Jin-zhong HUANG,Miao-liang ZHU,Ye GUO

DOI: https://doi.org/10.3785/j.issn.1008-973X.2006.02.014

2006-01-01

Abstract:Current anomaly detection technique cannot provide any valuable information except simple alarm. To resolve this problem, a new anomaly detection method was proposed. The system call traces are represented as a kind of hierarchy model composed of system call, operation, transition and activity, while the normal program behavior is described using a context-free grammar with semantic labels attached. Some key system calls and their parameters or return values are used to segment and learn normal traces. Experimental results show that this method can effectively detect attacks exploiting vulnerabilities, and can also analyze anomaly scenes and provide much information on anomalous events including intruders' IP addresses.

Xiaozhen Zhou,Shanping Li,Zhen Ye

DOI: https://doi.org/10.1155/2013/179390

IF: 1.43

2013-01-01

Mathematical Problems in Engineering

Abstract:Computer systems are becoming extremely complex, while system anomalies dramatically influence the availability and usability of systems. Online anomaly prediction is an important approach to manage imminent anomalies, and the high accuracy relies on precise system monitoring data. However, precise monitoring data is not easily achievable because of widespread noise. In this paper, we present a method which integrates an improved Evidential Markov model and ensemble classification to predict anomaly for systems with noise. Traditional Markov models use explicit state boundaries to build the Markov chain and then make prediction of different measurement metrics. A Problem arises when data comes with noise because even slight oscillation around the true value will lead to very different predictions. Evidential Markov chain method is able to deal with noisy data but is not suitable in complex data stream scenario. The Belief Markov chain that we propose has extended Evidential Markov chain and can cope with noisy data stream. This study further applies ensemble classification to identify system anomaly based on the predicted metrics. Extensive experiments on anomaly data collected from 66 metrics in PlanetLab have confirmed that our approach can achieve high prediction accuracy and time efficiency.

谭小彬,王卫平,奚宏生,殷保群

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.12.073

2002-01-01

Abstract:The paper builds a Markov model of system calls sequence on computer system for intrusion detection, and introduces an anomaly detection method for computer systems. It analyses the current system calls sequences by using the knowledge on statistics, then defines a mismatch factor based on transition probabilities to compute the mismatch rate, and judges whether the process is in normal state or not by analyzing the mismatch rate. It also gives an updated algorithm of transition probabilities based on forgetting factor.

Cheng Zhang,Qinke Peng

DOI: https://doi.org/10.1007/11596981_47

2005-01-01

Abstract:Anomaly detection has emerged as an important approach to computer security. In this paper, a new anomaly detection method based on Hidden Markov Models (HMMs) is proposed to detect intrusions. Both system calls and return addresses from the call stack of the program are extracted dynamically to train and test HMMs. The states of the models are associated with the system calls and the observation symbols are associated with the sequences of return addresses from the call stack. Because the states of HMMs are observable, the models can be trained with a simple method which requires less computation time than the classical Baum-Welch method. Experiments show that our method reveals better detection performance than traditional HMMs based approaches.

Hong-jiao LI,Jian-hua LI

DOI: https://doi.org/10.16183/j.cnki.jsjtu.2007.11.009

2007-01-01

Shanghai Jiaotong Daxue Xuebao/Journal of Shanghai Jiaotong University

Abstract:By combining static analysis and dynamic learning, an efficient dataflow attribute analyzing method in program behavior-based anomaly detection was proposed. The new method focuses on both system call argument values and binary relations between arguments. Description of the new method was given and its advantages were discussed. The performance evaluations on Linux programs show that the new method is efficient and there is little overhead introduced by the dataflow attribute gained through this method.

徐明,陈纯,应晶

2004-01-01

Journal of Software

Abstract:The aim of this paper is to create a new anomaly detection model based on rules. A detailed classification of the LINUX system calls according to their function and level of threat is presented. The detection model only aims at critical calls (I.e. The threat level 1 calls). In the learning process, the etection model dynamically processes every critical call, but does not use data mining or statistics from static data. Therefore, the increment learning could be implemented. Based on some simple predefined rules and refining, the number of rules in the rule database could be reduced dramatically, so that the rule match time can be reduced effectively during detection processing. The experimental results clearly demonstrate that the detection model can effectively detect R2L, R2R and L2R attacks. Moreover the detected anomaly is limited in the corresponding requests, but not in the entire trace. The detection model is fit for the privileged processes, especially for those based on request-responses.

Lin Guo,Guo Shan,Huang Hao,Cao Tian

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.09.006

2006-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Differing from existed anomaly detection methods which only dealt with the frequencies of system calls or local variation, the paper puts forward a model named DBCPIDS. It took in both dynamic behavior and character patterns of programs. In this model, the authors defined the short sequence of system calls as a character pattern if this sequence satisfied the certain support degree, and propose an improved HMM (IHMM) on this basis. When detecting intrusions, firstly, we would judge whether the program trace is matched character patterns. If not, then the authors would use IHMM to detect. The model can not only reflect the global character of the program normal traces, but also pay much attention to the local warp in the execution. The experiments results show that the authors can get higher detection rate and lower false positive rate with DBCPIDS.

Wei LU,Qing-Kai ZENG

DOI: https://doi.org/10.1360/jos182841

2007-01-01

Journal of Software

Abstract:This paper presents a control-flow-based program behavior extended model EMPDA(extended model based on push down automaton)by adding invariance constraints to control flow model,which can describe some invariance properties while a program is running safely,and enhance the ability of intrusion detection.By distinguishing the importance of system calls according to practical applications,this paper divides the program behavior model into core model and secondary model to reduce the workload of the model and improve the learning efficiency.Experimental results show that the extended model has better performances in many aspects,such as coverage speed,false positive rate and the capability of intrusion detection.

Zezhou Li,Jing Zhang,Xianbo Zhang,Feng Lin,Chao Wang,Xingye Cai

DOI: https://doi.org/10.1109/seai55746.2022.9832400

2022-01-01

Abstract:Logs are widely used in IT industry and the anomaly detection of logs is essential to identify the running status of systems. Conventional methods solving this problem require sophisticated rule-based regulations and intensive labor input. In this paper, we propose a new model based on natural language processing techniques. In order to modify the feature extraction and to improve the vector quality of log templates, Part-of-Speech (PoS) and Named Entity Recognition (NER) are employed in our model, which leads to the less involvement of regulation-based rule and a modification of the template vector thanks to the weight vector by NER. The PoS property of each token in the template is firstly analyzed, which also reduces labor involvement and helps for better weight allocation. The weight investigation on tokens of the template is introduced to modify the template vector. And the final detection based on the modified vector of templates is realized by deep neural networks (DNNs). The effectiveness of our model is tested on three datasets, and compared with two state-of-the-art models. The evaluation results prove that our model achieves better log anomaly detection.

Zhixia Zhang,Liping Xie

DOI: https://doi.org/10.1002/cpe.5861

2020-01-01

Abstract:At present, irrelevant or redundant features in network traffic data occupy a lot of storage and computing resources, reducing the accuracy of network anomaly detection. Aiming at this problem, a many-objective feature selection model is proposed in this article. The model takes the number of selected feature, false alarm rate, detection rate, precision and accuracy as the optimization objectives, and characterizes the performance of the feature selection method from different perspectives. At the same time, a many-objective integration optimization algorithm (IN-MaOEA) is designed to solve this model. First, the algorithm will build the evolution strategy pool and the dominance strategy pool, then a random probability strategy selection mechanism is designed to improve the algorithm's convergence and diversity. At the same time, an anomaly detection simulation was performed using the NSL-KDD dataset. Experimental results show that the IN-MaOEA algorithm can effectively improve the performance of detection.

Haojin Zhu

2007-01-01

Abstract:Monitoring program behavior is one of the highlighted research topics of host-based anomaly detection recently.The key is to construct a program behavior-based anomaly detection model.Some existing anomaly detection techniques based on system call sequences are analyzed and discussed in this paper.They are compared from three dimensions: the information extracted from system call,the system call level used in anomaly detection and the information recorded by anomaly detector.Future work in this direction is also presented.

Yaling Yu,Xiao Dong,Jingfeng Xue,Chen He,Xuyang Zhou

DOI: https://doi.org/10.2991/ameii-15.2015.55

2015-01-01

Abstract:Software anomaly behavior detection depends on the software behavior modeling. The key of software behavior model based on system call is the maturity level of the model. Based on the analysis of currently used software behavior modeling method, Combined with variable- length sequence model and VT-Path virtual path model's advantages, an improved software behavior model is presented, and apply this model to software behavior evaluation system. Experimental results show that the software behavior evaluation system based on this model is able to evaluate and judgment the malicious behavior of software.

Feng Li,Sun Jie,Zhou Xiaoming,Yang Liwei,Pen Qinke

DOI: https://doi.org/10.3321/j.issn:0253-987x.2006.04.009

2006-01-01

Abstract:In order to detect more and more serious attacks against the Windows operating system (OS), a multi-step consistency model and exponential iteration detection algorithm (EIDA) based on Native API sequences were proposed to realize the detection of the anomaly intrusions from kernel space in Windows operating system. The system service dispatch table is captured by designing a virtual device so as to get the Native API information in real time. One step and two steps consistency models are built by the captured normal Native API data to describe the normal behavior of processes. In the detection process, the normal index of emerging Native API is measured continuously by EIDA. The normal indexes are analyzed through an alarm extraction algorithm, which uniquely determines the corresponding attack and provide administrator with guarantee to grasp the security situation of OS in time. The experiments under different Windows OS environment indicate that the proposed method has better accuracy.

Peijun Ma

2012-01-01

Abstract:To deal with the problems such as high complexity and low accuracy of redundancy detection,a model of redundancy detection based on control structure analysis is proposed and implemented.This paper predigests the complexity of control structure by establishing a compound node table for tokens,which reduces the complexity of redundancy detection,and then detects the idempotent operations,dead code and redundant assignment.Experimental results of the open source code of Linux show that this model can find redundant code accurately and also has a low time-complexity.With this model,it is very convenient for developers to detect and correct these kinds of defects,and thereby to further guarantee the software quality.

ZHANG Cheng,PENG Qinke

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.07.050

2007-01-01

Abstract:A novel method is proposed to construct variable-length patterns by using dynamically extracting information from call stack of the process.This method uses the chains of function return addresses to derive a table of variable-length patterns,and reduces the pattern set based on the structure of functions of the process.Then a Markov chain model is constructed based on variable-length patterns to detect abnormal behaviors.The experimental results indicate that compared with the traditional variable-length pattern based method and the first-order Markov chain model method,the proposed method can achieve higher hit rates and lower false alarm rates.

Jingyu Hua,Mingchu Li,Kouichi Sakurai,Yizhi Ren

DOI: https://doi.org/10.1007/978-3-642-04846-3_11

2009-01-01

Abstract:Some intrusion detection models such as the VPStatic first construct a behavior model for a program via static analysis, and then perform intrusion detection by monitoring whether its execution is consistent with this behavior model. These models usually share the highly desirable feature that they do not produce false alarms but they face the conflict between precision and efficiency. The high precision of the VPStatic is at the cost of high space complexity. In this paper, we propose a new context-sensitive intrusion detection model based on static analysis and stack walks, which is similar to VPStatic but much more efficient, especially in memory use. We replace the automaton in the VPStatic with a state transition table (STT) and all redundant states and transitions in VPStatic are eliminated. We prove that our STT model is a deterministic pushdown automaton (DPDA) and the precision is the same as the VPStatic. Experiments also demonstrate that our STT model reduces both time and memory costs comparing with the VPStatic, in particular, memory overheads are less than half of the VPStatic’s. Thereby, we alleviate the conflict between precision and efficiency.

Kun Zhou,Wenyong Wang,Teng Hu,Kai Deng

DOI: https://doi.org/10.3390/e23030274

2021-02-25

Abstract:Anomaly detection research was conducted traditionally using mathematical and statistical methods. This topic has been widely applied in many fields. Recently reinforcement learning has achieved exceptional successes in many areas such as the AlphaGo chess playing and video gaming etc. However, there were scarce researches applying reinforcement learning to the field of anomaly detection. This paper therefore aimed at proposing an adaptable asynchronous advantage actor-critic model of reinforcement learning to this field. The performances were evaluated and compared among classical machine learning and the generative adversarial model with variants. Basic principles of the related models were introduced firstly. Then problem definitions, modelling processes and testing were detailed. The proposed model differentiated the sequence and image from other anomalies by proposing appropriate neural networks of attention mechanism and convolutional network for the two kinds of anomalies, respectively. Finally, performances with classical models using public benchmark datasets (NSL-KDD, AWID and CICIDS-2017, DoHBrw-2020) were evaluated and compared. Experiments confirmed the effectiveness of the proposed model with the results indicating higher rewards and lower loss rates on the datasets during training and testing. The metrics of precision, recall rate and F1 score were higher than or at least comparable to the state-of-the-art models. We concluded the proposed model could outperform or at least achieve comparable results with the existing anomaly detection models.

LUO Yu-xia,LIU Jin-gang

DOI: https://doi.org/10.3969/j.issn.1007-130x.2007.06.002

2007-01-01

Abstract:Program behavior modeling and searching is the key issue of anomaly detection. A method is presented, in which the segment ID and the offset of the program counter (PC),when system calls are invoked,are used as events.The event sequence set is produced by sliding the window in orderly events, and a normal behavior model set is built by using full 16-ary ordered trees.A full 16-ary ordered tree is designed for improving the efficiency of storing and searching rule sets.The storage byte sequence in the full 16-ary ordered tree implies the relationship information between nodes. The time complexity of searching the rule set for a rule only relates to the depth of the tree, and if the depth of the tree is fixed, the time complexity is O(1). The definition of a full 16-ary ordered tree, its features,its creating and searching algorithms are presented.

GUI Shu,GUO Li,LU Hai-xian,XIE Jin-sheng

DOI: https://doi.org/10.3969/j.issn.1002-0802.2012.09.031

2012-01-01

Abstract:With the increasing application of video surveillance system in various fields,the traditional method with manual calibration of abnormal behavior in video now could not meet the demand for analysis of massive video data.By analyzing the target's gesture,the anomaly of target's instantaneous motion could be detected.Based on gesture codebook and gesture histogram,an abnormal gesture detection method is proposed,and this method relies on no priori knowledge of the scenario and is less influenced by the change of viewpoint,the model could be updated in real time and without any supervision,thus to adapt itself to the time-varying environment,and effectively detect gesture anomaly of the target.The experiments indicate the availability,robustness and the application value of this method.

Darong Huang,Mengting Lin,Lanyan Ke,Zhenping Deng

DOI: https://doi.org/10.1155/2018/1938490

2018-11-11

Journal of Control Science and Engineering

Abstract:Considering the complexity and the criticality of the stacker equipment, in order to solve the problem that the stop accuracy of the stacker reduces or even fails to work due to abrasion of the running rail, this paper proposes a cooperative detection method based on Pulse Coupling Neural Network (PCNN) and wavelet transform theory to detect the abnormal points of the stacker running rail in industrial environment by analyzing the variation signals. First of all, considering the fact that the data is mixed up with noises because of the environment at the site and the possibility of the data acquisition equipment breaking down, a noise reduction method for the vibration signal data of stacker is constructed based on PCNN. Then, the basic theory of wavelet transform is introduced and then the rules of judging anomaly points on stackers’ running tracks are discussed based on wavelet transform. In addition, a cooperative detection method based on PCNN and wavelet transform theory is carried out based on the space-time distribution feature of the vibration of the stacker orbits in the industrial environment. Then the rationality of the proposed algorithm is verified by simulation through data provided by State Grid Measuring Center of China. This paper constructs a model of the abnormal point detection of the stackers in an industrial environment. The experimental simulation and example simulation show that the cooperative detection method based on PCNN and wavelet transform theory can effectively detect and locate the anomaly points of the stacker running tracks. The expansibility in engineering applications is promising. Lastly, some conclusions are discussed.