Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Xinmei HOU,Kaikun DONG

DOI: https://doi.org/10.3969/j.issn.2095-2163.2016.05.009

2016-01-01

Abstract:With the advent of the information age, more and more people pay attention to the network security. Safety engineers have treated malicious virus and programs as the protection key, network security offensive and defensive game never stops. This paper proposes a malicious behavior backend monitoring scheme based on Windows Service, detecting and intercepting the abnormal behaviors with DLL injection and API HOOK caused by virus from Multi?Demensions. This method covers the shortage of single detection dimension. It is particularly worth mentioning here that this paper adopts a way of kernel?level injection by analysing kernel?level system calls, and works out the limitation on injection behaviors by mainstream OS, makes the cross?platform general injection possible. Finally, this system runs in backend in a Windows Service way, reduces the energy consumption and improves the operation stability. Meanwhile, the paper proposes the conception of “Selfish Protection Set”, which provides a deeper research direction for malicious behaviors monitoring.

Yue Shen,Fei Yu,Ling-Fen Zhang,Ji-Yao An,Miao-Liang Zhu

DOI: https://doi.org/10.1109/CANET.2005.1598184

2005-01-01

Abstract:Intrusion detection is an efficient way to protect information system. This paper puts forward a new method of anomalous intrusion detection based on system call. It uses system calls regarded as input, and creates a FSA for the functions in the program. Then the FSA is used to detect the attack. Moreover, It can find the place of the vulnerability which exists in the program. This can help to alter the source program. Results are shown that this method is effective for some intrusion events.

Haojin Zhu

2007-01-01

Abstract:Monitoring program behavior is one of the highlighted research topics of host-based anomaly detection recently.The key is to construct a program behavior-based anomaly detection model.Some existing anomaly detection techniques based on system call sequences are analyzed and discussed in this paper.They are compared from three dimensions: the information extracted from system call,the system call level used in anomaly detection and the information recorded by anomaly detector.Future work in this direction is also presented.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

Nitin Kanaskar,Remzi Seker,Jiang Bian,Vir V. Phoha

DOI: https://doi.org/10.1109/TSMCC.2012.2208187

2012-01-01

Abstract:Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system’s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system’s (program’s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.

BAO Xinlong,LUO Wenjian,CAO Xianbin,WANG Xufa

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.08.051

2005-01-01

Abstract:Based on real-time catching registry table behaviors of applications, a novel registry table anomaly behaviors detecting technology is proposed. The kernel ideas and detailed implementation methods are described by taking Internet Explore browser for example, and the practical experiments are done. The experimental results prove that this technology is feasible and effective.

Lin Guo,Guo Shan,Huang Hao,Cao Tian

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.09.006

2006-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Differing from existed anomaly detection methods which only dealt with the frequencies of system calls or local variation, the paper puts forward a model named DBCPIDS. It took in both dynamic behavior and character patterns of programs. In this model, the authors defined the short sequence of system calls as a character pattern if this sequence satisfied the certain support degree, and propose an improved HMM (IHMM) on this basis. When detecting intrusions, firstly, we would judge whether the program trace is matched character patterns. If not, then the authors would use IHMM to detect. The model can not only reflect the global character of the program normal traces, but also pay much attention to the local warp in the execution. The experiments results show that the authors can get higher detection rate and lower false positive rate with DBCPIDS.

ZHANG Jun,SU Pu-rui,FENG Deng-guo

2006-01-01

Journal of Computer Applications

Abstract:The technology of Intrusion Detection is one of the important measures to protect the networks.Host-based intrusion detection is used to protect the key hosts.A flexible loading intrusion detection based on system-call was introduced in this paper.This system improved the common data collection method,and adopted virtual equipment driversto acquire system call.This method brings small influence on system,is easy to load and unload,and provides the standard interface. The data analysis integrates the two detection methods: anomaly and misuse,which provides corresponding detection models and introduces the noise filtering function.

ZHAO Shuang,LIU Lu,TAO Jing,MA Xiao-bo

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.01.054

2011-01-01

Abstract:This paper proposes an architecture of program behavior analysis at ring 0 level based on virtual machine on Windows platform and a program behavior analysis system named Malbox is implemented,which is able to detect program's process,file,registry and network behavior in a closed virtual environment.Experiments based on various malware samples prove that Malbox is efficient and performs well on detecting the host and network behavior of programs.

ZHAO Yu-ming,ZHANG Wei,teng SH

2007-01-01

Abstract:The technique of intrusion detection has become a focus in the field ofnetwork security. This paper introduced the categories of intrusion detection and the methods of data mining applied in abnormal detection. It also described the design and implementation of the abnormal IDS based on system call and data mining algorithms.

LIU Heng,WEN Wei-ping,WAN Zheng-su

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.07.005

2011-01-01

Abstract:Static analysis and dynamic analysis are the two common analysis methods in malware analysis. With the anti-debugging, program packers, code obfuscation, polymorphism and variants such technologies coming out, the limitations of static analysis methods become more and more. Here is a tool to dynamic analysis Malware Code based on kernel callback and Regular Expressions, demonstrate it’s capabilities by analyzing the Fujacks .As a result ,improved the efficiency of the tool in the automating analysis.

Xiao-zhe LI,Mei-jun ZANG,Yi-qi DAI

DOI: https://doi.org/10.3969/j.issn.1672-464X.2008.04.015

2008-01-01

Abstract:Nowadays,Windows operating system is the most prevalent OS,and its security problem is widely concerned by users.System call interception is an efficient way to control accesses to the Windows system resource.This paper introduces and implements an API HOOK method to intercept Windows system calls,and exploits it to control host behaviors.By experiments,we prove that this system call interception method can control host access to system resources,which improves the security level of Windows OS.

ZHAO Dong-ping,ZHENG Wei-bin,ZHANG De-yun

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.035

2005-01-01

Abstract:To address the problem of application-level web security,an adaptive intrusion detection system is proposed,which is embedded directly in the Web server.In order to define all the valid requests for anomaly detection and misuse detection,the techniques which observe the clients' access behavior relevancy and adjust their personal policies dynamically are employed.The experiments indicate that the proposed system can not only confirm the valid request but also defend the new attack behavior and detect the old attack event.Based on the proposed method,the detecting rate is over 95.8% under common attack scanning.

ZHANG Qixun,HAN Jing,CHENG Li,ZHANG Baisheng,GONG Zican

DOI: https://doi.org/10.12142/ZTECOM.202203011

2022-01-01

Abstract:Microservices have become popular in enterprises because of their excellent scalability and timely update capabilities . However, while fine-grained modularity and service-orientation decrease the complexity of system development, the complexity of system operation and maintenance has been greatly increased, on the contrary. Multiple types of system failures occur frequently, and it is hard to detect and diag-nose failures in time. Furthermore, microservices are updated frequently. Existing anomaly detection models depend on offline training and cannot adapt to the frequent updates of microservices. This paper proposes an anomaly detection approach for microservice systems with multi-source data streams. This approach realizes online model construction and online anomaly detection, and is capable of self-updating and self-adapting. Experimental results show that this approach can correctly identify 78.85％of faults of different types.

Wei Dong,Luyao Luo,Chun Chen,Jiajun Bu,Xue Liu,Yunhao Liu

DOI: https://doi.org/10.1109/tpds.2016.2542815

IF: 5.3

2016-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Detecting and diagnosing anomalies in networked embedded systems like sensor networks is a very difficult task, due to the variable workloads and severe resource constraints. We notice that most node-level debugging tools can provide detailed program information inside the node but fail to detect when and where a problem occurs in the network. On the other hand, most network-level diagnosis tools can effectively detect a problem from the network but fail to narrow down the problem within the node because they lack detailed program information. To close the gap, we propose D2, a new anomaly detection and diagnosis method by combining program profiling and symptom mining. D2 employs binary instrumentation to perform lightweight function count profiling. Based on the statistics, D2 uses PCA (Principal Component Analysis) based approach for automatically detecting network anomalies. Compared to previous methods, D2 is able to point programmers closer to the most likely causes by a novel approach combining statistical tests and program call graph analysis. We implement our method based on TinyOS 2.1.1 and evaluate its effectiveness by case studies in the development of a working sensor network. Results show that our method is effective for detecting and diagnosing problems in real-world sensor network systems, and at the same time, incurs an acceptable overhead.

TAO Jing,MA Xiao-bo,ZHAO Juan,ZHENG Qing-hua

DOI: https://doi.org/10.3969/j.issn.1001-0548.2007.06.026

2007-01-01

Abstract:Abnormal behaviors of hosts are complicated and diversified caused by many factors. However, they are often incarnated by the usage of resouces such as CPU, memory, bandwidth, etc. In this paper, a novel method for anomaly detection based on Host Resource Availability (HRA) is presented. Firstly, an index system is established to describe the usage of host resource. Secondly, a normal profile of HRA is extracted by experiment. Finally, an algorithm called Double-Threshold Anomaly Detection Algorithm (DTADA ) is put forward according to the particularity of HRA. Application testing shows that our method has a satisfied result.

Dan Yang,Xiaohong Zhang,Yufu Chen,Ziliang Wang,Meng Yan

DOI: https://doi.org/10.1109/ICWS55610.2022.00062

2022-07-01

Abstract:Software architecture is undergoing a transition from monolithic architectures to microservices to achieve resilience, agility, and scalability in the software life circle. However, microservice architecture is not perfect and suffers from intermittent faults, leading to economic and user losses. Therefore, it is essential to detect anomalies in microservice systems accurately. The key limitation of current approaches lies in a lack of ability to detect multitype anomalies, excessive resource overhead, and requirements of expert knowledge. In this paper, we present a Deep Attentive anomaly detection approach with Multimodal data named DAM. With multimodal fusion, attentive LSTM, and a dynamic threshold selecting algorithm, DAM could detect anomalies accurately and efficiently in an unsupervised manner. We evaluate our approach by injecting six types of anomalies on a widely used microservice system, Train-Ticket. The result shows that DAM could detect multitype anomalies well, with 80.46% F-measure, achieving 16.76% and 29.52% improvement over two state-of-the-art baselines (Donut and DAGMM), respectively.

Computer Science

Cai Hongmin,Wu Naiqi,Teng Shaohua

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.05.076

2012-01-01

Abstract:Networks attack means emerge endlessly along with the growing serious network security problems.As a kind of main malicious code,Trojan horse program brings great troubles to computer users in the areas of infringing personal privacies and remotely monitoring the computers of others,etc.The authors implement a distributed Trojan horse program detection system by applying the deep packet inspection technology to the detection of Trojan horse program,we use regular expression to match the attack mode in detecting the Trojan horse program,therefore have strengthened the security of networks.

Chien-Ming Chen,Mu-En Wu,Bing-Zhe He,Xinying Zheng,Chieh Hsing,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-319-06320-1_10

2014-01-01

Abstract:It is easy to discover if there are hooks in the System Service Dispatch Table (SSDT). However, it is difficult to tell whether theses hooks are malicious or not after finding out the hooks in the SSDT. In this paper, we propose a scheme that evaluates the hooks by comparing the returned results before hooking and after hooking. If a malicious hook which hides itself by the way of modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that it will not perturb the normal operation of user-mode programs. Finally, we focus on the existing approaches of rootkits detection in both user-mode and kernel-mode. Our method effectively monitors the behavior of hooks and brings an accurate view point for users to examine their computers.