Research on an Intrusion Detection Method Based on Conditional Random Fields (基于條件隨機場的入侵檢測方法研究)
[Abstract]: Intrusion detection is a relatively new technology. As long as there is information technology there will be computer intrusions, and as long as there are intrusions, intrusion detection systems will be needed; the field has developed from simple techniques into complex ones. The behaviour of a program is realised through calls to the system service interface (the API), so the composition of a program's API call sequence reflects the composition of its behaviour. The conditional random field (CRF) is a machine learning model proposed in recent years for sequence labelling and named-entity recognition in language processing. It is a discriminative undirected graphical model: it constructs the conditional distribution of an unobserved label sequence given an observable state sequence and, in accordance with the axioms of probability, selects the label sequence with the highest conditional probability as the one corresponding to the state sequence, thereby classifying the object under analysis. The combination of sequential data processing with rich feature tags makes the CRF particularly suitable for context-aware classification. On this basis, the thesis adopts a statistical machine learning method built on the conditional random field model and takes PE files as the data source to study intrusion detection. The main contributions of the thesis are the following:
(1) Based on the structure of the PE file, the header information of the PE file is obtained and analysed and the structural anomalies of PE files are summarised. This requires neither monitoring the running program nor unpacking the file: before the program runs, the anomalous items make it possible to judge whether the program is a virus or has been infected by one.
(2) The API function call sequence is extracted by analysing the program's PE file. The sequence is divided into short sequences of length k, which are matched against an attack tree; the probability of occurrence and the malicious weight of each node of the attack tree are then calculated, and the comprehensive value computed at the root node, which represents the event risk index, is used to estimate the degree of similarity between the program and a Trojan horse. This yields the likelihood that the program is a Trojan or contains a Trojan component, so that Trojan attacks can be detected and prevented accurately.
(3) Combining the context information and domain knowledge of the API functions in the PE file, the API call sequence is taken as the observation sequence and the file category as the label sequence, and each API function is labelled. A conditional random field model trained on the training set judges the label category of each API function; every observation in the API sequence of a test file is labelled, and the class of the PE file is decided from the proportion of the labels. In this way the problem of intrusion detection based on PE files is transformed into a binary classification problem of intrusion versus non-intrusion, and the structural anomalies of virus files are analysed.
(4) On the basis of disk monitoring and PE file structure analysis, the intrusion detection model is designed and implemented.
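The following is an added example (editor's illustration, not code from the thesis) of the kind of pre-execution header check described in contribution (1): it parses the DOS, COFF and PE32 optional headers and the section table, then applies common structural heuristics such as an entry point in the last section, a writable and executable section, raw data past end of file, an unaligned raw pointer, and a non-standard section name. The rule set and the allow-list of section names are the editor's assumptions, not the thesis's list of anomalies, and the two sample images are constructed in build_pe() so that the script runs offline without touching a real binary.

```python
"""Static PE header checks, in the spirit of contribution (1).

Added by the editor as an illustration. The anomaly rules are common heuristics
from PE malware analysis chosen for this example, not the thesis's own rule set,
and the sample images are constructed in build_pe() so the script runs offline.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names usually emitted by mainstream linkers (assumed allow-list).
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata",
                        ".rsrc", ".reloc", ".bss", ".tls", ".pdata", ".CRT"}


def parse_pe(data):
    """Read the DOS stub, COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    section_align, file_align = struct.unpack_from("<II", data, opt + 32)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr,
                         "chars": struct.unpack_from("<I", data, off + 36)[0]})
    return {"entry_rva": entry_rva, "section_align": section_align,
            "file_align": file_align, "sections": sections}


def find_anomalies(pe, file_len):
    """List structural anomaly codes; an empty list means the headers look ordinary."""
    secs, ep, found = pe["sections"], pe["entry_rva"], []
    ep_sec = next((s for s in secs
                   if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is None:
        found.append("EP_OUTSIDE_SECTIONS")
    else:
        if not ep_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
            found.append("EP_IN_NONEXEC_SECTION")
        if len(secs) > 1 and ep_sec is secs[-1]:
            found.append("EP_IN_LAST_SECTION")        # typical of appending infectors
    for s in secs:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            found.append("WX_SECTION:" + s["name"])
        if s["rawptr"] + s["rawsize"] > file_len:
            found.append("RAW_BEYOND_EOF:" + s["name"])   # truncated file or lying header
        if s["rawptr"] % pe["file_align"]:
            found.append("UNALIGNED_RAW_PTR:" + s["name"])
        if s["rawsize"] == 0 and s["vsize"] and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            found.append("EXEC_SECTION_NO_RAW:" + s["name"])   # code filled in at run time
        if s["name"] not in COMMON_SECTION_NAMES:
            found.append("UNUSUAL_NAME:" + s["name"])
    return found


def verdict(data):
    """Pre-execution judgement from header anomalies alone."""
    anomalies = find_anomalies(parse_pe(data), len(data))
    return ("suspicious" if anomalies else "clean"), anomalies


def build_pe(sections, entry_rva, file_align=0x200, section_align=0x1000):
    """Assemble a minimal PE32 image from a section list (constructed test data)."""
    nsec = len(sections)
    size_of_headers = -(-(0x40 + 4 + 20 + 224 + 40 * nsec) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, section_align, file_align)
    last = sections[-1]
    size_of_image = -(-(last["vaddr"] + max(last["vsize"], last["rawsize"])) // section_align) * section_align
    struct.pack_into("<II", opt, 56, size_of_image, size_of_headers)
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    table = b"".join(struct.pack("<8sIIIIIIHHI", s["name"].encode(), s["vsize"], s["vaddr"],
                                 s["rawsize"], s["rawptr"], 0, 0, 0, 0, s["chars"])
                     for s in sections)
    image = bytearray(dos + b"PE\0\0" + coff + opt + table)
    image += b"\0" * (size_of_headers - len(image))
    for s in sections:                                            # zero-filled raw data
        image += b"\0" * max(0, s["rawptr"] + s["rawsize"] - len(image))
    return bytes(image)


TEXT = {"name": ".text", "vsize": 0x800, "vaddr": 0x1000, "rawsize": 0x800, "rawptr": 0x400,
        "chars": IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ}
DATA = {"name": ".data", "vsize": 0x200, "vaddr": 0x2000, "rawsize": 0x200, "rawptr": 0xC00,
        "chars": IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE}
# An appending infector adds a final RWX section and moves the entry point into it.
VIRUS = {"name": ".xyz", "vsize": 0x1000, "vaddr": 0x3000, "rawsize": 0x200, "rawptr": 0xE00,
         "chars": IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE}
CLEAN_PE = build_pe([TEXT, DATA], entry_rva=0x1100)
INFECTED_PE = build_pe([TEXT, DATA, VIRUS], entry_rva=0x3000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, *verdict(img))
```

Only PE32 is handled; PE32+ moves several optional-header fields, so a production parser would branch on the magic value. Passing the real file length to find_anomalies is what catches a section table that claims more raw data than the file holds.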
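The following is an added example (editor's illustration, not the thesis's code) of the k-gram matching against an attack tree described in contribution (2). An API call sequence is split into overlapping short sequences of length k; each leaf of the tree holds an API pattern and a malicious weight, its occurrence probability is the fraction of the pattern's k-grams seen in the program, and AND/OR nodes combine their children's values. The tree, the weights, the AND/OR aggregation rule and the API sequences are all the editor's assumptions, since the thesis's exact formula is not on this page.

```python
"""Attack-tree scoring of API call k-grams, as in contribution (2).

Added by the editor as an illustration. The tree, the malicious weights, the
AND/OR aggregation rule and the API sequences below are assumptions; the
thesis's own tree and formula are not reproduced on the page.
"""


def kgrams(seq, k):
    """Split an API call sequence into overlapping short sequences of length k."""
    return [tuple(seq[i:i + k]) for i in range(len(seq) - k + 1)]


def leaf(name, pattern, weight):
    return {"name": name, "type": "leaf", "pattern": pattern, "weight": weight}


def node(name, kind, weight, children):
    return {"name": name, "type": kind, "weight": weight, "children": children}


def score(tree, observed, k):
    """Risk value in [0, 1] of one node given the set of observed k-grams.

    leaf: p = fraction of the pattern's k-grams present; value = p * weight
    and : every child step is needed; value = weight * product(child values)
    or  : any child suffices;          value = weight * (1 - product(1 - child values))
    """
    if tree["type"] == "leaf":
        pat = kgrams(tree["pattern"], k)
        if not pat:
            raise ValueError(f"pattern {tree['name']} is shorter than k={k}")
        p = sum(g in observed for g in pat) / len(pat)
        return p * tree["weight"]
    vals = [score(c, observed, k) for c in tree["children"]]
    if tree["type"] == "and":
        prod = 1.0
        for v in vals:
            prod *= v
        return tree["weight"] * prod
    if tree["type"] == "or":
        miss = 1.0
        for v in vals:
            miss *= 1.0 - v
        return tree["weight"] * (1.0 - miss)
    raise ValueError(f"unknown node type {tree['type']}")


def risk_index(api_sequence, tree, k=3):
    """Event risk index at the root of the tree for one program's API sequence."""
    return score(tree, set(kgrams(api_sequence, k)), k)


# Constructed attack tree: a Trojan that installs itself (persistence AND injection)
# OR simply opens a command-and-control channel.
TROJAN_TREE = node("trojan", "or", 1.0, [
    node("install", "and", 1.0, [
        leaf("run_key_persistence", ["RegOpenKeyExW", "RegSetValueExW", "RegCloseKey"], 0.6),
        leaf("remote_thread_injection",
             ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"], 0.9),
    ]),
    leaf("c2_channel", ["WSAStartup", "socket", "connect", "send", "recv"], 0.7),
])

# Constructed API call sequences standing in for what a static extractor lists from a PE file.
BENIGN_SEQ = ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "ExitProcess"]
TROJAN_SEQ = ["RegOpenKeyExW", "RegSetValueExW", "RegCloseKey",
              "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
              "WSAStartup", "socket", "connect", "send", "recv"]
PARTIAL_SEQ = ["WSAStartup", "socket", "connect", "send", "closesocket"]

if __name__ == "__main__":
    for name, seq in (("benign", BENIGN_SEQ), ("trojan", TROJAN_SEQ), ("partial", PARTIAL_SEQ)):
        print(f"{name:8s} risk index = {risk_index(seq, TROJAN_TREE):.3f}")
```

With k = 3 the full Trojan sequence scores 0.862 at the root, the benign sequence 0, and a program that only half-builds the C2 channel about 0.47; the AND node is what stops injection alone, without persistence, from raising the index, which is the point of matching against a tree rather than a flat signature list.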
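The following is an added example (editor's illustration, not the thesis's model) of the per-API labelling in contribution (3): a linear-chain CRF over an API call sequence with two labels, decoded by Viterbi, with the conditional probability of the chosen labelling computed from the forward algorithm, and a file-level decision taken from the proportion of malicious tags. The emission and transition weights are hand-set stand-ins for trained parameters, and the label set, threshold and API sequences are the editor's assumptions; the thesis's feature templates and training data are not on this page.

```python
"""Linear-chain CRF decoding over an API call sequence, as in contribution (3).

Added by the editor as an illustration. The weights are hand-set stand-ins for
trained CRF parameters, and the label set, threshold and API sequences are
assumptions; none of it is taken from the thesis.
"""
import math

LABELS = ("B", "M")   # B = benign-looking call, M = malicious-looking call

# Assumed emission weights w(api, label); anything not listed scores 0.
EMIT = {
    ("OpenProcess", "M"): 0.5, ("VirtualAllocEx", "M"): 1.0,
    ("WriteProcessMemory", "M"): 1.5, ("CreateRemoteThread", "M"): 2.0,
    ("CreateFileW", "B"): 1.0, ("ReadFile", "B"): 1.0,
    ("WriteFile", "B"): 0.8, ("CloseHandle", "B"): 0.5,
}
# Assumed transition weights w(prev_label, label): a label tends to persist.
TRANS = {("B", "B"): 1.0, ("M", "M"): 1.0, ("B", "M"): -0.5, ("M", "B"): -0.6}


def sequence_score(apis, labels):
    """Unnormalised log-score: sum_t [EMIT(x_t, y_t) + TRANS(y_{t-1}, y_t)]."""
    s = 0.0
    for t, (x, y) in enumerate(zip(apis, labels)):
        s += EMIT.get((x, y), 0.0)
        if t:
            s += TRANS.get((labels[t - 1], y), 0.0)
    return s


def log_partition(apis):
    """log Z(x) by the forward algorithm, so that P(y|x) = exp(score(x, y) - log Z(x))."""
    alpha = {y: EMIT.get((apis[0], y), 0.0) for y in LABELS}
    for x in apis[1:]:
        alpha = {y: math.log(sum(math.exp(alpha[p] + TRANS.get((p, y), 0.0)) for p in LABELS))
                 + EMIT.get((x, y), 0.0) for y in LABELS}
    return math.log(sum(math.exp(v) for v in alpha.values()))


def viterbi(apis):
    """Label sequence with the highest conditional probability, and that probability."""
    if not apis:
        return [], 1.0
    score = {y: EMIT.get((apis[0], y), 0.0) for y in LABELS}
    back = []
    for x in apis[1:]:
        new_score, ptr = {}, {}
        for y in LABELS:
            prev = max(LABELS, key=lambda p: score[p] + TRANS.get((p, y), 0.0))
            ptr[y] = prev
            new_score[y] = score[prev] + TRANS.get((prev, y), 0.0) + EMIT.get((x, y), 0.0)
        score, back = new_score, back + [ptr]
    best = max(LABELS, key=score.get)
    labels = [best]
    for ptr in reversed(back):          # follow back-pointers from the last position
        labels.append(ptr[labels[-1]])
    labels.reverse()
    return labels, math.exp(score[best] - log_partition(apis))


def classify(apis, threshold=0.5):
    """File-level decision from the proportion of M tags (threshold is an assumed value)."""
    labels, prob = viterbi(apis)
    ratio = labels.count("M") / len(labels) if labels else 0.0
    return ("intrusion" if ratio >= threshold else "non-intrusion"), ratio, labels, prob


# Constructed API call sequences for three test files.
TROJAN_APIS = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
               "CreateRemoteThread", "CloseHandle"]
BENIGN_APIS = ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle"]
MIXED_APIS = ["CreateFileW", "ReadFile", "OpenProcess", "VirtualAllocEx",
              "WriteProcessMemory", "CreateRemoteThread"]

if __name__ == "__main__":
    for apis in (TROJAN_APIS, BENIGN_APIS, MIXED_APIS):
        decision, ratio, labels, prob = classify(apis)
        print(f"{decision:13s} M-ratio={ratio:.2f} P(y*|x)={prob:.3f} {labels}")
```

Note what the transition weights do: in TROJAN_APIS the final CloseHandle has a benign emission weight yet is tagged M, because the M-to-M transition outweighs it; that context effect is what the abstract means by context-aware classification, and it is also why the file-level decision uses the proportion of tags rather than any single API.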
[Degree-granting institution]: Shandong Normal University
[Degree level]: Master
[Year of degree]: 2014
[CLC number]: TP393.08
Article ID: 2245343
Link: http://sikaile.net/guanlilunwen/ydhl/2245343.html