th system call in chronological order and k is a natural number in the interval $[1, \bar{r}]$; then each system call in this system call stream is output to the detection module in turn in time order;
(92) The detection module reads from the control module the parameters set in step (2) in the training state: the number W of sequence lengths and the sequence lengths l(1), l(2), ..., l(W), where l(j) is the j-th sequence length and j is a natural number in the interval [1, W];
(93) For each system call $\bar{s}_k$ ($l(W) \le k \le \bar{r}$) of the system call stream $\bar{R} = (\bar{s}_1, \bar{s}_2, \ldots, \bar{s}_{\bar{r}})$ after the first l(W) system calls, the detection module forms W system call sequences ending at $\bar{s}_k$ whose lengths are l(1), l(2), ..., l(W) respectively; these W sequences are denoted $\overline{Seq}_k^{\,1}, \overline{Seq}_k^{\,2}, \ldots, \overline{Seq}_k^{\,W}$, where $\overline{Seq}_k^{\,j}$ is the system call sequence of length l(j), i.e. $\overline{Seq}_k^{\,j} = (\bar{s}_{k-l(j)+1}, \bar{s}_{k-l(j)+2}, \ldots, \bar{s}_k)$, and j is a natural number in the interval [1, W];
(94) For the W system call sequences ending at $\bar{s}_k$, the detection module compares, in the order of the natural number j from 1 to W, $\overline{Seq}_k^{\,j}$ with the sequence pattern library $\Omega(j)$ established in step (65): if there is a j ($1 \le j \le W$) such that $\overline{Seq}_k^{\,j} \in \Omega(j)$, then $\mathrm{class}(\bar{s}_k) = 1$; otherwise $\mathrm{class}(\bar{s}_k) = 0$. That is, if one of the W sequences is identical to some sequence in the normal sequence library $\Omega = \{\Omega(1), \Omega(2), \ldots, \Omega(W)\}$ established in step (65), then $\mathrm{class}(\bar{s}_k) = 1$, otherwise $\mathrm{class}(\bar{s}_k) = 0$. The above computation yields a sequence of classifications, in which $\mathrm{class}(\bar{s}_k)$ denotes the classification of the program behavior corresponding to the system call $\bar{s}_k$: if $\mathrm{class}(\bar{s}_k) = 1$, the program behavior corresponding to $\bar{s}_k$ is normal behavior; if $\mathrm{class}(\bar{s}_k) = 0$, the program behavior corresponding to $\bar{s}_k$ is abnormal behavior;
(95) The detection module reads from the control module the window length of the second detection scheme set in step (2), applies windowing to the classification sequence, and obtains the decision value corresponding to system call $\bar s_k$: $D(k) = \frac{1}{w}\sum_{i=k-w+1}^{k} class(\bar s_i)$, where $w$ is the window length of the second detection scheme set in step (2), $w + l(W) - 1 \le k \le \bar r$, and $k$ increases in steps of 1; the $(w + l(W) - 1)$-th system call and every system call after it in the stream $\bar R = (\bar s_1, \bar s_2, \ldots, \bar s_{\bar r})$ each have a corresponding decision value;
(96) The detection module reads from the control module the decision threshold of the second detection scheme set in step (2) and uses this threshold together with the decision value $D(k)$ to judge the "current behaviour" of the monitored privileged program. The decision rule is: if $D(k)$ is greater than or equal to the decision threshold, the "current behaviour" of the monitored privileged program is judged to be normal; otherwise it is judged to be an attack or intrusion. Here the "current behaviour" of the monitored privileged program is defined relative to $\bar s_k$: it refers to the $w$ system calls ending at $\bar s_k$ that the monitored privileged program has executed.
It should be noted that in steps (91) to (96) the acquisition of the system calls (stream) executed by the monitored program, the generation and matching of sequences, the computation of decision values and the judgement of program behaviour are all carried out synchronously: once the monitored privileged program has executed $w + l(W) - 2$ system calls, each time it executes a further system call the detection system immediately forms $W$ (new) system call sequences ending at that system call, performs sequence matching, obtains a (new) decision value and judges the "current behaviour" of the monitored privileged program.
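The second scheme end to end, as an added worked example in Python that is not code from the patent: it implements the support-based mining of steps (61) to (65) of claim 6 and the per-call classification, windowing and thresholding of steps (91) to (96). The system-call names, training and monitored streams, lengths, minimum supports, window and threshold are all constructed assumptions chosen so that the numbers can be checked by hand.

```python
"""Scheme 2 of the patent: mine W libraries of normal system-call sequences of
different lengths by minimum support, then classify every monitored call by the
W sequences ending at it and smooth the result with a sliding window.
All system-call names and streams below are constructed sample data."""
from collections import Counter
from typing import Dict, FrozenSet, List, Sequence, Tuple

Seq = Tuple[str, ...]

# Constructed parameters.  The patent's own test used W = 3 with l(1..3) = 2, 3, 4,
# a window of 20 and a threshold of 0.85 on far larger data.
LENGTHS = (2, 3, 4)             # l(1), l(2), l(3), so W = 3
MINSUPS = (0.01, 0.01, 0.01)    # minsup(1..3); loose because the sample is tiny
WINDOW = 5                      # w
THRESHOLD = 0.85                # decision threshold

NORMAL_CYCLE = ["accept", "read", "open", "read", "write", "close"]
TRAINING_STREAMS = [NORMAL_CYCLE * 6, NORMAL_CYCLE * 4]          # M = 2, r = 60
# Monitored stream: normal cycles with a constructed burst of never-seen calls.
UNSEEN_BURST = ["mprotect", "execve", "chmod", "unlink", "unlink"]
MONITORED_STREAM = NORMAL_CYCLE * 3 + UNSEEN_BURST + NORMAL_CYCLE * 2   # r = 35


def sequences(stream: Sequence[str], length: int) -> List[Seq]:
    """Contiguous sub-sequences of `length` in time order: a stream of r_i
    calls yields r_i - l + 1 sequences (step 62)."""
    return [tuple(stream[k:k + length]) for k in range(len(stream) - length + 1)]


def train_scheme2(streams, lengths, minsups) -> Dict[int, FrozenSet[Seq]]:
    """Steps (61)-(65).  For each j, support(Seq_j) = number(Seq_j) / (r - M*l(j) + M),
    the denominator being the total number of length-l(j) sequences over all M
    streams; Omega(j) keeps the sequences whose support is >= minsup(j)."""
    omega: Dict[int, FrozenSet[Seq]] = {}
    for j, (length, minsup) in enumerate(zip(lengths, minsups), start=1):
        counts: Counter = Counter()
        total = 0
        for stream in streams:
            seqs = sequences(stream, length)
            counts.update(seqs)
            total += len(seqs)                      # sums to r - M*l(j) + M
        omega[j] = frozenset(s for s, n in counts.items() if n / total >= minsup)
    return omega


def classify_calls(stream, lengths, omega) -> Dict[int, int]:
    """Steps (93)-(94).  For each call s_k (1-based, l(W) <= k <= r) form the W
    sequences ending at s_k; class(s_k) = 1 if any of them lies in its Omega(j)."""
    l_max = max(lengths)                            # l(W) when lengths are increasing
    classes: Dict[int, int] = {}
    for k in range(l_max, len(stream) + 1):
        normal = any(tuple(stream[k - length:k]) in omega[j]
                     for j, length in enumerate(lengths, start=1))
        classes[k] = 1 if normal else 0
    return classes


def decision_values(classes, w, l_max, r) -> Dict[int, float]:
    """Step (95): D(k) = (1/w) * sum_{i=k-w+1}^{k} class(s_i) for w + l(W) - 1 <= k <= r."""
    return {k: sum(classes[i] for i in range(k - w + 1, k + 1)) / w
            for k in range(w + l_max - 1, r + 1)}


def detect_scheme2(stream, lengths, omega, w, threshold):
    """Step (96): the behaviour ending at s_k is an attack/intrusion iff D(k) < threshold.
    Returns {k: (D(k), alarm)} and the total number of alarms."""
    classes = classify_calls(stream, lengths, omega)
    dvals = decision_values(classes, w, max(lengths), len(stream))
    decisions = {k: (d, d < threshold) for k, d in dvals.items()}
    return decisions, sum(alarm for _, alarm in decisions.values())


def run_example():
    omega = train_scheme2(TRAINING_STREAMS, LENGTHS, MINSUPS)
    decisions, alarms = detect_scheme2(MONITORED_STREAM, LENGTHS, omega, WINDOW, THRESHOLD)
    return omega, decisions, alarms


if __name__ == "__main__":
    omega, decisions, alarms = run_example()
    print({j: len(lib) for j, lib in omega.items()})        # library sizes per length
    for k, (d, alarm) in decisions.items():
        print(f"k={k:2d} D(k)={d:.2f} {'ALARM' if alarm else 'normal'}")
    print("alarms:", alarms)
```

With the constructed data each library holds the 6 sequences of the normal cycle, the first decision value appears at $k = w + l(W) - 1 = 8$, and the burst of unseen calls drives $D(k)$ below 0.85 from $k = 19$ until the window has slid past it at $k = 29$.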
The performance of the invention is illustrated below by a test embodiment. In this application example the program level intrusion detection system of the invention is deployed on the Sendmail mail server of a website and used to detect attacks against that server. The example comprises two application embodiments: in the first the working state of the system is set to the training state, and in the second it is set to the detection state.
The operating steps of the training embodiment are introduced first, as follows:
Step 1: start the system.
Step 2: the user configures the working state and operating parameters of the system: the working state is set to the training state, the training scheme to the second training scheme, the number W of sequence lengths to 3, the three sequence lengths to l(1)=2, l(2)=3, l(3)=4, and the three minimum supports to minsup(1)=0.00005, minsup(2)=0.00002, minsup(3)=0.00001.
Step 3: the control module automatically checks the working state setting, finds that it is set to the training state, and so executes step 4.
Step 4: the data acquisition and preprocessing module imports the original training data from the designated data interface, preprocesses it and outputs the preprocessed training data to the training module. The original training data consists of 13 system call streams (M=13) containing 289193 system calls in total (r=289193); the sizes of the 13 streams differ considerably: the largest contains 183018 system calls, more than half of the total, while the smallest contains only 170. After preprocessing the original training data becomes 13 parameter-free system call streams, all of which are output to the training module.
Step 5: the training module reads from the control module the training scheme set in step 2, finds that it is set to the second training scheme, and so executes step 6.
Step 6: the training module uses the training data to train according to the second training scheme, establishes the normal sequence pattern library, stores it in the memory module and finally sends the message "training finished" to the control module. In this step the training data (13 system call streams) yield 289180, 289167 and 289154 sequences of lengths 2, 3 and 4 respectively, of which 168, 259 and 316 are mutually distinct; the sequences whose support is at least 0.00005, 0.00002 and 0.00001 respectively (i.e. that satisfy the support requirement) number 57, 144 and 316. The normal sequence pattern library Ω={Ω(1), Ω(2), Ω(3)} established by the training module is formed from these sequences: Ω(1), Ω(2) and Ω(3) contain 57, 144 and 316 sequences respectively.
The operating steps of the detection embodiment are introduced next, as follows:
Step 1: start the system.
Step 2: the user configures the working state and operating parameters of the system: the working state is set to the detection state, the detection scheme to the second detection scheme, the window length to 20 and the decision threshold to 0.85.
Step 3: the control module automatically checks the working state setting, finds that it is set to the detection state, and so executes step 4.
Step 4: the control module automatically checks the detection scheme set in step 2, finds that it is set to the second detection scheme, and so executes step 5.
Step 5: the system performs detection according to the second detection scheme. The data acquisition and preprocessing module obtains the original audit data from the host system and preprocesses it in real time; the detection module analyses the preprocessed audit data in real time according to the second detection scheme and generates the detection results (decision values and alarm information); the detection result output module displays the decision values generated by the detection module in real time and raises alarms for attacks according to the alarm information from the detection module. While the system was performing detection, the Sendmail mail server was subjected to an sccp attack (the sccp attack script uses special command-line options to make sendmail append an email message to a chosen file, by which a local user can obtain root privileges); the detection system made 2909 judgements in total, of which 304 were alarms (judgements that classified the behaviour of the sendmail privileged program as an attack). It should be noted that while the Sendmail server was under attack the behaviour of the sendmail program was abnormal only during certain periods, which is why the detection system raised alarms in only 304 of its 2909 judgements. Fig. 4 shows the decision value curve displayed (output) by the detection result output module during detection; whenever the decision value fell below the decision threshold of 0.85, the detection system raised an alarm. These test results show that the system of the invention successfully detects the attack.
In summary, the test embodiment of the invention was successful and achieved the object of the invention.

Claims (8)

1. A program level intrusion detection method based on sequential pattern mining, implemented using a program level intrusion detection system based on sequential pattern mining, the system being deployed on a network server that requires monitoring and using the system calls produced while a privileged program runs as audit data, so that by monitoring the running of the privileged program on the network server it detects, with anomaly detection based on data mining, whether the network server has been intruded upon; the detection system comprises a control module, a data acquisition and preprocessing module, a training module, a memory module, a detection module and a detection result output module; characterised in that the detection method comprises the following operating steps:
(1) the detection system starts;
(2) while the detection system waits for the input of job information and instructions, the working state and operating parameters of the system are set via the control module, so that once a "start working" instruction is input the control module automatically checks the system settings and enters one of two different working states: if the working state of the system is set to the training state, the subsequent steps are executed; if it is set to the detection state, execution jumps to step (7);
(3) the data acquisition and preprocessing module imports the original training data from the predefined data interface, preprocesses it and outputs it to the training module;
(4) the training module reads from the control module the training scheme set in step (2); if the first training scheme is set, the subsequent steps are executed; if the second training scheme is set, execution jumps to step (6);
(5) the training module uses the training data to train according to the first training scheme, establishes the normal sequence pattern library, stores it in the memory module, sends the message "training finished" to the control module to end the training work, and execution jumps to step (7);
(6) the training module uses the training data to train according to the second training scheme, establishes the normal sequence pattern library, stores it in the memory module and sends the message "training finished" to the control module, ending the training work;
(7) the control module automatically checks the detection scheme set in step (2); if the first detection scheme is set, the subsequent steps are executed; if the second detection scheme is set, execution jumps to step (9);
(8) the detection system performs detection according to the first detection scheme: the data acquisition and preprocessing module first obtains the original audit data from the server in real time and preprocesses it, then the detection module analyses the preprocessed audit data in real time according to the first detection scheme and generates detection results comprising at least decision values and/or alarm information; the detection result output module displays the detection decision values in real time and raises alarms for attacks according to the alarm information; the detection operation ends;
(9) the detection system performs detection according to the second detection scheme: the data acquisition and preprocessing module first obtains the original audit data from the server in real time and preprocesses it, then the detection module analyses the preprocessed audit data in real time according to the second detection scheme and generates detection results comprising at least decision values and/or alarm information; the detection result output module displays the detection decision values in real time and raises alarms for attacks according to the alarm information; the detection operation ends.
2. The program level intrusion detection method based on sequential pattern mining according to claim 1, characterised in that in step (2), if the working state of the system is set to the training state, the operating parameters to be set are one of two kinds:
the first training scheme, the minimum support minsup and the minimum confidence minconf; or
the second training scheme, the number W of sequence lengths, the sequence lengths l(1), l(2), ..., l(W) and the minimum supports minsup(1), minsup(2), ..., minsup(W), where l(j) is the j-th sequence length, minsup(j) is the j-th minimum support and j is a natural number in the interval [1, W];
if the working state of the system is set to the detection state, the operating parameters to be set are one of two kinds: the first detection scheme, the window length and the decision threshold; or
the second detection scheme, the window length and the decision threshold.
3. The program level intrusion detection method based on sequential pattern mining according to claim 1, characterised in that the original training data in step (3) are M parameter-bearing system call streams produced by the privileged program to be monitored during normal operation in the past, M being a natural number greater than or equal to 1, where each system call stream consists of the system calls produced by the privileged program during normal operation, arranged in time order, and every system call in each stream carries parameters;
the original audit data in steps (8) and (9) is the parameter-bearing system call stream produced by the monitored privileged program during the monitored period; this stream consists of system calls arranged in time order, each of which carries parameters.
4. The program level intrusion detection method based on sequential pattern mining according to claim 1 or 3, characterised in that the preprocessing applied to the original training data in step (3) and to the original audit data in steps (8) and (9) consists of filtering out the parameters of every system call in the system call stream and arranging the parameter-free system calls in their original time order; in step (3) the M parameter-bearing system call streams become, after preprocessing, the parameter-free system call streams $R_1, R_2, \ldots, R_M$, where $R_i$ is the $i$-th parameter-free system call stream, $i$ is a natural number in the interval $[1, M]$, and $R_i$ contains $r_i$ system calls and is written $R_i = (s_1^i, s_2^i, \ldots, s_{r_i}^i)$, $s_j^i$ being the $j$-th system call of that stream in chronological order; the total number of system calls in the M preprocessed system call streams that form the training data is $r = r_1 + r_2 + \cdots + r_M$.
5. The program level intrusion detection method based on sequential pattern mining according to claim 1, characterised in that in step (5) the training module uses the training data to train according to the first training scheme and establishes the normal sequence pattern library by the following specific steps:
(51) from the M system call streams $R_1, R_2, \ldots, R_M$ generate M system call sequence streams $S_1, S_2, \ldots, S_M$, where $S_i$ is the system call sequence stream generated from $R_i$ and $S_i = (Seq_1^i, Seq_2^i, \ldots, Seq_{r_i - 1}^i)$, in which $Seq_j^i$ is the $j$-th system call sequence in chronological order and $Seq_j^i = (s_j^i, s_{j+1}^i)$, i.e. each system call sequence consists of two consecutive system calls in time order, so the length of every system call sequence is 2;
(52) compute the support and the confidence of every system call sequence in the M system call sequence streams $S_1, S_2, \ldots, S_M$, where support and confidence are defined as follows:
for a sequence $Seq = (s_i^*, s_j^*)$ of length 2, where $s_i^*$ and $s_j^*$ each denote a specific system call, the support of $Seq$ equals the number of occurrences of this sequence in the M sequence streams $S_1, S_2, \ldots, S_M$ divided by the total number of sequences in $S_1, S_2, \ldots, S_M$, i.e. $support(Seq) = number(Seq)/(r - M)$, where $number(Seq)$ is the number of occurrences of $Seq = (s_i^*, s_j^*)$ in $S$ and $r - M$ is the total number of sequences in the M sequence streams $S_1, S_2, \ldots, S_M$; the support $support(Seq)$ describes the probability of occurrence of $Seq$ in $S_1, S_2, \ldots, S_M$;
for a sequence $Seq = (s_i^*, s_j^*)$ of length 2, where $s_i^*$ and $s_j^*$ each denote a specific system call, the confidence of $Seq$ equals the number of occurrences of this sequence in $S_1, S_2, \ldots, S_M$ divided by the number of occurrences in $S_1, S_2, \ldots, S_M$ of sequences whose first system call is $s_i^*$; writing a sequence in $S_1, S_2, \ldots, S_M$ whose first system call is $s_i^*$ as $Seq^* = (s_i^*, s^*)$, where $s^*$ denotes any system call, the confidence of $Seq = (s_i^*, s_j^*)$ is $confidence(Seq) = number(Seq)/number(Seq^*)$, where $number(Seq^*)$ is the number of occurrences of $Seq^* = (s_i^*, s^*)$ in $S_1, S_2, \ldots, S_M$; the confidence $confidence(Seq)$ describes the conditional probability that, given that the first system call of a sequence in $S_1, S_2, \ldots, S_M$ is $s_i^*$, its second system call is $s_j^*$;
(53) read from the control module the parameters set in step (2): the minimum support minsup and the minimum confidence minconf;
(54) extract the sequences in the M sequence streams $S_1, S_2, \ldots, S_M$ whose support is greater than or equal to minsup, forming the sequence pattern library that satisfies the support requirement; if there are K such sequences, denoted $Seq^*_1, Seq^*_2, \ldots, Seq^*_K$, with K a natural number less than or equal to the natural number $r - M$, the sequence pattern library satisfying the support requirement is $\Omega_s = \{Seq^*_1, Seq^*_2, \ldots, Seq^*_K\}$;
(55) extract the sequences in the M sequence streams whose confidence is greater than or equal to minconf, forming the sequence pattern library that satisfies the confidence requirement; if there are L such sequences, denoted $Seq^+_1, Seq^+_2, \ldots, Seq^+_L$, with L a natural number less than or equal to the natural number $r - M$, the sequence pattern library satisfying the confidence requirement is $\Omega_c = \{Seq^+_1, Seq^+_2, \ldots, Seq^+_L\}$;
(56) take the intersection $\Omega_b$ of the sequence pattern library $\Omega_s$ satisfying the support requirement and the sequence pattern library $\Omega_c$ satisfying the confidence requirement, $\Omega_b = \Omega_s \cap \Omega_c$; this $\Omega_b$ is the normal sequence pattern library that the training module establishes in step (5).
6. The program level intrusion detection method based on sequential pattern mining according to claim 1, characterised in that in step (6) the training module uses the training data to train according to the second training scheme and establishes the normal sequence pattern library by the following specific steps:
(61) read from the control module the parameters set in step (2): the number $W$ of sequence lengths and the sequence lengths $l(1), l(2), \ldots, l(W)$, where $l(j)$ is the $j$-th sequence length and $j$ is a natural number in the interval $[1, W]$;
(62) from each system call stream in the training data $R_1, R_2, \ldots, R_M$ generate W system call sequence streams of different sequence lengths, $S_{i1}, S_{i2}, \ldots, S_{iW}$, where $S_{ij}$ is the system call sequence stream of sequence length $l(j)$ generated from $R_i$, $S_{ij} = (Seq_1^{ij}, Seq_2^{ij}, \ldots, Seq_{r_i - l(j) + 1}^{ij})$, in which $Seq_k^{ij}$ is the $k$-th system call sequence of length $l(j)$ in $S_{ij}$ in chronological order and $Seq_k^{ij} = (s_k^i, s_{k+1}^i, \ldots, s_{k+l(j)-1}^i)$; thus $M \times W$ system call sequence streams are generated from the normal behaviour training data, of which M have sequence length $l(j)$: $S_{1j}, S_{2j}, \ldots, S_{Mj}$; these M sequence streams form the training subset $S_j = \{S_{1j}, S_{2j}, \ldots, S_{Mj}\}$, which contains $r - M \times l(j) + M$ system call sequences of length $l(j)$ in total; in this step the training module generates W training subsets, each made up of system call sequences of a different length;
(63) in the order $j = 1$ to $W$, compute the support of every system call sequence in the training subset $S_j = \{S_{1j}, S_{2j}, \ldots, S_{Mj}\}$; the support $support(Seq_j)$, which describes the probability of occurrence of a sequence $Seq_j$ in the training subset $S_j$, is defined as follows:
the support of a sequence $Seq_j$ of length $l(j)$ equals the number of occurrences of this sequence in the training subset $S_j$ divided by the total number of sequences in $S_j$, i.e. $support(Seq_j) = number(Seq_j)/(r - M \times l(j) + M)$, where $number(Seq_j)$ is the number of occurrences of $Seq_j$ in the M system call sequence streams $S_{1j}, S_{2j}, \ldots, S_{Mj}$ of $S_j$;
(64) read from the control module the W minimum supports $minsup(1), minsup(2), \ldots, minsup(W)$ set in step (2), where $minsup(j)$ is the $j$-th minimum support, set for the sequences of length $l(j)$ in the training subset $S_j$;
(65) extract the sequences in the training subset $S_j$ whose support is greater than or equal to $minsup(j)$, forming the sequence pattern library $\Omega(j)$ that satisfies the support requirement; if there are $K(j)$ such sequences in $S_j$, denoted $Seq_1^{j*}, Seq_2^{j*}, \ldots, Seq_{K(j)}^{j*}$, the sequence pattern library satisfying the support requirement is $\Omega(j) = \{Seq_1^{j*}, Seq_2^{j*}, \ldots, Seq_{K(j)}^{j*}\}$; this yields W sequence pattern libraries $\Omega(1), \Omega(2), \ldots, \Omega(W)$ satisfying the support requirement, which together are the normal sequence pattern library $\Omega = \{\Omega(1), \Omega(2), \ldots, \Omega(W)\}$ that the training module establishes in step (6).
7. The program level intrusion detection method based on sequential pattern mining according to claim 5, characterised in that in step (8) the system performs detection according to the first detection scheme by the following specific steps:
(81) the data acquisition and preprocessing module obtains, in real time from the server, the system call stream produced by the monitored privileged program during the monitored period, and preprocesses it into a parameter-free system call stream of $\bar r$ system calls, $\bar R = (\bar s_1, \bar s_2, \ldots, \bar s_{\bar r})$, where $\bar s_k$ denotes the $k$-th system call in chronological order and $k$ is a natural number in the interval $[1, \bar r]$; each system call in this stream is output to the detection module in turn, in time order;
(82) from the system call stream $\bar R = (\bar s_1, \bar s_2, \ldots, \bar s_{\bar r})$ the detection module generates the system call sequence stream $\bar S = (\overline{Seq}_1, \overline{Seq}_2, \ldots, \overline{Seq}_{\bar r - 1})$, where $\overline{Seq}_i = (\bar s_i, \bar s_{i+1})$ is the $i$-th system call sequence in chronological order, every system call sequence in $\bar S$ has length 2, and $i$ is a natural number in the interval $[1, \bar r - 1]$;
(83) the detection module matches each system call sequence in $\bar S$ against the sequences in the normal sequence pattern library $\Omega_b$ established in step (56); at the same time, for each system call sequence $\overline{Seq}_i$ in $\bar S$ it computes: if $\overline{Seq}_i \in \Omega_b$ then $class(\overline{Seq}_i) = 1$; if $\overline{Seq}_i \notin \Omega_b$ then $class(\overline{Seq}_i) = 0$; that is, if $\overline{Seq}_i$ is identical to some sequence in the normal sequence library $\Omega_b$ then $class(\overline{Seq}_i) = 1$, otherwise $class(\overline{Seq}_i) = 0$; this computation yields the sequence $(class(\overline{Seq}_1), class(\overline{Seq}_2), \ldots, class(\overline{Seq}_{\bar r - 1}))$, where $class(\overline{Seq}_i)$ denotes the classification of sequence $\overline{Seq}_i$: if $class(\overline{Seq}_i) = 1$, $\overline{Seq}_i$ is a normal sequence; if $class(\overline{Seq}_i) = 0$, it is an abnormal sequence;
(84) the detection module reads from the control module the window length of the first detection scheme set in step (2) and applies windowing to the sequence $(class(\overline{Seq}_1), class(\overline{Seq}_2), \ldots, class(\overline{Seq}_{\bar r - 1}))$ to obtain the decision values $D(k) = \frac{1}{w}\sum_{i=k-w+1}^{k} class(\overline{Seq}_i)$, where $D(k)$ is the decision value corresponding to the system call sequence $\overline{Seq}_k$, $w$ is the window length of the first detection scheme set in step (2), $w \le k \le \bar r - 1$, and $k$ increases in steps of 1; the $w$-th system call sequence and every system call sequence after it in $\bar S = (\overline{Seq}_1, \overline{Seq}_2, \ldots, \overline{Seq}_{\bar r - 1})$ each have a corresponding decision value;
(85) the detection module reads from the control module the decision threshold of the first detection scheme set in step (2) and uses this threshold together with the decision value $D(k)$ to judge the "current behaviour" of the monitored privileged program; the decision rule is: if $D(k)$ is greater than or equal to the decision threshold, the "current behaviour" of the monitored privileged program is judged to be normal, otherwise it is judged to be an attack or intrusion;
in steps (81) to (85) the acquisition of the system calls or system call stream executed by the monitored program, the generation and matching of sequences, the computation of decision values and the judgement of program behaviour are all carried out synchronously.
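The first scheme of claims 5 and 7, as an added worked example in Python that is not code from the patent: it mines length-2 sequences by both support and confidence and keeps their intersection $\Omega_b$ (steps (51) to (56)), then classifies each monitored length-2 sequence and windows the result (steps (81) to (85)). The system-call names, streams, minsup, minconf, window and threshold are constructed assumptions; the training data is built so that one sequence passes the support test but fails the confidence test and another does the reverse.

```python
"""Scheme 1 of the patent: mine normal length-2 system-call sequences by minimum
support AND minimum confidence, keep the intersection Omega_b = Omega_s ∩ Omega_c,
then classify each monitored length-2 sequence against Omega_b and window the
classifications.  All names and streams below are constructed sample data."""
from collections import Counter
from typing import Dict, List, Tuple

Bigram = Tuple[str, str]

MINSUP, MINCONF = 0.03, 0.5      # constructed thresholds for the tiny sample
WINDOW, THRESHOLD = 4, 0.85      # w and the decision threshold

NORMAL_CYCLE = ["stat", "open", "read", "close"]
TRAINING_STREAMS = [
    NORMAL_CYCLE * 10,                                                          # r_1 = 40
    ["stat", "close", "stat", "open", "read", "close"] * 2 + ["rename", "fsync"],  # r_2 = 14
]                                                                               # M = 2, r = 54
# Monitored stream: normal cycles around a constructed run of (stat, close) pairs,
# a sequence that is frequent enough in training but whose confidence is low.
MONITORED_STREAM = NORMAL_CYCLE * 3 + ["stat", "close", "stat", "close"] + NORMAL_CYCLE * 2


def bigrams(stream) -> List[Bigram]:
    """Steps (51)/(82): Seq_j = (s_j, s_{j+1}); a stream of r_i calls gives r_i - 1 sequences."""
    return [(stream[i], stream[i + 1]) for i in range(len(stream) - 1)]


def train_scheme1(streams, minsup, minconf):
    """Steps (51)-(56).
    support(Seq)    = number(Seq) / (r - M)              frequency among all sequences
    confidence(Seq) = number(Seq) / number((s_i*, *))    P(second call | first call)
    Omega_s / Omega_c hold the sequences meeting each threshold; Omega_b is their intersection."""
    number: Counter = Counter()
    first_call: Counter = Counter()              # number((s_i*, *)) per first call
    for stream in streams:
        for seq in bigrams(stream):
            number[seq] += 1
            first_call[seq[0]] += 1
    total = sum(number.values())                 # equals r - M
    support = {seq: n / total for seq, n in number.items()}
    confidence = {seq: n / first_call[seq[0]] for seq, n in number.items()}
    omega_s = {seq for seq, v in support.items() if v >= minsup}
    omega_c = {seq for seq, v in confidence.items() if v >= minconf}
    return omega_s & omega_c, omega_s, omega_c


def detect_scheme1(stream, omega_b, w, threshold):
    """Steps (82)-(85): class(Seq_i) = 1 iff Seq_i in Omega_b, for 1 <= i <= r - 1;
    D(k) = (1/w) * sum_{i=k-w+1}^{k} class(Seq_i) for w <= k <= r - 1; alarm iff D(k) < threshold."""
    classes: Dict[int, int] = {i: int(seq in omega_b)
                               for i, seq in enumerate(bigrams(stream), start=1)}
    decisions: Dict[int, Tuple[float, bool]] = {}
    for k in range(w, len(stream)):              # k runs over w .. r-1
        d = sum(classes[i] for i in range(k - w + 1, k + 1)) / w
        decisions[k] = (d, d < threshold)
    return classes, decisions


def run_example():
    omega_b, omega_s, omega_c = train_scheme1(TRAINING_STREAMS, MINSUP, MINCONF)
    classes, decisions = detect_scheme1(MONITORED_STREAM, omega_b, WINDOW, THRESHOLD)
    return omega_b, omega_s, omega_c, classes, decisions


if __name__ == "__main__":
    omega_b, omega_s, omega_c, classes, decisions = run_example()
    print("support only   :", sorted(omega_s - omega_c))   # frequent, but successor not predictable
    print("confidence only:", sorted(omega_c - omega_s))   # successor predictable, but rare
    print("Omega_b        :", sorted(omega_b))
    for k, (d, alarm) in decisions.items():
        print(f"k={k:2d} D(k)={d:.2f} {'ALARM' if alarm else 'normal'}")
```

With this data (stat, close) reaches the support threshold but only confidence 2/14 and is dropped, (rename, fsync) has confidence 1 but support 1/52 and is dropped, and the two (stat, close) pairs in the monitored stream each yield a class-0 sequence, so $D(k)$ stays below 0.85 for $k = 13$ to $18$.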
8. The program level intrusion detection method based on sequential pattern mining according to claim 6, characterised in that in step (9) the system performs detection according to the second detection scheme by the following specific steps:
(91) the data acquisition and preprocessing module obtains, in real time from the server system, the system call stream produced by the monitored privileged program during the monitored period, and preprocesses it into a parameter-free system call stream of $\bar r$ system calls, $\bar R = (\bar s_1, \bar s_2, \ldots, \bar s_{\bar r})$, where $\bar s_k$ denotes the $k$-th system call in chronological order and $k$ is a natural number in the interval $[1, \bar r]$; each system call in this stream is output to the detection module in turn, in time order;
(92) the detection module reads from the control module the parameters set in step (2) under the training state: the number $W$ of sequence lengths and the sequence lengths $l(1), l(2), \ldots, l(W)$, where $l(j)$ is the $j$-th sequence length and $j$ is a natural number in the interval $[1, W]$;
(93) for each system call $\bar s_k$ ($l(W) \le k \le \bar r$) in the system call stream $\bar R = (\bar s_1, \bar s_2, \ldots, \bar s_{\bar r})$ from the $l(W)$-th system call onward, the detection module forms $W$ system call sequences ending at $\bar s_k$ with lengths $l(1), l(2), \ldots, l(W)$ respectively; these $W$ sequences are denoted $\overline{Seq}_k^1, \overline{Seq}_k^2, \ldots, \overline{Seq}_k^W$, where $\overline{Seq}_k^j$ is the system call sequence of length $l(j)$, i.e. $\overline{Seq}_k^j = (\bar s_{k-l(j)+1}, \bar s_{k-l(j)+2}, \ldots, \bar s_k)$, and $j$ is a natural number in the interval $[1, W]$;
(94) for the $W$ system call sequences $\overline{Seq}_k^1, \ldots, \overline{Seq}_k^W$ ending at $\bar s_k$, the detection module compares $\overline{Seq}_k^j$, in the order $j = 1$ to $W$, with the sequence pattern library $\Omega(j)$ established in step (65): if $\overline{Seq}_k^j \in \Omega(j)$ is satisfied for some $j$, then $class(\bar s_k) = 1$; otherwise $class(\bar s_k) = 0$; that is, if any of the $W$ sequences is identical to some sequence in the normal sequence library $\Omega = \{\Omega(1), \Omega(2), \ldots, \Omega(W)\}$ established in step (65), then $class(\bar s_k) = 1$, otherwise $class(\bar s_k) = 0$; this computation yields the classification sequence $(class(\bar s_{l(W)}), class(\bar s_{l(W)+1}), \ldots, class(\bar s_{\bar r}))$, where $class(\bar s_k)$ denotes the classification of the program behaviour corresponding to system call $\bar s_k$: if $class(\bar s_k) = 1$, the program behaviour corresponding to $\bar s_k$ is normal; if $class(\bar s_k) = 0$, it is abnormal;
(95) the detection module reads from the control module the window length of the second detection scheme set in step (2), applies windowing to the classification sequence and obtains the decision value corresponding to system call $\bar s_k$: $D(k) = \frac{1}{w}\sum_{i=k-w+1}^{k} class(\bar s_i)$, where $w$ is the window length of the second detection scheme set in step (2), $w + l(W) - 1 \le k \le \bar r$, and $k$ increases in steps of 1; the $(w + l(W) - 1)$-th system call and every system call after it in the stream $\bar R = (\bar s_1, \bar s_2, \ldots, \bar s_{\bar r})$ each have a corresponding decision value;
(96) the detection module reads from the control module the decision threshold of the second detection scheme set in step (2) and uses this threshold together with the decision value $D(k)$ to judge the "current behaviour" of the monitored privileged program; the decision rule is: if $D(k)$ is greater than or equal to the decision threshold, the "current behaviour" of the monitored privileged program is judged to be normal, otherwise it is judged to be an attack or intrusion;
in steps (91) to (96) the acquisition of the system calls or system call stream executed by the monitored program, the generation and matching of sequences, the computation of decision values and the judgement of program behaviour are all carried out synchronously.
CN 200510056935 2005-03-23 2005-03-23 Program grade invasion detecting system and method based on sequency mode evacuation Active CN1333553C (en)

Publications (2)

Publication Number Publication Date
CN1649312A CN1649312A (en) 2005-08-03
CN1333553C true CN1333553C (en) 2007-08-22

Family

ID=34876796

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200510056935 Active CN1333553C (en) 2005-03-23 2005-03-23 Program grade invasion detecting system and method based on sequency mode evacuation

Country Status (1)

Country Link
CN (1) CN1333553C (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100407164C (en) * 2006-04-20 2008-07-30 上海浦东软件园信息技术有限公司 Software-action description, fetching and controlling method with virtual address space characteristic
CN101252578B (en) * 2008-04-02 2011-05-11 电子科技大学 Host computer intrude detecting method decomposed based on inherent subsequence mode
CN101976313B (en) * 2010-09-19 2012-09-26 四川大学 Frequent subgraph mining based abnormal intrusion detection method
EP3661245B1 (en) 2011-06-10 2023-08-09 Signify Holding B.V. Avoidance of hostile attacks in a network
CN102647409B (en) * 2012-01-13 2015-02-11 哈尔滨工业大学 Behavior status switching mode identification method of application program for Android-based smart phone
CN102768638B (en) * 2012-05-18 2015-04-29 北京工业大学 Software behavior credibility detecting method based on state transition diagram
CN104933272B (en) * 2014-03-17 2018-01-02 国家电网公司 A kind of method and device of thief-proof electroanalysis
US10093912B2 (en) * 2014-06-06 2018-10-09 Mitsubishi Chemical Corporation Nitrile hydratase
CN104318435A (en) * 2014-09-25 2015-01-28 同济大学 Immunization method for user behavior detection in electronic transaction process
CN106778279B (en) * 2015-11-25 2020-05-15 阿里巴巴集团控股有限公司 Vulnerability mining method and device
CN108600258A (en) * 2018-05-09 2018-09-28 华东师范大学 A kind of method for auditing safely towards Integrated Electronic System self-generating white list
CN109222926B (en) * 2018-06-19 2021-07-09 苗珍录 Intelligent device for monitoring body state
CN110198299B (en) * 2019-03-07 2021-08-17 腾讯科技(深圳)有限公司 Intrusion detection method and device
CN115378702B (en) * 2022-08-22 2024-04-02 重庆邮电大学 Attack detection system based on Linux system call



Legal Events

Code	Title
C06 / PB01	Publication
C10 / SE01	Entry into substantive examination (entry into force of the request for substantive examination)
C14 / GR01	Grant of patent or utility model (patent grant)
C56 / CP03	Change in the name or address of the patentee

Owner name: BEIJING CAPITEK CO, LTD. (former name: BEIJING SHOUXIN SCIENCE AND TECHNOLOGY CO., LTD.)
Patentee before: Beijing Shouxin Science and Technology Co., Ltd., 100016 Beijing city Chaoyang District Dongzhimen Road No. 5
Patentee after: Beijing Capitek Co, Ltd., 100015 Beijing City, Chaoyang District Road No. 5