Program Behavior Anomaly Detection Method Based on Improved HMM

doi:10.3969/j.issn.1671-1122.2016.09.022

Abstract

Abstract:

Anomaly detection of program behavior is an important part of network anomaly detection. In traditional HMM, the probability of transition and the probability of the observed value is only related to the previous state, which leads to high false alarm rate and low detection rate. In this paper an improved 2HMM detection method is proposed, which is based on local regularity of the system calls. And in order to reduce the training time, the model uses a more simple parameter estimation algorithm. Finally, through the experiment, compared with the traditional HMM and traditional 2HMM,the superiority of the model is proved.

Key words: program behavior, anomaly detection, HMM

CLC Number:

TP309

Xin WU, Yuesong YAN, Xiaoran LIU. Program Behavior Anomaly Detection Method Based on Improved HMM[J]. Netinfo Security, 2016, 16(9): 108-112.

Figures/Tables 4

References 14

[1]	HOFMEYR S A,FORREST S,SOMAYAJI A.Intrusion Detection Using Sequence of System Calls[J].Journal of Computer Security,1998,6(3),151-180.
[2]	WARRENDER C,FORREST S,PEARLMUTTER B.Detecting Intrusions using System Calls: Alternative Data Models[C]//IEEE. 1999 IEEE Symposium on Security and Privacy,May 9-12, 1999,Oakland,CA.NJ:IEEE,1999:133-145.
[3]	党小超,马峻,郝占军.基于Improved-HMM的进程行为异常检测[J].计算机工程与设计,2011,32(4):1264-1267.
[4]	赵婧,魏彬,罗鹏,等.基于隐马尔科夫模型的入侵检测方法[J].四川大学学报,2016,48(1),106-110.
[5]	董玲,张宏莉,叶麟.基于系统调用序列分析入侵检测的层次化模型[J].智能计算机与应用,2014,4(4):13-16.
[6]	王琼,倪桂强,潘志松,等.基于改进隐马尔科夫模型的系统调用异常检测[J].数据采集与处理,2009,24(4):508-513.
[7]	郑海洋. 系统调用在主机入侵检测中的研究与应用[D].广州:广东工业大学,2011.
[8]	杨连群,温晋英,刘树发,等. 一种改进的图分割算法在用户行为异常检测中的应用[J]. 信息网络安全,2016(6):35-40.
[9]	郭彦明,陈黎飞,郭躬德.DNA序列的二阶隐马尔科夫模型分类[J].计算机系统应用,2015,24(9):22-28.
[10]	汤健,孙春来,毛克峰,等. 基于主元分析和互信息维数约简策略的网络入侵异常检测[J]. 信息网络安全,2015(9):78-83.
[11]	陈军霞,刘紫玉.基于Baum-Welch算法HMM模型的孤词算法研究[J].河北科技大学学报,2015,36(1):52-57.
[12]	钟锐. 基于隐马尔科夫模型的入侵检测系统研究[D].南昌:江西理工大学,2010.
[13]	吴晓平,周舟,李洪成. Spark框架下基于无指导学习环境的网络流量异常检测研究与实现[J]. 信息网络安全,2016(6):1-7.
[14]	UNM.University of New Mexico’s Computer Immune Systems Project[EB/OL]. ,2016-1-15.