
Research on Anomaly Detection Based on System Call Sequences and Parameters

發(fā)布時(shí)間:2018-04-28 23:15

Topic: system calls + control flow; Source: Donghua University, 2014 master's thesis


【Abstract】: Computer system security problems are becoming increasingly prominent, and anomaly detection has attracted growing attention because of its ability to detect unknown attacks. Anomaly detection can be divided into network-based and host-based anomaly detection; this thesis mainly discusses anomaly detection for a specific host, in particular server hosts that provide network services. A good monitoring object reflects the program's behaviour profile well, and in host-based anomaly detection the system call is the main monitored data source. Traditional host-based anomaly detection methods discover intrusions by monitoring either the data flow or the control flow of system calls: control-flow-based systems monitor the system call sequence and build various sequence models to reflect the program's control flow, while data-flow-based systems monitor the data passed between system call arguments and return values. Apart from the observation that adding simple control-flow information to data-flow analysis improves detection accuracy, current research in the two directions has diverged considerably, and neither absorbs the other's results well, leaving the constructed program behaviour profile incomplete and inaccurate. In view of this, the thesis proposes a new method that integrates control-flow and data-flow analysis. The method first builds a pattern library from fixed-length system call sequences, then applies association rule mining to discover rules between attributes within the same pattern or across different patterns, producing two rule sets used for detection and evaluation. Finally, the proposed model is tested by simulation. Experimental results show that the new data-flow analysis method based on control-flow context finds more precise and useful rules that previous data-flow analysis could not, and thereby detects more anomalous behaviour.
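The following is an added illustration of the approach the abstract describes, not code from the thesis: a pattern library of fixed-length system call k-grams (control flow) is built from constructed training traces, attribute rules are then mined in the context of each pattern (the within-pattern case of the two rule sets), and a test trace is flagged either for an unseen pattern or for an attribute value that breaks a mined rule. The trace format, the k=3 window, and the 0.6 confidence threshold are assumptions for this example.

```python
from collections import Counter, defaultdict

# Constructed training traces (not from the thesis): each event is
# (syscall name, attribute dict) for an assumed accept/read/open/write server loop.
TRAIN = [
    [("accept", {}), ("read", {"fd": 4}), ("open", {"path": "/etc/app.conf"}), ("write", {"fd": 4})],
    [("accept", {}), ("read", {"fd": 5}), ("open", {"path": "/etc/app.conf"}), ("write", {"fd": 5})],
    [("accept", {}), ("read", {"fd": 6}), ("open", {"path": "/var/log/app.log"}), ("write", {"fd": 6})],
]
K = 3  # fixed window length used to build the control-flow pattern library

def windows(trace, k=K):
    """Fixed-length k-grams of syscall names: the control-flow patterns."""
    names = [name for name, _ in trace]
    return [tuple(names[i:i + k]) for i in range(len(names) - k + 1)]

def train(traces, k=K, min_conf=0.6):
    """Build the pattern library and mine attribute rules in pattern context.
    A rule (pattern, position, attr) -> allowed values keeps only values whose
    confidence within that pattern is at least min_conf (assumed threshold)."""
    library, counts = set(), defaultdict(Counter)
    for trace in traces:
        for i, pat in enumerate(windows(trace, k)):
            library.add(pat)
            for pos in range(k):
                for attr, val in trace[i + pos][1].items():
                    counts[(pat, pos, attr)][val] += 1
    rules = {}
    for key, ctr in counts.items():
        total = sum(ctr.values())
        allowed = {v for v, c in ctr.items() if c / total >= min_conf}
        if allowed:  # attributes with no confident value (e.g. fds) get no rule
            rules[key] = allowed
    return library, rules

def detect(trace, library, rules, k=K):
    """Control-flow alert for an unseen k-gram; data-flow alert when an
    attribute value breaks the rule mined for that pattern position."""
    alerts = []
    for i, pat in enumerate(windows(trace, k)):
        if pat not in library:
            alerts.append(("control_flow", pat))
            continue
        for pos in range(k):
            for attr, val in trace[i + pos][1].items():
                allowed = rules.get((pat, pos, attr))
                if allowed is not None and val not in allowed:
                    alerts.append(("data_flow", pat, attr, val))
    return alerts
```

Because windows overlap, one bad attribute value is reported once per pattern that covers it, which is the control-flow context the thesis adds to plain data-flow analysis.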
【學(xué)位授予單位】:東華大學(xué)
【學(xué)位級(jí)別】:碩士
【學(xué)位授予年份】:2014
【分類號(hào)】:TP393.08

【參考文獻(xiàn)】

相關(guān)期刊論文 前10條

1 田新廣;高立志;孫春來;張爾揚(yáng);;基于系統(tǒng)調(diào)用和齊次Markov鏈模型的程序行為異常檢測(cè)[J];計(jì)算機(jī)研究與發(fā)展;2007年09期

2 劉雪飛,馬恒太,張秉權(quán),吳伯橋,蔣建春,文偉平;基于系統(tǒng)調(diào)用的異常入侵檢測(cè)研究[J];計(jì)算機(jī)工程與應(yīng)用;2004年17期

3 王松濤,吳灝;Linux下基于可執(zhí)行路徑分析的內(nèi)核rootkit檢測(cè)技術(shù)研究[J];計(jì)算機(jī)工程與應(yīng)用;2005年11期

4 鄭琪;蔣盛益;湯庸;;概率后綴樹在入侵檢測(cè)中的應(yīng)用研究[J];計(jì)算機(jī)工程與應(yīng)用;2010年23期

5 朱鶯嚶;葉茂;劉乃琦;吳康;鄭凱元;;一種基于圖的異常入侵檢測(cè)新算法[J];計(jì)算機(jī)科學(xué);2008年11期

6 伏曉;謝立;;安全報(bào)警關(guān)聯(lián)技術(shù)研究[J];計(jì)算機(jī)科學(xué);2010年05期

7 蘇璞睿;楊軼;;基于可執(zhí)行文件靜態(tài)分析的入侵檢測(cè)模型[J];計(jì)算機(jī)學(xué)報(bào);2006年09期

8 劉輝;王俊峰;佘春東;;基于頻繁子圖挖掘的異常入侵檢測(cè)新方法[J];計(jì)算機(jī)應(yīng)用研究;2011年03期

9 柯行斌,王汝傳,陳云芳;基于主機(jī)系統(tǒng)調(diào)用序列的實(shí)時(shí)入侵檢測(cè)系統(tǒng)的模型研究[J];南京郵電學(xué)院學(xué)報(bào);2005年01期

10 李珍;田俊峰;楊曉暉;;基于系統(tǒng)調(diào)用屬性的程序行為監(jiān)控[J];計(jì)算機(jī)研究與發(fā)展;2012年08期

,

Article number: 1817333


Link: http://sikaile.net/guanlilunwen/ydhl/1817333.html

