CN1731310A - Intrusion detection method for host under Windows environment - Google Patents

Info

Publication number
CN1731310A
Authority
CN
China
Prior art keywords
index
single order
native
native api
model
Prior art date
Legal status
Granted
Application number
CN 200510043053
Other languages
Chinese (zh)
Other versions
CN1328638C (en)
Inventor
管晓宏
冯力
孙杰
杨力伟
Current Assignee
Suzhou cyber net Yin Information Technology Development Co Ltd
Original Assignee
Xian Jiaotong University
Priority date
Filing date
Publication date
Events
Application filed by Xian Jiaotong University
Priority to CNB2005100430532A
Publication of CN1731310A
Application granted
Publication of CN1328638C
Legal status: Expired - Fee Related
Anticipated expiration

Abstract

The invention discloses a host intrusion detection method for the Windows environment. It analyzes and establishes a multi-step Native API model for the designated process together with the correlation of its Native API sequences, and uses them to find abnormal intrusions. In the training stage it collects the Native API data of the designated process and stores it in a database. The preliminary analysis of the data comprises a first-order analysis and a second-order analysis, which analyze and process the first-order and second-order state transitions in the collected data set in order to establish a first-order and a second-order model. In the detection stage it computes the normality index of the first-order and second-order Native APIs with an exponential recursive detection algorithm.

Description

Host intrusion detection method under the Windows environment
Technical field
The present invention relates to the technical field of computer network security, and in particular to a host intrusion detection method under the Windows environment.
Background technology
Windows is the world's mainstream desktop operating system, so the impact when it is attacked is very large. From the worldwide outbreak of the "Code Red" worm on August 5, 2001 to the large-scale outbreak of the "Blaster" worm on August 12, 2003, the threats arising from Windows operating system vulnerabilities on the Internet have reached every network user. Below are the economic losses caused by various worm attacks that exploited Windows system vulnerabilities.
Table 1. Economic loss caused by Windows worm outbreaks
Worm | Economic loss | Brief description of the worm
Code Red | 2.62 billion dollars | Exploits the IDA/IDQ ISAPI extension buffer-overflow vulnerability (MS01-33)
Nimda | 640 million dollars | Exploits MS00-78, MS01-20, MS01-21 and the back door left behind by Code Red
Slammer | 1.25 billion dollars | MS SQL Server 2000 remote stack overflow (MS02-39)
Blaster | 2 billion dollars | MS RPC DCOM remotely exploitable buffer overflow (MS03-26)
On today's Internet the worms listed in Table 1 are still propagating and continue to cause economic loss. The "Code Red" worm exploited the Windows IIS ida/idq buffer-overflow vulnerability to intrude, and the "Blaster" worm exploited the buffer-overflow vulnerability of Windows RPC/DCOM to intrude and propagate. All of these worms, which have brought grave danger to the global network, share a common trait: they intrude through a vulnerability of the operating system and, at the same time, replicate, scan and propagate from within the invaded machine. It can be seen from this that hacker intrusions and the spread of worms with intrusion characteristics have brought an enormous threat to our network security. Therefore, actively detecting and guarding against the various intrusions against the Windows platform will greatly improve the security of the Windows platform.
At present, intrusion detection systems on the Windows platform are mainly confined to detecting network packets, for example Snort and RealSecure. In the Windows environment there is still no effective host-based intrusion detection system. Snort and RealSecure on the Windows platform mainly capture network packets and match them against signatures, raising an alarm for network traffic that matches an attack signature. They are not host-based intrusion detection systems, so when the monitored system sits in a switched network or the network data is encrypted they can detect almost nothing; this is the major defect of network intrusion detection systems. The Snare for Windows system released by Intersectalliance only collects and simply displays the various host audit logs and security policies of the Windows system, and achieves unified collection and handling of host anomalous events in a server/client mode. It depends heavily on the audit function of Windows itself, so when the configuration of the Windows auditing system or security policy is changed, the data collected by Snare is directly affected. Snare also lacks modeling and analysis of system behaviour and user behaviour on the host, so its false negative rate and false positive rate are very high, and Snare cannot effectively analyze intrusions automatically. The LinkTrust HIDS released by iS-One China mainly analyzes the system logs and network behaviour of the various hosts; it relies mainly on features of the network or the host system for its checks and analysis, performs no anomaly analysis of the kernel-level Native API sequences of the Windows host, and produces a large number of false positives and false negatives. Because it collects and analyzes a large number of resources in the system, using the numerous functions of LinkTrust HIDS also places a very large load on the host. Tripwire is a file and directory integrity checking tool: it performs MD5 verification of designated files and helps system administrators and users monitor any change to critical files and directories. By formulating some basic security policies, Tripwire reports to the system administrator when a file is destroyed or tampered with, and the administrator manually takes preventive or remedial measures. At present Tripwire determines whether an intrusion has occurred by analyzing which files and registry entries in the Windows system have been accessed. Since it cannot fully monitor the whole file system in real time and can only record changes to files or the registry periodically and match them to raise alarms, real-time detection is hard to achieve on the one hand, and on the other hand the user's own installs and uninstalls also cause a large number of false positives. Roberto et al. proposed the extended access control system WHIPS under the Windows XP environment. This access control system is implemented as a kernel driver; it classifies the Native APIs of the Windows XP system and summarizes the critical and dangerous Native APIs. WHIPS is mainly used to detect critical and dangerous Native APIs under the Windows environment and to take safety measures: each critical system service triggered by a process is filtered by a reference monitor, which judges whether it is a dangerous system service; if it is not dangerous it is passed directly to the kernel for execution, otherwise it is stopped and not allowed to execute. The whole control process of the reference monitor runs under the control policy provided by a special small database (the Access Control Database, ACD). But the WHIPS model proposed by Roberto et al. is essentially based on a rule base: in the access control process it only matches the rules in the rule base and therefore takes simple control actions such as allowing or disallowing execution, and it cannot effectively judge the occurrence of abnormal intrusions in the system.
Therefore, in view of the deficiencies of these systems in anomaly intrusion detection research on the Windows platform, and combining the advantages of these systems, we propose using Windows Native API data as the information source, establishing a multi-step consistency model of normal system behaviour, and beginning anomaly detection work under the Windows environment with it. Establishing the detection model on the Windows platform through the kernel functions (Native APIs) makes it possible to observe and analyze, from the bottom of the system, the more threatening attacks such as buffer overflow attacks and denial-of-service attacks, and it is essentially different from network intrusion detection systems, which detect attack signature packets obtained from the network. Realizing anomaly detection under the Windows environment will play a huge role in stopping hacker attacks and guarding against the large-scale spread of worms.
Summary of the invention
The object of the invention is to overcome the shortcomings of the above prior art and to provide a host intrusion detection method under the Windows environment which obtains the Windows kernel-level system call functions (Native APIs), establishes a Multi-Steps Native APIs Consistency Model (MSNACM) corresponding to each process and, in real-time detection, detects and raises alarms on various intrusion behaviours by means of an exponential recursive detection method.
For achieving the above object, the technical solution used in the present invention is:
1) Acquisition of the system data (Native APIs)
Each time the designated process initiates a system service call request, the driver device is first loaded into the kernel of the Windows system through its DriverEntry routine. This driver uses the KeServiceDescriptorTable data structure to access and modify the System Service Dispatch Table (SSDT), determining the address of the system service dispatch table from KeServiceDescriptorTable. The system first backs up the original SSDT; then, for each Native API an intercept function is configured, and the call addresses of these functions are written into the "Function addr" entries of the original system service dispatch table in one-to-one correspondence, so that the function pointers point to the intercept functions. By intercepting the system service table of the Windows host in this way, all data related to each Native API produced by the designated process in the operating system is obtained; the data comprise the name, ID and parameter length information of the Native API function. After this information has been intercepted, the intercept routine exits and returns to the execution of the called system service;
2) A normal behaviour model of the process in the Windows operating system is established from the acquired Native API data, and abnormal conditions in the system are detected with this model
The acquired Native API data is trained with the multi-step consistency modeling method: a first-order and a second-order consistency model are set up in the database from 2-tuples $\{B_k, O_k\}$. The first-order consistency model is represented by the 2-tuple $\{B_k, O_k\}$, where $B_k$ is the frequency of occurrence of Native API $s_k$ in the training set and $O_k$ is the first-order correlation index, that is, the position of $B_k$ when all $B_k$ in the set are arranged in ascending order. The 2-tuple $\{B_k, O_k\}$ establishes a relation mapping table between each Native API in the training set $T_S^{(1)}$ and the observed process. In general, the first-order consistency model is expressed as:
$$M_1 = \{(B_1, O_1), \ldots, (B_k, O_k)\} \quad (1 \le k \le n)$$
Similarly, the 2-tuple $\{B_{(k-1)k}, O_{(k-1)k}\}$ represents the second-order consistency model, which establishes a relation mapping table between each Native API pair in the training set $T_S^{(2)}$ and the observed process:
$$M_2 = \{(B_{12}, O_{12}), \ldots, (B_{(k-1)k}, O_{(k-1)k})\} \quad (1 \le k \le n);$$
3) Exponential Recursive Detection Algorithm (ERDA): the normality index corresponding to each Native API is computed iteratively, giving the degree of correlation between it and the detected process, so that abnormal intrusions are discovered through the change of the fluctuation index
Definitions
$E(s_k)$: the normality index of the process behaviour when the current Native API in the Native API sequence is $s_k$;
$E(s_{k-1}, s_k)$: the normality index of the process behaviour when the current Native API pair in the Native API sequence is $(s_{k-1}, s_k)$;
$G$: the current sequence correlation index, which measures the maximal degree of correlation between the sequence of the current length and the normal-behaviour process;
$f(s_k)$: the deviation function, which measures the effect an unexpected Native API has on the normal behaviour of the designated process; that is, when the Native API $s_k$ following $s_{k-1}$ is not in the first-order model $M_1$, the weighted correlation measure of the influence of this situation on a normal process is computed from the previously seen Native API $s_{k-b}$. $f(s_k)$ is defined as follows:
$$f(s_k) = \hat O_k \cdot \hat B_k$$
$\hat B_k$: estimate of the first-order relative potential ratio;
$\hat O_k$: estimate of the first-order correlation index.
Algorithm description
Step 1:
$$E(s_0) = e^{-1/B_0'} \quad (s_0 \in T_S) \qquad (1\text{-}1)$$
$$G = B_0'$$
Step k:
Case $s_{k-1} \in M_1,\ s_k \in M_1,\ (s_{k-1}, s_k) \in M_2$:
$$E(s_{k-1}, s_k) = e^{-1/G}, \quad G = G + B_k + B_{(k-1)k} \qquad (1\text{-}2)$$
Case $s_{k-1} \notin M_1,\ s_k \notin M_1,\ (s_{k-1}, s_k) \notin M_2,\ k > b$:
$$E(s_{k-1}, s_k) = e^{-1/G}, \quad \hat B_k = B_{k-b},\ \hat O_k = O_{k-b}\ (\exists\, s_{k-b} \in M_1 \text{ and } k-b \to \min), \quad G = \begin{cases} (G - \hat B_k) \cdot 0.5 & (G > \hat B_k) \\ G \cdot 0.5 & (G < \hat B_k) \end{cases} \qquad (1\text{-}3)$$
Case $s_{k-1} \in M_1,\ s_k \notin M_1,\ (s_{k-1}, s_k) \notin M_2,\ k > b$:
$$E(s_{k-1}, s_k) = e^{-1/G}, \quad \hat B_k = B_{k-b},\ \hat O_k = O_{k-b}\ (\exists\, s_{k-b} \in M_1 \text{ and } k-b \to \min), \quad G = \begin{cases} (G + \hat B_k - f(s_k)) \cdot 0.5 & (G + \hat B_k > f(s_k)) \\ (G + \hat B_k) \cdot 0.5 & (G < \hat B_k) \end{cases} \qquad (1\text{-}4)$$
Case $s_{k-1} \in M_1,\ s_k \in M_1,\ (s_{k-1}, s_k) \notin M_2,\ k > b$:
$$E(s_{k-1}, s_k) = e^{-1/G}, \quad \hat B_k = B_{k-b},\ \hat O_k = O_{k-b}\ (\exists\, s_{k-b} \in M_1 \text{ and } k-b \to \min), \quad G = (G + f(s_k)) \cdot 0.5 \qquad (1\text{-}5)$$
Case $s_{k-1} \notin M_1,\ s_k \in M_1,\ (s_{k-1}, s_k) \notin M_2,\ k > b$:
$$E(s_{k-1}, s_k) = e^{-1/G}, \quad \hat B_k = B_{k-b},\ \hat O_k = O_{k-b}\ (\exists\, s_{k-b} \in M_1 \text{ and } k-b \to \min), \quad G = 0.5\,G + f(s_k) \qquad (1\text{-}6)$$
As shown in formulas (1-1) to (1-6), the exponential recursive detection method iteratively computes the normality index of each Native API and Native API pair that appears. As shown in (1-2), in the initial step the first-order potential ratio of the initial Native API is looked up in the first-order consistency model and used as the initialization value of $E(s_0)$. From the second step until the process ends, the corresponding normality index $E(s_{k-1}, s_k)$ is computed by adjusting the correlation index and the weight $O_k$ of the current Native API pair $(s_{k-1}, s_k)$. Based on experimental testing in a real environment, five cases, (1-2) to (1-6), are distinguished according to whether $s_{k-1}$ and $s_k$ belong to the first-order consistency model $M_1$ and whether $(s_{k-1}, s_k)$ belongs to the second-order consistency model $M_2$. Formula (1-2) covers the case in which $s_k$ and $s_{k-1}$ both belong to $M_1$ and at the same time $(s_{k-1}, s_k)$ belongs to $M_2$; the correlation index $G$ is then computed by cumulatively summing the first-order and second-order potential ratios. Once $s_{k-1}$, $s_k$ and $(s_{k-1}, s_k)$ have no mapping relation with the first-order and second-order consistency models $M_1$ and $M_2$, the corresponding normality index is computed according to the four cases described by formulas (1-3) to (1-6). As shown in (1-3) to (1-6), when $s_{k-1} \notin M_1$, $s_k \notin M_1$ and $(s_{k-1}, s_k) \notin M_2$, the current $s_{k-1}$ and $s_k$ do not belong to $M_1$ and $(s_{k-1}, s_k)$ does not belong to $M_2$ either; they are all inconsistent with the multi-step consistency model, so the correlation between the currently observed sequence $(s_{k-1}, s_k)$ and the multi-step model becomes very small. Therefore the first-order relative potential ratio of $s_{k-b}$ is taken as the estimate $\hat B_k$ of the first-order relative potential ratio of $s_k$ (where $s_{k-b}$ is the nearest Native API before $s_k$, $b$ steps back, that is consistent with the first-order consistency model $M_1$). If the current correlation index $G$ is greater than $\hat B_k$, then $\hat B_k$ is subtracted from $G$ and the result is multiplied by the relative loss value 0.5 to give the correlation index of the currently observed sequence $(s_{k-1}, s_k)$; if the current correlation index $G$ is less than $\hat B_k$, this indicates that $G$ is already small, and the observed sequence $(s_{k-1}, s_k)$ keeps only half of the previous total correlation $G$. In both cases the first-order relative potential ratio $B_{k-b}$ of $s_{k-b}$ is chosen as the estimate $\hat B_k$ of the first-order relative potential ratio of $s_k$. When $s_k$ is inconsistent with the first-order consistency model $M_1$, the first-order relative potential ratio of $s_{k-b}$, the nearest Native API before $s_k$ that is consistent with $M_1$, is taken as equal to the first-order relative potential ratio of $s_k$, although their influence on the system differs;
4) The proposed alarm extraction algorithm accurately finds and extracts the anomalous events that appear in the continuously fluctuating exponential recursive detection values and raises correct alarms. The fluctuation index $F_{ij}$ is defined as follows:
$$F_{ij} = \sum_{i=k}^{k+WL} E(s_i, s_{i+1}) - \sum_{j=k-WL}^{k} E(s_j, s_{j+1}) \quad (WL \le i \le n - WL - 1) \qquad (1\text{-}7)$$
where $WL$ is the moving window length;
From the definition of the fluctuation index $F_{ij}$ it can be seen that the sum of the exponential recursive detection values of window $i$ minus the sum of the exponential recursive detection values of window $j$ is exactly the fluctuation between windows $i$ and $j$, and three cases arise:
$$F_{ij} = \begin{cases} F_{ij} > 0 \\ F_{ij} = 0 \\ F_{ij} < 0 \end{cases} \qquad (1\text{-}8)$$
When $F_{ij} > 0$, the exponential recursive detection values of window $i$ are greater than those of window $j$, which indicates that the detection value fluctuates upward and the system tends toward normal; when $F_{ij} < 0$, the detection values of window $i$ are less than those of window $j$, which indicates that the detection value fluctuates downward and the system tends toward abnormal; when $F_{ij} = 0$, there is no fluctuation between window $i$ and window $j$, and the system state is unchanged;
Moving window length $WL$: $WL$ is chosen so that
$$F_{ij} = \sum_{i=k}^{k+WL} E(s_i, s_{i+1}) - \sum_{j=k-WL}^{k} E(s_j, s_{j+1})$$
reaches its maximum, that is:
$$WL = WL(i, j) \quad \text{iff} \quad \left( \sum_{i=k}^{k+WL} E(s_i, s_{i+1}) - \sum_{j=k-WL}^{k} E(s_j, s_{j+1}) \right) \to \max \qquad (1\text{-}9)$$
Taking $WL = 30$ as the moving window length for the measurements keeps the number of alarms small while giving almost no false negatives;
5) For a process whose exponential recursive detection value has become small, the currently observed process or the behaviour of its thread is prohibited: the PostThreadMessage() or PostMessage() function is used to send a WM_QUIT or WM_DESTROY message to the designated thread, forcibly terminating the malicious thread.
The present invention is an exponential recursive detection method based on the multi-step Native API consistency model; it discovers abnormal intrusions by analyzing and establishing the correlation between the multi-step Native API consistency model of the designated process under the Windows environment and the Native API sequence produced by the detected process.
Description of drawings
Fig. 1 is a schematic diagram of how the present invention intercepts the Windows system service dispatch table;
Fig. 2 is the detection result of the present invention for an intrusion attack on the RPC/DCOM vulnerability (MS03-026), where the abscissa is the Native API step number produced by the detected process Svchost.exe and the ordinate is the normality index;
Fig. 3 is the intrusion detection result (1) of the present invention for the RPC/DCOM long filename heap overflow vulnerability (MS03-039), where the abscissa is the Native API step number produced by the detected process Svchost.exe and the ordinate is the normality index;
Fig. 4 is the intrusion detection result (2) of the present invention for the RPC/DCOM long filename heap overflow vulnerability (MS03-039), where the abscissa is the Native API step number produced by the detected process Svchost.exe and the ordinate is the normality index;
Fig. 5 is the intrusion detection result of the present invention for the RPC Locator buffer-overflow vulnerability, where the abscissa is the Native API step number produced by the detected process Svchost.exe and the ordinate is the normality index;
Fig. 6 is the intrusion detection result of the present invention for the .ida/.idq vulnerability (MS01-033) of the IIS Index Server, where the abscissa is the Native API step number produced by the detected process Inetinfo.exe and the ordinate is the normality index;
Fig. 7 is the intrusion detection result of the present invention for the .printer ISAPI extension remote vulnerability (MS01-023), where the abscissa is the Native API step number produced by the detected process Inetinfo.exe and the ordinate is the normality index;
Fig. 8 is the intrusion detection result of the present invention for the IIS Unicode directory traversal vulnerability (MS00-078), where the abscissa is the Native API step number produced by the detected process Inetinfo.exe and the ordinate is the normality index;
Fig. 9 is the detection result of the present invention for the ASN.1 library BER decoding heap corruption denial-of-service attack (MS04-007), where the abscissa is the Native API step number produced by the detected process Lsass.exe and the ordinate is the normality index.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, when an application (Application) runs in user mode, it calls the wrapper functions (Win32 API) in the dynamic link library Kernel32.dll; the Win32 API wrappers in Kernel32.dll in turn call the functions wrapped in the dynamic link library Ntdll.dll, which actually call the corresponding system service, and the call function KiSystemService() then executes the interrupt instruction INT 2E, which switches the processor (CPU) to kernel mode and executes the handler designated in the interrupt descriptor table. This handler copies the parameters from the user-mode stack to the kernel-mode stack, and the contents of the EDX register point to the base address of the stack frame of the incoming parameters. When the Win32 API wrapper called by the application in user-mode space looks up and executes the corresponding system service in the System Service Dispatch Table in kernel-mode space, the present invention intercepts at this point, because the original system service dispatch table has been replaced by the system service index (the SSDT newpointers) of the present invention: the system call is redirected to the intercepting system service (Native API) of the present invention, which audits the intercepted data. These audit data comprise the name, ID and parameter length information of the intercepted system service (Native API) function. After the intercepted system service Native API has executed and the corresponding information has been obtained, the intercept routine exits and returns to the original Native API that is really to be executed; the processor then executes the sequence of original Native APIs that were invoked (for example the create-file system service NtCreateFile, the read-file system service NtReadFile and the close-file system service NtClose) to complete the designated function that was really invoked.
Each time the designated process initiates a system service call request, it enters the intercept process above. A running user-space application produces a large number of Native APIs to complete its designated functions, and these Native APIs form a sequence. The Native API sequence produced when a process runs under normal circumstances is relatively stable. Using the information of the Native APIs, a normal model is established for the normal state of the Windows operating system, and abnormal conditions in the system are detected with this model. Since Native APIs appear in the form of sequences, the present invention can train on the Native API sequences produced under normal conditions, establish the corresponding normal model, and then detect with this model. To detect abnormal intrusions effectively, the present invention designs a Multi-Steps Consistency Model (MSCM) of Native APIs. Realizing this model is divided into two stages: a training stage and a testing stage. In the training stage, the Native API data of the designated process is collected and stored in a database. The analysis of the raw data comprises a first-order analysis and a second-order analysis, which mainly analyze and process the first-order and second-order state transitions in the data set and establish the first-order and second-order models. In the testing stage, the multi-step Native API consistency model uses the exponential recursive detection algorithm to compute the normality index values of the first-order and second-order Native APIs in the first-order and second-order models.
Before introducing the multi-step Native API consistency model, the present invention describes some of the data involved in it. The present invention defines the first-order raw training set as $T_S^{(1)} = \{s_0, \ldots, s_{n-1}\}$, where $s_k$ denotes the designated Native API observed being called by the process. It is intercepted directly from the running process and does not pass through any processing; therefore some Native APIs will repeat in $T_S$. The ratio between the number of times a designated Native API repeats and the total number of Native APIs contained in the raw training set $T_S$ is:
$$B_k = \frac{|s_k|}{n} = \frac{m}{n}$$
where $|s_k| = m$ is the multiplicity of Native API $s_k$ in the training set $T_S$, that is, the potential (cardinality) of $s_k$ in $T_S^{(1)}$. The present invention calls $B_k$ the first-order relative potential ratio.
Similarly, for the second-order raw training set $T_S^{(2)} = \{(s_0, s_1), \ldots, (s_{n-1}, s_n)\}$ the second-order relative potential ratio is:
$$B_{(k-1)k} = \frac{|(s_{k-1}, s_k)|}{n} = \frac{m_{(k-1)k}}{n}$$
where $|(s_{k-1}, s_k)| = m_{(k-1)k}$ is the multiplicity of the Native API pair $(s_{k-1}, s_k)$ in the second-order raw training set $T_S^{(2)}$.
The multi-step consistency model comprises the first-order and the second-order consistency model. They measure the degree of correlation between a designated Native API sequence and the observed object. The first-order consistency model can be represented by the 2-tuple $\{B_k, O_k\}$, where $B_k$ denotes the frequency of occurrence of Native API $s_k$ in the training set and $O_k$ is the first-order correlation index, that is, the position of $B_k$ when all $B_k$ in the set are arranged in ascending order. The 2-tuple $\{B_k, O_k\}$ establishes a relation mapping table between each Native API in the training set $T_S^{(1)}$ and the associated process. In general, the first-order consistency model is expressed as:
$$M_1 = \{(B_1, O_1), \ldots, (B_k, O_k)\} \quad (1 \le k \le n)$$
Similarly, the present invention uses the 2-tuple $\{B_{(k-1)k}, O_{(k-1)k}\}$ to represent the second-order consistency model. It establishes a relation mapping table between each Native API pair in the training set $T_S^{(2)}$ and the associated process:
$$M_2 = \{(B_{12}, O_{12}), \ldots, (B_{(k-1)k}, O_{(k-1)k})\} \quad (1 \le k \le n)$$
Generally, in order to recognize a sequence object, the more nodes of the observed object that have appeared, the more accurately the object can be identified. Abnormal intrusions are discovered by analyzing the correlation between the Native APIs and the Native API sequence of the detected process.
Definitions
$E(s_k)$: the normality index of the process behaviour when the current Native API in the Native API sequence is $s_k$.
$E(s_{k-1}, s_k)$: the normality index of the process behaviour when the current Native API pair in the Native API sequence is $(s_{k-1}, s_k)$.
$G$: the current sequence correlation index. It measures the maximal degree of correlation between the sequence of the current length and the normal-behaviour process.
$f(s_k)$: the deviation function. It measures the effect an unexpected Native API has on the normal behaviour of the designated process; that is, when the Native API $s_k$ following $s_{k-1}$ is not in the first-order model $M_1$, we compute from the previously seen Native API $s_{k-b}$ the weighted correlation measure of the influence of this situation on a normal process. $f(s_k)$ is defined as follows:
$$f(s_k) = \hat O_k \cdot \hat B_k$$
$\hat B_k$: estimate of the first-order relative potential ratio;
$\hat O_k$: estimate of the first-order correlation index.
Algorithm description
Step 1:
$$E(s_0) = e^{-1/B_0'} \quad (s_0 \in T_S) \qquad (1\text{-}1)$$
$$G = B_0'$$
Step k:
Case $s_{k-1} \in M_1,\ s_k \in M_1,\ (s_{k-1}, s_k) \in M_2$:
$$E(s_{k-1}, s_k) = e^{-1/G}, \quad G = G + B_k + B_{(k-1)k} \qquad (1\text{-}2)$$
Case $s_{k-1} \notin M_1,\ s_k \notin M_1,\ (s_{k-1}, s_k) \notin M_2,\ k > b$:
$$E(s_{k-1}, s_k) = e^{-1/G}, \quad \hat B_k = B_{k-b},\ \hat O_k = O_{k-b}\ (\exists\, s_{k-b} \in M_1 \text{ and } k-b \to \min), \quad G = \begin{cases} (G - \hat B_k) \cdot 0.5 & (G > \hat B_k) \\ G \cdot 0.5 & (G < \hat B_k) \end{cases} \qquad (1\text{-}3)$$
Case $s_{k-1} \in M_1,\ s_k \notin M_1,\ (s_{k-1}, s_k) \notin M_2,\ k > b$:
$$E(s_{k-1}, s_k) = e^{-1/G}, \quad \hat B_k = B_{k-b},\ \hat O_k = O_{k-b}\ (\exists\, s_{k-b} \in M_1 \text{ and } k-b \to \min), \quad G = \begin{cases} (G + \hat B_k - f(s_k)) \cdot 0.5 & (G + \hat B_k > f(s_k)) \\ (G + \hat B_k) \cdot 0.5 & (G < \hat B_k) \end{cases} \qquad (1\text{-}4)$$
Case $s_{k-1} \in M_1,\ s_k \in M_1,\ (s_{k-1}, s_k) \notin M_2,\ k > b$:
$$E(s_{k-1}, s_k) = e^{-1/G}, \quad \hat B_k = B_{k-b},\ \hat O_k = O_{k-b}\ (\exists\, s_{k-b} \in M_1 \text{ and } k-b \to \min), \quad G = (G + f(s_k)) \cdot 0.5 \qquad (1\text{-}5)$$
Case $s_{k-1} \notin M_1,\ s_k \in M_1,\ (s_{k-1}, s_k) \notin M_2,\ k > b$:
$$E(s_{k-1}, s_k) = e^{-1/G}, \quad \hat B_k = B_{k-b},\ \hat O_k = O_{k-b}\ (\exists\, s_{k-b} \in M_1 \text{ and } k-b \to \min), \quad G = 0.5\,G + f(s_k) \qquad (1\text{-}6)$$
As described above, the present invention proposes the index iterative detection algorithm, which iteratively computes the normal index of each Native API and Native API pair as it appears. At the initial step, formula (1-1), the first-order potential ratio of the initial Native API is looked up in the first-order consistency model and used as the initialization value of E(s_0). From the second step until the process ends, the normal index E(s_{k-1}, s_k) of the current Native API pair (s_{k-1}, s_k) is computed by adjusting the correlation index and the weight O_k. From experiments in a real environment, five cases must be considered, according to whether s_{k-1} and s_k belong to M_1 and whether (s_{k-1}, s_k) belongs to M_2; they correspond to formulas (1-2) to (1-6). If, as in (1-2), s_k and s_{k-1} belong to M_1 and (s_{k-1}, s_k) belongs to M_2, the correlation index G is computed by cyclically accumulating the first-order relative potential and the second-order potential. Once s_{k-1}, s_k and (s_{k-1}, s_k) have no mapping relation at all to the first- and second-order consistency models M_1 and M_2, the corresponding normal index is computed by one of the other four cases, formulas (1-3) to (1-6). When $s_{k-1} \notin M_1$, $s_k \notin M_1$ and $(s_{k-1}, s_k) \notin M_2$, neither the current s_{k-1} nor s_k belongs to M_1 and (s_{k-1}, s_k) does not belong to M_2 either; all of them are inconsistent with the multi-step consistency model, so the correlation between the currently observed sequence (s_{k-1}, s_k) and the multi-step model becomes very small. Therefore the first-order relative potential of s_{k-b} is taken as the estimate of the first-order relative potential of s_k (where s_{k-b} is the nearest preceding Native API consistent with M_1, b positions before s_k). If the current correlation index G is greater than $\hat{B}_k$, then $\hat{B}_k$ is subtracted from G and the result is multiplied by the relative loss value 0.5 to give the correlation index of the currently observed sequence (s_{k-1}, s_k); if the current correlation index G is less than $\hat{B}_k$, G is already small, and the observed sequence (s_{k-1}, s_k) is taken to retain only half of the previous overall characteristic value. The first-order relative potential B_{k-b} of s_{k-b} is chosen as the estimate $\hat{B}_k$ of the first-order relative potential of s_k on the following assumption: when s_k is inconsistent with M_1, the first-order relative potential of s_{k-b}, the nearest preceding Native API consistent with M_1, is taken to equal that of s_k, while their influence on the system differs. We consider this assumption reasonable in a real environment.
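The following added example (not part of the patent's text) implements the index iterative detection algorithm of formulas (1-1) to (1-6) over a constructed first-order model M_1 (Native API name to first-order relative potential B and correlation weight O), a constructed second-order model M_2 (pair to second-order potential) and constructed Native API sequences. The model values, the Native API names, and the choice to apply each step's update of G before evaluating E = e^{-1/G} are assumptions, not values from the patent.

```python
import math

# Constructed first-order consistency model M_1 (assumption, not trained data):
# Native API name -> (B: first-order relative potential, O: correlation weight).
M1 = {
    "NtOpenFile": (0.30, 0.9),
    "NtReadFile": (0.25, 0.8),
    "NtClose": (0.20, 0.7),
    "NtQueryInformationFile": (0.15, 0.6),
}

# Constructed second-order consistency model M_2 (assumption):
# (s_{k-1}, s_k) -> B_(k-1)k, the second-order potential of the pair.
M2 = {
    ("NtOpenFile", "NtReadFile"): 0.35,
    ("NtReadFile", "NtClose"): 0.30,
    ("NtOpenFile", "NtQueryInformationFile"): 0.20,
    ("NtQueryInformationFile", "NtReadFile"): 0.25,
}

LOSS = 0.5  # relative loss value used by formulas (1-3) to (1-6)


def normal_index(G):
    """E = e^{-1/G}; a non-positive G is treated as total inconsistency (E = 0)."""
    return math.exp(-1.0 / G) if G > 0 else 0.0


def nearest_consistent(seq, k, m1):
    """(B_{k-b}, O_{k-b}) of the nearest preceding s_{k-b} in M_1 (k - b minimal).

    s_0 is required to be in M_1, so a consistent predecessor always exists.
    """
    for idx in range(k - 1, -1, -1):
        if seq[idx] in m1:
            return m1[seq[idx]]
    raise ValueError("no consistent predecessor: s_0 must be in M_1")


def index_iterative_detection(seq, m1=M1, m2=M2):
    """Run formulas (1-1) to (1-6) over a Native API sequence.

    Returns (E, G_trace): E[0] = E(s_0), E[k] = E(s_{k-1}, s_k);
    G_trace[k] is the correlation index after step k.
    """
    if seq[0] not in m1:
        raise ValueError("s_0 must belong to the first-order model (s_0 in T_S)")
    G = m1[seq[0]][0]            # (1-1): G = B'_0
    E = [normal_index(G)]        # E(s_0) = e^{-1/B'_0}
    G_trace = [G]
    for k in range(1, len(seq)):
        prev, cur = seq[k - 1], seq[k]
        in_prev, in_cur = prev in m1, cur in m1
        in_pair = in_prev and in_cur and (prev, cur) in m2
        if in_pair:
            # (1-2): fully consistent pair, accumulate first- and second-order potentials.
            G = G + m1[cur][0] + m2[(prev, cur)]
        else:
            B_hat, O_hat = nearest_consistent(seq, k, m1)
            f = O_hat * B_hat                      # deviation function f(s_k)
            if not in_prev and not in_cur:
                # (1-3): neither API is known; subtract B_hat when G exceeds it, else halve G.
                G = (G - B_hat) * LOSS if G > B_hat else G * LOSS
            elif in_prev and not in_cur:
                # (1-4): known predecessor, unknown current API.
                G = ((G + B_hat - f) if G + B_hat > f else (G + B_hat)) * LOSS
            elif in_prev and in_cur:
                # (1-5): both APIs known but the pair is not in M_2.
                G = (G + f) * LOSS
            else:
                # (1-6): unknown predecessor followed by a known API.
                G = LOSS * G + f
        # Assumption: E for step k is evaluated from G after the step's update.
        E.append(normal_index(G))
        G_trace.append(G)
    return E, G_trace


if __name__ == "__main__":
    normal = ["NtOpenFile", "NtReadFile", "NtClose", "NtOpenFile"]
    anomalous = ["NtOpenFile", "NtReadFile", "NtUnknownA", "NtUnknownB", "NtClose"]
    for name, seq in (("normal", normal), ("anomalous", anomalous)):
        E, G = index_iterative_detection(seq)
        print(name, [round(e, 4) for e in E], [round(g, 4) for g in G])
```

The anomalous sequence exercises cases (1-4), (1-3) and (1-6) in turn, and its normal index collapses toward 0 while the consistent sequence's index keeps growing.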
In experiments that use Native API information to detect intrusions, it was found that when a real intrusion occurs the value of E(s_k, s_j) fluctuates strongly, but does not simply fall monotonically to some minimum; instead it rises and falls repeatedly throughout the process. The reason is that the anomalous Native API sequence generated by an intrusion, $T_s^a = \{s_0, \dots, s_{n-1}\}$, contains first-order APIs s_k and second-order API pairs (s_k, s_j) that are partly normal and partly anomalous; it is a mixture of normal and anomalous calls. Because the many anomalous API calls mixed into the normal Native APIs cause large up-and-down swings, the present invention defines a fluctuation index to describe this phenomenon and to evaluate the situation better. By means of the fluctuation index the present invention can determine uniquely whether an intrusion has really occurred, avoid repeated alarms, and thereby produce correct alarms. The present invention defines the following fluctuation index $F_{ij}$:
$F_{ij} = \sum_{i=k}^{k+WL} E(s_i, s_{i+1}) - \sum_{j=k-WL}^{k} E(s_j, s_{j+1}) \quad (WL \le i \le n - WL - 1)$  (1-7)
where WL is the moving window length.
From the definition of the fluctuation index $F_{ij}$ it can be seen that subtracting the sum of the index iterative detection rates of window j from that of window i gives the fluctuation between windows i and j, with the following three cases:
$F_{ij} = \begin{cases} F_{ij} > 0 \\ F_{ij} = 0 \\ F_{ij} < 0 \end{cases}$  (1-8)
When $F_{ij} > 0$, the index iterative detection rate of window i is greater than that of window j, indicating that the index iterative detection value fluctuates upward and the system tends toward normal; when $F_{ij} < 0$, the index iterative detection rate of window i is less than that of window j, indicating that the index iterative detection value fluctuates downward and the system tends toward abnormal; when $F_{ij} = 0$, there is no fluctuation between window i and window j and the system state is unchanged.
The choice of moving window length ultimately affects alarm extraction. If the moving window is too small, the index iterative detection rate in each window is closer to the value of the Native APIs that actually occur in the window, but because the window is small, frequent fluctuations produce a large number of alarms and hinder the observation of the present invention. If the moving window is too large, the number of alarms is greatly reduced and observation becomes more convenient, but because the window is so large the average index iterative detection rate of the Native APIs within the window may become larger, and its difference from the actual value may cause wrong alarms to be extracted or important alarms to be missed. A suitable WL is chosen so that
$F_{ij} = \sum_{i=k}^{k+WL} E(s_i, s_{i+1}) - \sum_{j=k-WL}^{k} E(s_j, s_{j+1})$ reaches its maximum, that is:
$WL = WL(i, j) \quad \text{iff} \quad \left( \sum_{i=k}^{k+WL} E(s_i, s_{i+1}) - \sum_{j=k-WL}^{k} E(s_j, s_{j+1}) \right) \to \max$  (1-9)
Through extensive experiment and observation, the present invention takes WL = 30 as the moving window length, which keeps the number of alarms small while leaving almost no missed-report rate.
The purpose of alarm extraction is to enable the present invention to find and extract anomalous events that have occurred amid the continuous variation and fluctuation of the index iterative detection rate, and to raise correct alarms. This is done by analysing the variation of the index iterative detection rate within a time period and mapping it correctly to a specific intrusion event; this function lets the administrator observe and handle the related alarms easily. The basic principle of the alarm extraction algorithm is as follows:
If between two minimal fluctuation indices of the index iterative detection rate there is at least one maximal fluctuation index of the index iterative detection rate, then one anomalous intrusion or attack is considered to have occurred between those two minimal fluctuation indices. That is, when $F_{(i-l)(j-l)} \to \min$ and $F_{(i+h)(j+h)} \to \min$, if there exists at least one $F_{ij} \to \max$, then an anomaly or attack $\alpha_{lh} \in A$ is considered to have occurred between the moving windows (i-l), (j-l) and (i+h), (j+h). Formally:
$\alpha_{lh} \in A \Leftrightarrow \{\exists\, F_{ij} \to \max\} \cap \{(F_{(i-l)(j-l)} \to \min) \cap (F_{(i+h)(j+h)} \to \min)\}$  (1-10)
where A is the complete set of extracted alarms.
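The following added example (not from the patent) computes the fluctuation index of formula (1-7) over a constructed sequence of index iterative detection values and applies the alarm extraction rule of (1-10). Assumptions: each window sum is divided by WL so that F stays in [-1, 1] like the values the experiments report, "→ min" is read as |F| ≤ min_eps and "→ max" as |F| ≥ max_threshold, and WL = 5 is used instead of the page's 30 so the constructed sequences stay short.

```python
def fluctuation_index(E, WL):
    """Formula (1-7): F[k] for WL <= k <= n - WL - 1, None outside that range.

    Assumption: each window sum is divided by WL (the mean index iterative
    detection rate of the window) so F lies in [-1, 1] for E values in [0, 1].
    """
    n = len(E)
    F = [None] * n
    for k in range(WL, n - WL):
        forward = sum(E[k:k + WL + 1])          # sum_{i=k}^{k+WL} E(s_i, s_{i+1})
        backward = sum(E[k - WL:k + 1])         # sum_{j=k-WL}^{k} E(s_j, s_{j+1})
        F[k] = (forward - backward) / WL
    return F


def max_fluctuation(F):
    """Max(F_ij) as reported in the experiments: the largest |F| over the sequence."""
    return max((abs(v) for v in F if v is not None), default=0.0)


def extract_alarms(F, min_eps=0.01, max_threshold=0.5):
    """Alarm extraction after formula (1-10).

    One alarm (l, h) is produced when, between two positions where F -> min
    (|F| <= min_eps), at least one position has F -> max (|F| >= max_threshold).
    Several peaks inside the same span yield a single alarm, not repeated alarms.
    """
    alarms = []
    last_quiet = None       # index of the most recent F -> min position
    peak_seen = False       # has F -> max occurred since last_quiet?
    for k, v in enumerate(F):
        if v is None:
            continue
        if abs(v) <= min_eps:
            if peak_seen and last_quiet is not None:
                alarms.append((last_quiet, k))
            last_quiet, peak_seen = k, False
        elif abs(v) >= max_threshold and last_quiet is not None:
            peak_seen = True
    return alarms


def build_sequence(*runs):
    """Constructed E sequence from (value, length) runs: a plateau near 1
    interrupted by a collapse to 0, as the experiments describe."""
    seq = []
    for value, length in runs:
        seq.extend([value] * length)
    return seq


if __name__ == "__main__":
    WL = 5
    # Constructed: 20 normal steps, 10 steps of total inconsistency, recovery.
    one_attack = build_sequence((0.98, 20), (0.0, 10), (0.98, 20))
    # Constructed: two collapses close together, mimicking the repeated rise and
    # fall the patent reports within a single intrusion.
    double_dip = build_sequence((0.98, 20), (0.0, 6), (0.98, 6), (0.0, 6), (0.98, 20))
    for name, E in (("one_attack", one_attack), ("double_dip", double_dip)):
        F = fluctuation_index(E, WL)
        print(name, "Max(F)=%.3f" % max_fluctuation(F), "alarms:", extract_alarms(F))
```

Both constructed sequences yield exactly one alarm, illustrating the page's claim that a single intrusion with several internal swings is not split into repeated alarms.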
Figure 2 shows the result of the present invention detecting the intrusion event of the RPC/DCOM interface overflow vulnerability. A certain DCOM interface in Windows NT 4.0, 2000, XP and Server 2003 has a buffer overflow vulnerability that allows a remote attacker to execute arbitrary code on the target server by submitting malformed messages; the Blaster worm attacks this vulnerability. Therefore, under Windows XP (SP0), two real intrusions were carried out using this vulnerability: the first a successful intrusion, the second a failed one. Because this vulnerability occurs in the specific process bound to port 135, the experiment tracked the Svchost.exe process bound to port 135. First, a multi-step consistency model was built for the normal behaviour of the Svchost.exe process; the whole training process lasted about 7 days and involved numerous operating system functions, such as shared services, mail receiving and sending, and component services. The trained multi-step consistency model of the normal state of the Svchost.exe process was later also used to detect the other attacks. Detection by the index iterative detection algorithm gave the result shown in Figure 2. From the first Native API to about the 1000th, the index iterative detection value rises gradually from 0 toward 1, indicating that the Native APIs and Native API pairs appearing so far are highly consistent with the multi-step consistency model of the process's normal state. At the start of detecting any process the system shows the index iterative detection value rising step by step and then tending to a steady state; when the Native API sequence of a process is highly correlated with the multi-step Native API consistency model of the process, the index iterative detection value keeps rising and then remains relatively stable. This is the case for this process. When about the 1530th Native API occurs, the index iterative detection value falls very sharply, soon dropping from the maximum 0.987943 to the minimum 0.000002, accompanied by large fluctuations. This is the first, successful, intrusion being detected. After the first intrusion process ends, the index iterative detection value gradually approaches the maximum 1 as normal Native APIs consistent with the multi-step consistency model keep appearing, and returns to its original plateau, so the anomaly of the first intrusion can be seen clearly. The second intrusion attack that is then launched is also detected. The second intrusion is unsuccessful, but the corresponding index iterative detection value of the system still decreases quickly, dropping from the maximum 0.955954 to the minimum 0. The alarm extraction algorithm successfully extracted both attacks from the detection process. The minimal fluctuation index before the first attack is 0, indicating that the Native APIs appearing are highly consistent with the multi-step consistency model, while the maximal fluctuation index when the attack is launched is 0.955895; after the first attack ends, the index iterative detection value climbs back step by step toward the maximum 1, and the minimal fluctuation index at that point is 0.000032. According to the alarm extraction algorithm, it can be uniquely determined that a real intrusion occurred between about the 1373rd and the 1765th Native API. Similarly, the present invention determined that an illegal intrusion occurred between about the 1765th and the 2157th Native API. Intrusions that do not succeed have an equally large influence on the Native API sequence produced by the Svchost.exe process. By effectively detecting unsuccessful intrusions, the present invention can defend in advance against some attack attempts and thus play a preventive role. Because successful and unsuccessful attacks differ in their final influence on the system, with a successful attack influencing the system far more than an unsuccessful one, the present invention classes unsuccessful attacks in the category of attack attempts: they are only an attempt to attack the target host, but such an attempt can still influence the security situation of the host. The present invention analyses and uses such attack attempts one step ahead as a supplementary information source for the host security situation, in order to provide the security situation of the host within a certain period and the security policy that should be applied. However, in the present system an alarm extracted from an unsuccessful attack has the same severity as one extracted from a successful attack, which may cause the administrator to adopt unnecessary security policies or make the application of security policies inflexible.
The detection results shown in Figures 3 and 4 come from two attacks on the RPC/DCOM long filename heap overflow vulnerability (MS03-039) and their detection. The component that handles Distributed Component Object Model (DCOM) interfaces in the RPCSS service of several Windows systems has 3 flaws: two allow arbitrary code execution and the other can cause a DoS. The flaws arise from errors in processing malformed messages. By submitting an over-long filename parameter to the target program, an attacker triggers a buffer overflow and thereby exploits the flaw, and can execute arbitrary code with Local System privileges on the affected system or crash the RPCSS service. The attacker can then take any action on the system, including installing programs; viewing, changing or deleting data; or creating new accounts with full privileges. To verify the method of the present invention, two experiments, a denial-of-service attack and an intrusion attack, were carried out on a Windows 2000 Professional (SP0) system. The present invention finds intrusions by tracking the Svchost.exe process bound to port 135. Figure 3 shows the denial-of-service attack launched against this vulnerability. It can be observed that in the initial state of detection the index iterative detection value rises gradually from the minimum to a plateau; this small fluctuation index means that the tracked process is running in its normal state. At about the 570th Native API the denial-of-service attack was launched; samples inconsistent with the corresponding multi-step consistency model then appeared in the generated Native API sequence, causing the index iterative detection value to drop significantly to 0.569765. The index iterative detection value then rose slowly, and after it reached 0.963562 the service process Svchost.exe was observed to have stopped serving because of the denial-of-service attack. The largest drop of the index iterative detection value in the whole process reached 0.417237, not as large as in the intrusion examples described above, but it still reflects clearly the obvious gap between the Native API sequence produced during the denial-of-service attack and the first- and second-order correlation models of the Svchost.exe process. Figure 4 shows the detection result of the intrusion attack experiment; the launched intrusion adds to the victim server host an illegal account with user name "e" and password "asd#321". Figure 4 shows the detection result over the whole intrusion process: when the intrusion attack is launched, the anomalous Native APIs and Native API pairs produced by the attack have a large gap from the multi-step consistency model, so the maximum drawdown of the index iterative detection value reaches 0.954601 at about the 580th step; it then climbs slowly to 0.937083, and after a small fluctuation with fluctuation index 0.152018 rises gradually and approaches the maximum 1. At this point the intrusion process has exited, and the behaviour of the Svchost.exe process returns to normal. Attacks of this kind, which add an illegal user through a buffer overflow, are used very widely in real environments, and the added illegal user can serve as a system backdoor for later use by the attacker. The present system, however, can only find anomalies in the index iterative detection value; it cannot determine what kind of anomaly occurred or to what degree the server has been harmed. Therefore the present invention can be combined with other system security audit tools to monitor changes in the system security policy or in accounts, and a host-based multi-detector information fusion mechanism can be built, so as to help the administrator find and locate the harm an attacker has caused to the system quickly and accurately and take corresponding countermeasures and defensive measures.
Figure 5 shows the detection result for an attack on the RPC Locator service vulnerability (MS03-001) in Windows systems. The Locator service is a network name locating service, loaded by default in Windows NT 4.0/2000/XP. It is started by default only on Windows 2000 domain controllers and Windows NT 4.0 domain controllers, and is not started by default on Windows NT 4.0 workstations or member servers, Windows 2000 workstations or member servers, or Windows XP. Because the Locator service contains an unchecked buffer, an attacker can cause the Locator service to fail, or even execute arbitrary code on the system, by sending a carefully constructed request to the Locator service. The attack detection experiment was carried out under Windows 2000 Server (SP0). Because the RPC Locator service is not started by default on Windows 2000 Server, it had to be started and configured manually so that the Locator service runs automatically at each system start. In the experiment, the attack using this vulnerability causes the RPC Locator service to terminate, that is, the RPC Locator service is left in a denial-of-service state. From Figure 5 it can be observed that in the initial stage of tracking the process Svchost.exe, the index iterative detection value keeps growing from the minimum value, approaches the maximum 1 at a certain stage, and remains relatively stable. When the DoS attack on the RPC Locator vulnerability of Windows 2000 Server is launched, the index iterative detection value of the Native API sequence of the Svchost process starts to decrease and fall, and at a certain stage begins to fluctuate sharply; the minimal index iterative detection value once reached 0.09402, and the whole process of the launched intrusion attack occurs at the sequence positions from about 0 to 550 shown in Figure 5. After the 500th Native API the index iterative detection value gradually grows again, but at the 715th Native API the Svchost process stops serving because of the DoS caused by the attack. From the test of this vulnerability it can be seen that the index iterative detection algorithm based on the multi-step consistency model of Windows Native APIs can effectively detect the early stage of a launched DoS attack, and can use this to block one step ahead the harm that is about to be produced. When the index iterative detection value plummets for the first time, an early warning is given and reported to the system administrator in the form of an alarm.
Figure 6 shows the detection result of an experiment by the present invention on a Windows 2000 Server (SP0) system against the idq buffer overflow attack on the IIS Index Server. When the attack succeeds it runs a malicious backdoor program Srv.exe on the server, which binds to port 99 of the victim server and waits as an illegal Telnet account that needs no user name or password, while also leaving the IIS Index Server in a denial-of-service state. The detection result using the method proposed by the present invention is shown in Figure 6: the index iterative detection value fluctuates significantly twice when the attack is launched, showing that the launched intrusion attack caused two large differences between the Native API sequence that appeared and the multi-step consistency model of the process Inetinfo.exe. The first time it dropped from the maximum 0.994494 to the minimum 0, a very significant drop; the second time it dropped from the peak 0.801021 to the minimum 0; the fluctuation indices of both drops are very large. After the second large fluctuation the value gradually returns and approaches the maximum, but because this attack caused the IIS service to restart, and the process number (PID) of the tracked Inetinfo process changed, the originally tracked Inetinfo process was stopped. From the two large fluctuations it can be seen that the index iterative detection model proposed by the present invention is very accurate in detecting the .idq intrusion into the IIS service.
Figure 7 shows the detection of an attack on the .printer vulnerability. This .printer vulnerability exists only on Windows 2000 servers running IIS 5.0. Because the printing ISAPI extension interface of IIS 5 establishes a mapping from the .printer extension to Msw3prt.dll (this mapping exists by default), when a remote user submits a URL request for .printer, IIS 5.0 calls Msw3prt.dll to interpret the request; Msw3prt.dll lacks sufficient buffer bounds checking, so a remote user can submit a carefully constructed .printer URL request whose "Host:" field contains about 420B of data, at which point a typical buffer overflow occurs in Msw3prt.dll, potentially allowing arbitrary code execution. In the actual experiment, the buffer overflow attack launched against this vulnerability adds to the server an illegal user named hax with password hax, and at the same time causes the Web service to stop responding to user requests. After the attack finishes, the victim Windows 2000 Server resets automatically and restores service, which makes it difficult for the system administrator to notice the attack that has taken place. The experiment was carried out on a Windows 2000 Server (SP0) server, tracking the process Inetinfo.exe of the IIS service. From the experimental result in Figure 7 it can be seen that the index iterative detection value E(s_k, s_j) falls sharply from about the 1100th Native API, its minimum once reaching 0, with very large fluctuation; at about the 2300th Native API the Inetinfo process has recovered to normal, but at the end, because the Web server stopped serving user requests after the buffer overflow occurred and the operating system then restarted the IIS service, the detection data of the Inetinfo process tracked by the present invention stops after the 2806th Native API, and the system starts a new IIS service process. According to the alarm extraction algorithm proposed by the present invention, if there is at least one maximal fluctuation index of the index iterative detection rate between two minimal fluctuation indices of the index iterative detection value, then one anomalous intrusion or attack is considered to have occurred between those two minimal fluctuation indices. It can be found that three large fluctuation indices of the index iterative detection rate appear from the launch of the intrusion to its end, namely 0.967106, 0.947531 and 0.93604, while the corresponding minimal fluctuation index of the index iterative detection rate in the whole process is 0.000127, far larger than the minimal fluctuation index 0.000001 before the attack was launched and the minimal fluctuation index 0.000041 after it ended. Therefore one intrusion event was successfully confirmed.
Figure 8 shows the test of an attack on the Unicode vulnerability present in Microsoft IIS 4.0 and IIS 5.0. The cause of the Unicode vulnerability can be roughly summarised as follows: it affects Chinese Windows IIS 4.0+SP6, and also Chinese Windows 2000+IIS 5.0 and Chinese Windows 2000+IIS 5.0+SP1; the Taiwan Traditional Chinese versions have the same vulnerability. They use extended Unicode characters (for example substituting "../" for "/" and "\") to perform directory traversal. In Windows NT the encoding is %c1%9c, and in the English edition of Windows 2000 it is %c0%af. First the IIS service process Inetinfo.exe on Windows 2000 Server (SP0) was tracked and its Native API sequence was subjected to normal index detection. The attack in the experiment was launched twice; the first time the following was entered in the URL address field:
http://192.168.74.220/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
The purpose of this attack is to execute the dir command in the current directory on the specified server 192.168.74.220, which allows the directory tree of the whole server to be traversed. The second attack issues the command dir c:\ to browse the files of the C: drive directory. The attack command is as follows:
http://192.168.74.220/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
In the detection result of Figure 8, a significant fluctuation appears as soon as the first attack is launched, and the index iterative detection value no longer stays in the state approaching the maximum 1. Its largest fluctuation goes from the maximum 0.961477 before the fall to the lowest trough 0.002939, a fluctuation range of 0.958538; when the second attack is carried out, the index iterative detection value drops from the maximum 0.997128 to the minimum 0, a fluctuation range of 0.997128. After the first and the second attack end, the index iterative detection value of the Native APIs of the Inetinfo process keeps rising and approaches the maximum 1. Analysis by the alarm extraction algorithm finds that before and after the first attack the minimal fluctuation indices of the index iterative detection rate are 0.000010 and 0.000001 respectively, while the minimal fluctuation index during the first attack is 0.000066, and four larger fluctuations appear, namely 0.937326, 0.950498, 0.920928 and 0.728487. Therefore the alarm extraction algorithm extracted both the first and the second intrusion.
Figure 9 shows the detection of the ASN.1 library BER decoding heap corruption denial-of-service attack (MS04-007). Abstract Syntax Notation 1 (ASN.1) is a data standard used by many applications and devices in the IT industry; it can be used to standardise and interpret data across various platforms and allows data to be transmitted between them. The key concept of the ASN.1 Basic Encoding Rules (BER) is a flexible scheme for encoding binary data. Each data item is described by a tag number stating how the following value data is to be interpreted, then the data length, and finally the data itself; by supplying an oversized value (from 0xFFFFFFFD to 0xFFFFFFFF) in the length field, an integer overflow can be produced in the heap allocation function. Although the length value is confirmed and checked locally, pointer arithmetic in an independent verification function lets the vulnerability arise. The Microsoft ASN.1 library is widely used in the Windows security subsystem, including Kerberos, NTLMv2 authentication, and applications that use various certificates (SSL, e-mail digital signatures, ActiveX control signing). The Microsoft ASN.1 library has an integer overflow vulnerability in its implementation, which a remote attacker can use to cause heap corruption and execute malicious instructions. The vulnerability affects applications related to MSASN1.DLL, most commonly LSASS.EXE and CRYPT32.DLL (any application that uses CRYPT32.DLL). If an attacker successfully exploits this buffer overflow vulnerability, code can be run with system privileges on the affected system; the attacker can then perform any operation on the system, including installing programs; viewing, changing or deleting data; or creating new accounts with full privileges. In the experiment, the multi-step Native API consistency model of the Lsass.exe process was trained first. Then, on a Windows 2000 Server (SP0) system, the attack on the Lsass.exe process was detected by the index iterative detection algorithm. Tracking the Native API sequence of the Lsass.exe process, it can be seen from Figure 9 that the index iterative detection value of the Lsass.exe process shows a large fluctuation index of 0.620288 at the 530th Native API. The minimal fluctuation indices of the index iterative detection rate before and after the intrusion attack are 0.000002 and 0.000130 respectively, and the minimal fluctuation index during the intrusion process is 0.000158, larger than the fluctuation indices before and after the intrusion. Because there is at least one large fluctuation index of the index iterative detection rate between the two minimal fluctuation indices before and after the intrusion, an attack is considered to have occurred. Therefore the analysis determines that one intrusion event occurred.
Table 2. Laboratory test results using the index iterative detection algorithm
Attacked vulnerability | Max(F_ij) | |A| | Attack type     | Detected process | Experiment platform
MS03-026               | 0.993747  | 2   | Buffer Overrun  | Svchost.exe      | Windows XP (SP0)
MS03-039               | 0.417237  | 1   | DoS             | Svchost.exe      | Windows 2000 Professional (SP0)
MS03-039               | 0.954601  | 1   | Buffer Overrun  | Svchost.exe      | Windows 2000 Professional (SP0)
MS03-001               | 0.877936  | 1   | Buffer Overrun  | Svchost.exe      | Windows 2000 Server (SP0)
MS01-033               | 0.994494  | 1   | Buffer Overrun  | Inetinfo.exe     | Windows 2000 Server (SP0)
MS01-023               | 0.967106  | 1   | Buffer Overrun  | Inetinfo.exe     | Windows 2000 Server (SP0)
MS00-078               | 0.997128  | 2   | Folder Traverse | Inetinfo.exe     | Windows 2000 Server (SP0)
MS04-007               | 0.620288  | 1   | DoS             | Lsass.exe        | Windows 2000 Server (SP0)
Table 2 shows the detection results for the 7 kinds of attack involved in the experiments. The present invention was tested on three different platforms, Windows XP (SP0), Windows 2000 Professional (SP0) and Windows 2000 Server (SP0), covering several vulnerabilities that once posed serious danger to the Windows series of operating systems, such as the RPC/DCOM-related vulnerabilities and the IIS service-related vulnerabilities. The present invention tested three typical attacks related to the RPC service (MS03-026, MS03-039 and MS03-001), three typical attacks related to the IIS service (MS01-033, MS01-023 and MS00-078), and one ASN.1 library BER decoding heap corruption denial-of-service attack (MS04-007), covering three different attack types: buffer overflow, denial of service and directory traversal (Folder Traverse). The designed Native API interception system tracked three different processes: Svchost.exe, Inetinfo.exe and Lsass.exe. In the table the Microsoft security bulletin number serves as the identifier of the vulnerability intruded or attacked; for each attack detection result the table records the maximum fluctuation index Max(F_ij), the number of alarms |A| in the alarm record set, the attack type, the detected process and the experiment platform. Max(F_ij) denotes the maximum degree of fluctuation appearing in the whole detection sequence produced by the detected process; it represents the maximum degree of inconsistency between the Native APIs appearing in the current sequence and their corresponding first- and second-order models, and is the main indicator used to identify anomalous events. A is the complete set of alarms extracted from the detected process and |A| is the number of alarms extracted; from it one can observe whether the alarm extraction algorithm proposed by the present invention can extract an attack effectively, rather than splitting one attack into several repeated alarms. From Table 2 it can be seen that among the three RPC-service-related attack detections, the attack on the RPC/DCOM interface overflow vulnerability (MS03-026) has the largest Max(F_ij), reaching 0.993747, while the DoS attack on the RPC/DCOM long filename heap overflow vulnerability (MS03-039) has the smallest Max(F_ij), only 0.417237. The detection results for the three IIS-service-related attacks are very good, almost all very close to the maximum 1; the intrusion attack on the IIS Unicode directory traversal vulnerability (MS00-078) has the largest Max(F_ij), showing that the anomalous Native APIs caused by this attack have the largest gap from the corresponding multi-step consistency model. From Table 2 we can also find that all 8 attacks launched in the experiments were effectively extracted by the alarm extraction algorithm, and the number of extracted alarms matches the number of attacks launched in the experiments exactly. Therefore the index iterative detection algorithm and alarm extraction algorithm based on the multi-step consistency model proposed by the present invention effectively describe the normal and abnormal behaviour of the observed process and at the same time determine the number of anomalous attacks well, so that the system administrator can understand the security situation of the system more effectively and adopt corresponding security policies to stop malicious attacks.
The main purpose of the invention is to acquire the Windows kernel-level system call functions (Native APIs), build the Multi-Steps Native APIs Consistency Model (MSNACM) corresponding to each process, and detect various intrusion behaviours in real time and raise alarms with the exponential recursive detection method of the invention. The exponential recursive detection algorithm proposed here, based on the multi-step Native API consistency model, discovers anomalous intrusions by analysing and establishing the correlation between the multi-step Native API consistency model of a designated process under the Windows environment and the Native API sequence generated by the detected process. Realising this model is divided into two stages, training and testing. In the training stage, the Native API data of the designated process are collected and stored in a database. Analysis of the raw data comprises first-order analysis and second-order analysis, which mainly analyse and process the first- and second-order state transitions in the data set and establish the first- and second-order models. In the test stage, the multi-step Native API consistency model uses the exponential recursive detection algorithm to compute the first- and second-order Native API normality indices against the first- and second-order models. In practical applications the invention also adopts an alarm extraction method, which allows the anomalous events appearing in the continuously varying fluctuation of the exponential recursive detection rate to be found exactly, extracted and correctly reported. By defining the fluctuation index and a corresponding sliding window, the invention can analyse the fluctuating normality index with the alarm extraction algorithm and pick out the corresponding anomalous events, which makes it convenient to report to the system administrator or the security policy centre so that the necessary security policy can be taken to stop the hacker's intrusion. In the experiment 7 kinds of attack were tested on three different platforms, Windows XP (SP0), Windows 2000 Professional (SP0) and Windows 2000 Server (SP0), involving several vulnerabilities that once posed a grave danger to the Windows series of operating systems, such as RPC/DCOM-related and IIS-related vulnerabilities; three RPC-service-related attacks (MS03-026, MS03-039 and MS03-001), three IIS-service-related attacks (MS01-033, MS01-023 and MS00-078) and one ASN.1 library BER-decoding heap-corruption denial-of-service attack (MS04-007) were detected. The experimental results show that the multi-step Native API consistency model and the exponential recursive detection algorithm detect intrusion attacks with high precision by analysing Native API sequences under the Windows environment.

Claims (1)

1. A host intrusion detection method under the Windows environment, characterised in that:
1) Acquisition of the system data (Native APIs)
Each time the designated process initiates a system service call request, the Windows kernel is first entered by loading a driver device through the DriverEntry routine. This driver device uses the KeServiceDescriptorTable data structure to access and modify the System Service Dispatch Table (SSDT) and to determine the address of the system service dispatch table; the system first backs up the original SSDT. Next, an interception function is configured for each Native API, and the call addresses of these functions are written one-to-one into the "Function addr" entries of the original system service table, so that each function pointer points to its interception function. By intercepting the system service table of the Windows host in this way, all related data of every Native API generated by the designated process in the operating system are obtained; these data comprise the name, ID and parameter length of the Native API function. After this information has been intercepted, the interception routine exits and execution returns to the system service that was called;
2) Building a normal-behaviour model of a process in the Windows operating system from the acquired Native API data, and detecting abnormal conditions in the system with this model
The acquired Native API data are trained by the multi-step consistency model building method, and first-order and second-order consistency models are established in the database from two-tuples $\{B_k, O_k\}$. The first-order consistency model is represented by the two-tuple $\{B_k, O_k\}$, where $B_k$ is the frequency of occurrence of Native API $s_k$ in the training set and $O_k$ is the first-order correlation index, given by the position of $B_k$ when all $B_k$ in the set are arranged in ascending order. The two-tuple $\{B_k, O_k\}$ establishes a relation mapping table between each Native API datum in the training set $T_S^{(1)}$ and the observed process; in general the first-order consistency model is written $M_1 = \{(B_1, O_1), \ldots, (B_k, O_k)\}$ $(1 \le k \le n)$. Likewise, the two-tuple $\{B_{(k-1)k}, O_{(k-1)k}\}$ represents the second-order consistency model and establishes a relation mapping table between each Native API pair in the training set $T_S^{(2)}$ and the observed process: $M_2 = \{(B_{12}, O_{12}), \ldots, (B_{(k-1)k}, O_{(k-1)k})\}$ $(1 \le k \le n)$;
3) Exponential Recursive Detection Algorithm (ERDA): the degree of correlation between each Native API and the detected process is computed by cyclically calculating the normality index corresponding to that Native API, so that anomalous intrusion is discovered from the change of the fluctuation index
Definitions
$E(s_k)$: the normality index of the process behaviour when the current Native API in the Native API sequence is $s_k$;
$E(s_{k-1}, s_k)$: the normality index of the process behaviour when the current Native API pair in the Native API sequence is $(s_{k-1}, s_k)$;
$G$: the current sequence correlation index, used to measure the maximum degree of correlation between the sequence of the current length and the normal-behaviour process;
$f(s_k)$: the deviation function, used to measure the effect an unexpected Native API has on the normal behaviour of the designated process; that is, when the Native API $s_k$ following $s_{k-1}$ is not in the first-order model $M_1$, the influence of this situation on a normal process is measured by a weighted correlation computed from the previously seen Native APIs. $f(s_k)$ is defined as follows:
$f(s_k) = \hat{O}_k \cdot \hat{B}_k$
where $\hat{B}_k$ is the estimated first-order relative potential and $\hat{O}_k$ is the estimated first-order correlation index.
Algorithm description
Step 1: $E(s_0) = e^{-\frac{1}{B'_0}}$ $(s_0 \in T_S)$ (1-1)
$G = B'_0$
Step k:
$s_{k-1} \in M_1,\; s_k \in M_1,\; (s_{k-1}, s_k) \in M_2$:
$E(s_{k-1}, s_k) = e^{-\frac{1}{G}}, \quad G = G + B_k + B_{(k-1)k}$ (1-2)
$s_{k-1} \notin M_1,\; s_k \notin M_1,\; (s_{k-1}, s_k) \notin M_2,\; k > b$:
$E(s_{k-1}, s_k) = e^{-\frac{1}{G}}, \quad \hat{B}_k = B_{k-b},\; \hat{O}_k = O_{k-b} \;\; (\exists s_{k-b} \in M_1 \text{ and } (k-b \rightarrow \min)), \quad G = \begin{cases} (G - \hat{B}_k) \cdot 0.5 & (G > \hat{B}_k) \\ G \cdot 0.5 & (G < \hat{B}_k) \end{cases}$ (1-3)
$s_{k-1} \in M_1,\; s_k \notin M_1,\; (s_{k-1}, s_k) \notin M_2,\; k > b$:
$E(s_{k-1}, s_k) = e^{-\frac{1}{G}}, \quad \hat{B}_k = B_{k-b},\; \hat{O}_k = O_{k-b} \;\; (\exists s_{k-b} \in M_1 \text{ and } (k-b \rightarrow \min)), \quad G = \begin{cases} (G + \hat{B}_k - f(s_k)) \cdot 0.5 & (G + \hat{B}_k > f(s_k)) \\ (G + \hat{B}_k) \cdot 0.5 & (G < \hat{B}_k) \end{cases}$ (1-4)
$s_{k-1} \in M_1,\; s_k \in M_1,\; (s_{k-1}, s_k) \notin M_2,\; k > b$:
$E(s_{k-1}, s_k) = e^{-\frac{1}{G}}, \quad \hat{B}_k = B_{k-b},\; \hat{O}_k = O_{k-b} \;\; (\exists s_{k-b} \in M_1 \text{ and } (k-b \rightarrow \min)), \quad G = (G + f(s_k)) \cdot 0.5$ (1-5)
$s_{k-1} \notin M_1,\; s_k \in M_1,\; (s_{k-1}, s_k) \notin M_2,\; k > b$:
$E(s_{k-1}, s_k) = e^{-\frac{1}{G}}, \quad \hat{B}_k = B_{k-b},\; \hat{O}_k = O_{k-b} \;\; (\exists s_{k-b} \in M_1 \text{ and } (k-b \rightarrow \min)), \quad G = 0.5\,G + f(s_k)$ (1-6)
As shown in formulas (1-1) to (1-6), the exponential recursive detection method iteratively computes the normality index of each Native API and each Native API pair that appears. At the initial step, the first-order potential ratio of the initial Native API is looked up in the first-order consistency model and used as the initial value of $E(s_0)$; from the second step until the process ends, the normality index $E(s_{k-1}, s_k)$ of the current Native API pair $(s_{k-1}, s_k)$ is computed by adjusting its correlation index and weight $O_k$. From experimental testing in real environments, five situations, (1-2) to (1-6), are distinguished according to whether $s_{k-1}$ and $s_k$ belong to the first-order consistency model $M_1$ and whether $(s_{k-1}, s_k)$ belongs to the second-order consistency model $M_2$. In situation (1-2), $s_k$ and $s_{k-1}$ belong to $M_1$ and at the same time $(s_{k-1}, s_k)$ belongs to $M_2$, so the correlation index $G$ is computed by cyclically accumulating the first-order and second-order potential ratios. Once $s_{k-1}$, $s_k$ or $(s_{k-1}, s_k)$ has no mapping in $M_1$ or $M_2$, the corresponding normality index is computed by one of the four situations described by formulas (1-3) to (1-6). As shown there, when $s_{k-1} \notin M_1$, $s_k \notin M_1$ and $(s_{k-1}, s_k) \notin M_2$, the current $s_{k-1}$ and $s_k$ do not belong to $M_1$ and $(s_{k-1}, s_k)$ does not belong to $M_2$ either; they are all inconsistent with the multi-step consistency model, so the correlation between the currently observed sequence $(s_{k-1}, s_k)$ and the multi-step model becomes very small. The first-order relative potential of $s_{k-b}$ is therefore used as the estimate of the first-order relative potential of $s_k$ (where $s_{k-b}$ is the nearest Native API before $s_k$ that is consistent with the first-order consistency model $M_1$). If the current correlation index $G$ is greater than $\hat{B}_k$, then $\hat{B}_k$ is subtracted from $G$ and the result is multiplied by the relative loss value 0.5 to give the correlation index of the currently observed sequence $(s_{k-1}, s_k)$; if $G$ is less than $\hat{B}_k$, $G$ is already small, and the observed sequence $(s_{k-1}, s_k)$ keeps only half of the previous total correlation $G$. Here the first-order relative potential $B_{k-b}$ of $s_{k-b}$ is chosen as the estimate $\hat{B}_k$ of the first-order relative potential of $s_k$: when $s_k$ is inconsistent with $M_1$, the first-order relative potential of $s_{k-b}$, the nearest Native API before $s_k$ that is consistent with $M_1$, is taken as equal to that of $s_k$, although their influence on the system differs;
4) The proposed alarm extraction algorithm allows the anomalous events appearing in the continuously varying fluctuation of the exponential recursive detection rate to be found and extracted exactly, and a correct alarm to be raised; the fluctuation index $F_{ij}$ is defined as follows:
$F_{ij} = \sum_{i=k}^{k+WL} E(s_i, s_{i+1}) - \sum_{j=k-WL}^{k} E(s_j, s_{j+1}) \quad (WL \le i \le n - WL - 1)$ (1-7)
where WL is the sliding window length;
From the definition of the fluctuation index $F_{ij}$ it can be seen that subtracting the sum of the exponential recursive detection rates of window $j$ from the sum for window $i$ gives the fluctuation between windows $i$ and $j$; three situations then arise:
$F_{ij} = \begin{cases} F_{ij} > 0 \\ F_{ij} = 0 \\ F_{ij} < 0 \end{cases}$ (1-8)
When $F_{ij} > 0$, the exponential recursive detection rate of window $i$ is greater than that of window $j$, which shows that the detection value fluctuates upwards and the system tends towards normal; when $F_{ij} < 0$, the rate of window $i$ is less than that of window $j$, the detection value fluctuates downwards and the system tends towards abnormal; when $F_{ij} = 0$, there is no fluctuation between windows $i$ and $j$ and the system state is unchanged;
Sliding window length WL: the length for which
$F_{ij} = \sum_{i=k}^{k+WL} E(s_i, s_{i+1}) - \sum_{j=k-WL}^{k} E(s_j, s_{j+1})$ reaches its maximum, that is:
$WL = WL(i, j) \quad \text{iff} \quad \left( \sum_{i=k}^{k+WL} E(s_i, s_{i+1}) - \sum_{j=k-WL}^{k} E(s_j, s_{j+1}) \right) \rightarrow \max$ (1-9)
Taking WL = 30 as the sliding window length for measurement keeps the alarm volume small while leaving almost no missed detections;
5) For a process whose exponential recursive detection value has become small, the behaviour of the currently observed process or its thread is prohibited: the PostThreadMessage() or PostMessage() function is used to send a WM_QUIT or WM_DESTROY message to the designated thread, forcibly terminating the malicious thread.
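The recursion of claim 3 (formulas (1-1) to (1-6)) and the fluctuation index of claim 4 (formulas (1-7) and (1-8)), worked through in Python as an added example that is not part of the patent: it trains M1 and M2 from a constructed Native API trace, runs ERDA over a test trace, and shows the downward fluctuation that unseen calls produce. The API names, the reading of O_k as the ascending rank of B_k, the update-G-then-E step order, the fallback potential FLOOR and the use of |F| for Max(F_ij) are assumptions.

```python
import math
from collections import Counter

# Constructed "normal" training trace of a designated process (illustrative
# Native API names; not data from the patent).
TRAIN = (["NtOpenFile", "NtReadFile", "NtClose"] * 20
         + ["NtOpenFile", "NtQueryInformationFile", "NtClose"] * 10)
# Constructed test trace: the normal pattern with ten calls never seen in
# training spliced into the middle.
ATTACK = TRAIN[:60] + ["NtUnseenCallA", "NtUnseenCallB"] * 5 + TRAIN[60:]
FLOOR = 1e-3   # assumed fallback potential when no API in M1 has been seen yet


def build_models(seq):
    """Train M1 = {s: (B, O)} and M2 = {(s, t): (B, O)} from a trace.
    B is the relative frequency in the training set; O is the 1-based rank of
    B among the distinct B values sorted ascending (our reading of the claim's
    'position in ascending order' for the correlation index O_k)."""
    def model(items):
        counts = Counter(items)
        total = len(items)
        rank = {c: r for r, c in enumerate(sorted(set(counts.values())), 1)}
        return {key: (c / total, rank[c]) for key, c in counts.items()}
    return model(seq), model(list(zip(seq, seq[1:])))


def erda(seq, m1, m2):
    """Exponential recursive detection, formulas (1-1) to (1-6).
    Returns E(s_{k-1}, s_k) for k = 1..n-1. Assumed step order: update G for
    the current pair, then E = exp(-1/G)."""
    # Step 1: G starts from the first-order potential of s_0 (claim: s_0 in T_S).
    G = m1[seq[0]][0] if seq[0] in m1 else FLOOR
    last_known = m1.get(seq[0])   # (B, O) of the nearest preceding API in M1
    E = []
    for k in range(1, len(seq)):
        prev, cur = seq[k - 1], seq[k]
        # \hat B_k, \hat O_k come from s_{k-b}, the nearest preceding API in M1
        B_hat, O_hat = last_known if last_known else (FLOOR, 1)
        f = O_hat * B_hat                      # deviation function f(s_k)
        if prev in m1 and cur in m1 and (prev, cur) in m2:        # (1-2)
            G = G + m1[cur][0] + m2[(prev, cur)][0]
        elif prev not in m1 and cur not in m1:                    # (1-3)
            G = (G - B_hat) * 0.5 if G > B_hat else G * 0.5
        elif prev in m1 and cur not in m1:                        # (1-4)
            G = (G + B_hat - f) * 0.5 if G + B_hat > f else (G + B_hat) * 0.5
        elif prev in m1 and cur in m1:                            # (1-5)
            G = (G + f) * 0.5                  # both known, pair unseen
        else:                                                     # (1-6)
            G = 0.5 * G + f                    # prev unseen, cur known
        G = max(G, 1e-300)                     # keep exp(-1/G) defined
        E.append(math.exp(-1.0 / G))
        if cur in m1:
            last_known = m1[cur]
    return E


def fluctuation(E, WL):
    """Fluctuation index F_ij of formula (1-7) for every admissible k:
    sum of E over the window starting at k minus the sum over the window
    ending at k. Negative values are a downward fluctuation (1-8), i.e. the
    process is tending towards abnormal."""
    n = len(E)
    return [sum(E[k:k + WL + 1]) - sum(E[k - WL:k + 1]) for k in range(WL, n - WL)]


def max_fluctuation(F):
    """Largest fluctuation magnitude over the sequence, the quantity the
    experiments report as Max(F_ij) (using |F| is our assumption)."""
    return max((abs(x) for x in F), default=0.0)


if __name__ == "__main__":
    M1, M2 = build_models(TRAIN)
    for name, trace in (("normal", TRAIN), ("with unseen calls", ATTACK)):
        F = fluctuation(erda(trace, M1, M2), 5)
        print(f"{name}: min F = {min(F):.3f}, Max(F_ij) = {max_fluctuation(F):.3f}")
```

On the normal trace G only grows, so E rises towards 1 and every F is positive; on the trace with unseen calls G is halved at each unexpected pair, E collapses, and F turns negative at the splice point.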

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100430532A CN1328638C (en) 2005-08-04 2005-08-04 Intrusion detection method for host under Windows environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100430532A CN1328638C (en) 2005-08-04 2005-08-04 Intrusion detection method for host under Windows environment

Publications (2)

Publication Number Publication Date
CN1731310A true CN1731310A (en) 2006-02-08
CN1328638C CN1328638C (en) 2007-07-25

Family

ID=35963682

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100430532A Expired - Fee Related CN1328638C (en) 2005-08-04 2005-08-04 Intrusion detection method for host under Windows environment

Country Status (1)

Country Link
CN (1) CN1328638C (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
CN101604370B (en) * 2009-07-06 2012-08-29 中国人民解放军信息技术安全研究中心 Highly compatible method for monitoring Windows kernel function call
CN101702720B (en) * 2009-10-28 2012-09-05 中国科学院计算技术研究所 Model training method and detecting method in detection of impersonation attack
CN102737193A (en) * 2011-09-23 2012-10-17 新奥特(北京)视频技术有限公司 Equipment shielding method and device for data security prevention and control
CN102737197A (en) * 2011-09-23 2012-10-17 新奥特(北京)视频技术有限公司 Data equipment shielding method and device
CN102737175A (en) * 2011-09-23 2012-10-17 新奥特(北京)视频技术有限公司 Equipment access method and user equipment and device in data security protection and control
CN101652730B (en) * 2007-01-31 2013-03-13 霍尼韦尔国际公司 Apparatus and method for automated closed-loop identification of an industrial process in a process control system
CN103632099A (en) * 2013-09-29 2014-03-12 广州华多网络科技有限公司 Underived Native API function acquiring method and device
US8990942B2 (en) 2013-02-18 2015-03-24 Wipro Limited Methods and systems for API-level intrusion detection
CN105531712A (en) * 2013-09-18 2016-04-27 高通股份有限公司 Data flow based behavioral analysis on mobile devices
CN106850658A (en) * 2017-02-28 2017-06-13 南开大学 The network malicious act detection method of real-time online study
CN107704356A (en) * 2017-06-12 2018-02-16 平安科技(深圳)有限公司 Exception stack information acquisition method, device and computer-readable recording medium
CN108227639A (en) * 2016-12-22 2018-06-29 中国航天系统工程有限公司 A kind of host computer monitoring abnormal state method towards Distributed Control System

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1512359A (en) * 2002-12-27 2004-07-14 北京师范大学 Detecting network invasion using flow analysis method
CN1282081C (en) * 2003-08-04 2006-10-25 联想(北京)有限公司 Invasion detecting method
US7725936B2 (en) * 2003-10-31 2010-05-25 International Business Machines Corporation Host-based network intrusion detection systems
AU2003298193A1 (en) * 2003-12-17 2005-07-05 Telecom Italia S.P.A. Method and apparatus for monitoring operation of processing systems, related network and computer program product therefor

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101652730B (en) * 2007-01-31 2013-03-13 霍尼韦尔国际公司 Apparatus and method for automated closed-loop identification of an industrial process in a process control system
CN101604370B (en) * 2009-07-06 2012-08-29 中国人民解放军信息技术安全研究中心 Highly compatible method for monitoring Windows kernel function call
CN101702720B (en) * 2009-10-28 2012-09-05 中国科学院计算技术研究所 Model training method and detecting method in detection of impersonation attack
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
CN102737193A (en) * 2011-09-23 2012-10-17 新奥特(北京)视频技术有限公司 Equipment shielding method and device for data security prevention and control
CN102737197A (en) * 2011-09-23 2012-10-17 新奥特(北京)视频技术有限公司 Data equipment shielding method and device
CN102737175A (en) * 2011-09-23 2012-10-17 新奥特(北京)视频技术有限公司 Equipment access method and user equipment and device in data security protection and control
US8990942B2 (en) 2013-02-18 2015-03-24 Wipro Limited Methods and systems for API-level intrusion detection
CN105531712A (en) * 2013-09-18 2016-04-27 高通股份有限公司 Data flow based behavioral analysis on mobile devices
CN105531712B (en) * 2013-09-18 2018-07-27 高通股份有限公司 The behavioural analysis based on data flow in mobile device
CN103632099A (en) * 2013-09-29 2014-03-12 广州华多网络科技有限公司 Underived Native API function acquiring method and device
CN103632099B (en) * 2013-09-29 2016-08-17 广州华多网络科技有限公司 The Native api function acquisition methods do not derived and device
CN108227639A (en) * 2016-12-22 2018-06-29 中国航天系统工程有限公司 A kind of host computer monitoring abnormal state method towards Distributed Control System
CN106850658A (en) * 2017-02-28 2017-06-13 南开大学 The network malicious act detection method of real-time online study
CN106850658B (en) * 2017-02-28 2019-12-03 南开大学 The network malicious act detection method of real-time online study
CN107704356A (en) * 2017-06-12 2018-02-16 平安科技(深圳)有限公司 Exception stack information acquisition method, device and computer-readable recording medium
CN107704356B (en) * 2017-06-12 2019-06-28 平安科技(深圳)有限公司 Exception stack information acquisition method, device and computer readable storage medium
US11010227B2 (en) 2017-06-12 2021-05-18 Ping An Technology (Shenzhen) Co., Ltd. Exception stack information acquisition method and device and computer-readable storage medium

Also Published As

Publication number Publication date
CN1328638C (en) 2007-07-25


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SUZHOU SAIBO WANGYIN INFORMATION TECHNOLOGY DEVELO

Free format text: FORMER OWNER: XI'AN JIAOTONG UNIV.

Effective date: 20131104

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 710049 XI'AN, SHAANXI PROVINCE TO: 215000 SUZHOU, JIANGSU PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20131104

Address after: 215000 A4-307 room, No. 99 kindheartedness Road, Suzhou Industrial Park, Suzhou, Jiangsu

Patentee after: Suzhou cyber net Yin Information Technology Development Co Ltd

Address before: 710049 Xianning Road, Shaanxi, China, No. 28, No.

Patentee before: Xi'an Jiaotong University

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070725

Termination date: 20160804