Published in: 《计算机应用》 (Journal of Computer Applications)

System Call Anomaly Detection Based on the Least Entropy Length of Process Traces


Abstract

The system call trace of a process carries two kinds of invariability: program behavior invariability and user behavior invariability. The former can be further subdivided into temporal order invariability and frequency invariability. Existing research on system-call-based anomaly detection focuses on program behavior invariability only, ignoring user behavior invariability. Starting from the frequency invariability embedded in process traces, this work studies the existence of user behavior invariability in system call traces and the means of describing it, and proposes the least entropy length as a measure of this invariability. Experiments on the Sendmail dataset show that the least entropy length describes the user behavior invariability in system call traces well and, combined with program behavior invariability, greatly improves the performance of system call anomaly detection.
