Yingying Zhu,Mao Ye,Xin Zhao,Lijuan Li,Xi Meng

2008-01-01

Abstract:The invention discloses a network intrusion detection method which makes decomposition based on an inherent subsequence mode, including the following steps: 1, network data interception and pretreatment are done; 2, the sequence of a normal training set and a suspected sequence respectively go through the inherent sequence pattern mining, wherein, a sequence chart is established for the sequences; a closed path in the sequence chart is located and identified as a candidate sequence for the inherent subsequence mode; the inherent subsequence modes composing each candidate sequence are located according to the original sequence; 3, stratification is made in accordance with the support degree; 4, anomaly detection is done as follows: firstly, the inherent subsequence modes of the suspected sequence and the normal sequence respectively and independently form a plurality of layers in accordance with the respective support degree, then the inherent subsequence mode of the suspended sequence and the normal subsequence are matched in the corresponding layer, finally, the anomaly degree is calculated based on the number of matches so as to judge whether the suspected sequence is abnormal. The method overcomes the deficiencies in the prior art and can accurately and effectively identify the existing attacks and the increasing number of new attacks.

朱禹,沈海斌,周喜川

DOI: https://doi.org/10.3969/j.issn.1005-9490.2008.06.060

2008-01-01

Abstract:Comparing to the common anti-virus tools,we propose a new host-based approach for detecting unknown computer worms based on the measurement of computer behaviors,rather than recognizing specific instances of worms.We collected 323 features in order to reflect the computer behaviors and used a new feature selection method to reduce classified features.In the experiment,Bayesian Network theorem was applied on the several feature subsets to deduce the rule.We performed several experiments to evaluate the detection system,focusing on computer worms being injected in the computer while running several programs in order to simulate different background statuses.The average accuracy we achieved was above 80% for unknown worms sample and for known worms even above 99%.

ZHU Ying-ying,YE Mao,LIU Nai-qi,LI Zheng,ZHENG Kai-yuan

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.18.034

2008-01-01

Computer Engineering and Applications Journal

Abstract:Considering the shortcomings of Windows system intrusion detection and the advantages of the Linux system intrusion detection based on the sequence of the system call,a kernel-level host intrusion detection program based on the BP neural network algorithm to study and classify the sequence of Windows Native API is proposed in this paper.Experiment results prove that the sequence of Native API can be used for intrusion detection.Windows Native API means the kernel model API,which is similar to the Linux system call.The neural network is trained to learn the normal and abnormal sequence of Native API.In the intrusion detection,use the trained neural network to classify the emerging Native API sequence,and find whether the intrusion happens.

Yingying Zhu,Mao Ye,Naiqi Liu,Xin Zhao,Xue Li

DOI: https://doi.org/10.1109/icnc.2008.101

2008-01-01

Abstract:The problem of network intrusion detection is an active research issue. Based on the techniques of sequence data mining, we propose a completely new approach based on intrinsic subsequence to detect intrusions in the network connection data. An intrinsic subsequence means that all items in it are always present together as a whole in the sequence. The total number of an intrinsic subsequence appeared in a sequence is referred to as absolute support. The intrinsic subsequences with approximate absolute support form a layer A sequence is supposed to be composed of a set of intrinsic subsequences. And the anomalies are always shown as a composition of some unusual intrinsic subsequences. The abnormal sequence can be detected by decomposing the sequence into a number of layers and finding the differences of the corresponding layers between the normal and suspect sequence data. An original algorithm for intrusion detection by using the idea of decomposition is proposed. The experiments on the data sets of KDD 99 illuminate the utility and efficiency of our new approach.

高艳,管晓宏,孙国基,冯力

DOI: https://doi.org/10.3321/j.issn:0254-4164.2004.03.017

2004-01-01

Chinese Journal of Computers

Abstract:This paper presents an intrusion detection method based on the information obtained from real time key sequences. By analyzing the keystroke characteristics and algorithms for keystroke identification with a large numbers of experiments,a weighted Bayesian method using stroke sequences of particular keys as data source is developed. The keystroke models of normal users are established first and then applied to match the keystroke sequences of all users in real time to determine if intrusion taking place. This method can not only perform user authentication beyond login names and passwords, but also constantly monitor the dynamic behaviors of users’ keystroke processes to prevent abusive usage of a particular account of the false users. The paper also discusses the key issues of system implementation and presents the detection results from a real system. Experiments on 1912 login keystroke sequences of 15 users show that the weighted Bayesian method can achieve a false negative ratio of 0.58% and a false positive ratio of 1.64% for user verification, in comparison with the traditional Bayesian method with the about ratios of 2.90% and 6.38%,respectively.The experiments are also performed to test the capability for monitoring the dynamic behaviors of users’ keystroke processes.The results for 1147 keystroke sequences of the same 15 users show that authors’ method is better with the false negative ratios of 2.61% and false positive 5.73% in comparison with 3.77% and 7.36% for traditional Bayesian method.

Guojun Mao,Jing Zhang,Xindong Wu

DOI: https://doi.org/10.1109/wcica.2008.4593135

2008-01-01

Abstract:Computer intrusions are taking place everywhere, and have become a major concern for information security. Most intrusions to a computer system may result from illegitimate or irregular calls to the operating system, so analyzing the system-call sequences becomes an important and fundamental technique to detect potential intrusions. In this paper, we propose two algorithms, based on frequency patterns (FP) and tree patterns (TP) for intrusion detection respectively. FP employs a typical method of sequential mining based on frequency analysis, and uses a short sequence model to quickly find out frequent sequential patterns in the training system-call sequences. TP makes use of the technique of tree pattern mining, and can get a quality profile from the training system-call sequences of a given system. Experimental results show that FP has good performances in training and detecting intrusions from short system-call sequences, and TP can achieve a high detection precision in handling long sequences.

Feng Li,Sun Jie,Zhou Xiaoming,Yang Liwei,Pen Qinke

DOI: https://doi.org/10.3321/j.issn:0253-987x.2006.04.009

2006-01-01

Abstract:In order to detect more and more serious attacks against the Windows operating system (OS), a multi-step consistency model and exponential iteration detection algorithm (EIDA) based on Native API sequences were proposed to realize the detection of the anomaly intrusions from kernel space in Windows operating system. The system service dispatch table is captured by designing a virtual device so as to get the Native API information in real time. One step and two steps consistency models are built by the captured normal Native API data to describe the normal behavior of processes. In the detection process, the normal index of emerging Native API is measured continuously by EIDA. The normal indexes are analyzed through an alarm extraction algorithm, which uniquely determines the corresponding attack and provide administrator with guarantee to grasp the security situation of OS in time. The experiments under different Windows OS environment indicate that the proposed method has better accuracy.

朱莺嘤,叶茂,刘乃琦,吴康,郑凯元

DOI: https://doi.org/10.3969/j.issn.1002-137x.2008.11.020

2008-01-01

Computer Science

Abstract:Because of the high instantaneous frequency of the intrusion windows native API sequence,a novel method based on graph theory was proposed to solve the problem of the host-based intrusion detection.In our algorithm,each native API is considered as a node in the graph and the transfer of two native API is the edge between these two nodes.The route for a node is defined as the subsequence beginning from itself.The repetition of the same native API in the graph is referred to as a loop.The route of each node is recorded so that the loop can be found.When the loops are found,the weights of all edges in the loops are updated accordingly.The abnormal degree of a native API sequence can be computed using the weight difference of the neighborhood edges in the graph.Experiments on the windows platform illustrate that our method can detect the unknown intrusion and virus native API sequence efficiently.

LI Nai-jie,PENG Qin-ke

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.01.082

2007-01-01

Abstract:Anomaly detection algorithm for Windows platform is studied.A host process pattern extraction algorithm using Windows Native API sequences and based on decision tree is presented,and a wildcard is introduced in patterns,so the size of pattern set is reduced considerably.More over,transition probabilities between patterns are computed to build a global Markov Chain Model of pattern sequences,and related anomaly detection algorithm is presented.Experiments demonstrate that the algorithms can extract a pattern set of small size and high generalization ability,and can detect anomalies effectively.

Liu Yang,Wang Xuan,Long Hanlin,Tian Zhicheng,Qi Shuhan,Zhang Jiajia,Xia Wen,Tang Linlin

2021-01-01

Abstract:The invention discloses a malicious software detection method. The method comprises the following steps: determining to-be-detected target software; obtaining a system call name and a network activityevent of the target software; sorting the system call names and the network activity events of the target software in a unified mode according to timestamps, and generating aggregation dynamic characteristics of the target software through encoding; inputting the aggregation dynamic characteristics of the target software into a pre-trained target neural network model based on a sequence converterstructure to obtain an output result; and determining whether the target software is malicious software or not according to the output result. By applying the technical scheme provided by the invention, the malicious software in the terminal is effectively detected by combining the system call name of the software and the network activity event and utilizing the structure of the sequence converter, so that the normal operation of the terminal is prevented from being influenced, and the user experience is improved. The invention further discloses a malicious software detection device which hasthe corresponding technical effects.

ZHANG Cheng,PENG Qinke

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.07.050

2007-01-01

Abstract:A novel method is proposed to construct variable-length patterns by using dynamically extracting information from call stack of the process.This method uses the chains of function return addresses to derive a table of variable-length patterns,and reduces the pattern set based on the structure of functions of the process.Then a Markov chain model is constructed based on variable-length patterns to detect abnormal behaviors.The experimental results indicate that compared with the traditional variable-length pattern based method and the first-order Markov chain model method,the proposed method can achieve higher hit rates and lower false alarm rates.

ZHOU Xing,PENG Qin-ke,WANG Jing-bo

DOI: https://doi.org/10.3969/j.issn.1001-3695.2008.03.076

2008-01-01

Abstract:How to extract sequence patterns of system calls is an important research topic of system call based intrusion detection approaches.This paper proposed a new method to construct variable-length patterns by using the chains of function return addresses information from call stack of the process.Compared with Wang's method,this method could generate a more integrated set of patterns.Then,constructed a two-layer hidden Markov model(HMM) based on variable-length patterns to detect abnormal behaviors.Compared with the traditional HMM method,this method could achieve lower false negatives rate and false positives rate.

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

Xr Yang,Qb Song,Jy Shen

2001-01-01

Abstract:In this paper we present a frequent sequence patterns mining-based algorithm used for network intrusion detection, which is an application and extension of SPADE algorithm. It is based on the idea that much behavior on the network appear as sequences of activities, according to the sequence patterns we computed, we can construct the intrusion rule base and legal action rule base, then we can detect known and novel intrusion activities by rules' matching. In addition, when system is running, we use an incremental sequence patterns mining algorithm to complement the rule library in order to avoid re-executing the algorithm on the entire dataset, thereby reducing execution time. The experimental results indicate that this algorithm is efficient enough to meet the needs of active detect novel intrusion. Compared with most existing methods used in commercial systems which are built using purely knowledge engineering approaches, our algorithm is more intelligent and adaptive.

L Feng,XH Guan,SG Guo,Y Gao,PN Liu

DOI: https://doi.org/10.1016/j.cose.2004.01.016

IF: 5.105

2004-01-01

Computers & Security

Abstract:Identifying the intentions or attempts of the monitored agents through observations is very vital in computer network security. In this paper, a plan recognition method for predicting the anomaly events and the intentions of possible intruders to a computer system is developed based on the observation of system call sequences. The probability of the goal state for a system call sequence is defined as the prediction index to determine if the intention is normal. An efficient algorithm based on the dynamic Bayesian network theory with parameter compensation is derived and then applied to update the index recursively. Extensive empirical testing is performed on the data sets published in the literature and those collected in an actual computer system at our lab. The testing results showed that this method can identify the intrusion behaviors from the observed system call sequences with good accuracy.

Ruozhou LIANG,Yue GAO,Xibin ZHAO

DOI: https://doi.org/10.1360/ssi-2021-0252

2021-01-01

Scientia Sinica Informationis

Abstract:Advanced persistent threat (APT) in real scenes, especially in industrial scenes, is complex and long term, but the current methods cannot effectively extract the long term relationship in the attack. An attack detection method with provenance graphs, called SeqNet, is proposed. SeqNet uses sequence feature extraction to detect APT attacks. In SeqNet, the provenance graph sequence describing the running state of the system is transformed into the feature sequence first, and then the gate recurrent unit (GRU) model is used to extract the feature of the system. The encoder-decoder model with the local attention mechanism is used to train the GRU model. Finally, the K-means clustering method is used to model the normal behavior of the system. In this study, experiments are carried out on five public datasets, such as StreamSpot, wget, shellshock, ClearScope, and CADETS, compared with the state-of-the-art methods. The method used here achieves similar or improved results on all five datasets. Experimental results show that the proposed method can detect real-life APT scenarios.

ZHAO Tie-shan,LI Zeng-zhi,GAO Bo

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.05.003

2005-01-01

Abstract:Intrusion detection is an important part of computer security. It is a research hotspot. A time-based sequence model applying to intrusion detection is brought forward. In some period of time of a running computer system, mean value of an event's frequency in k audits is taken as expected value at k+1th audit. Relative error of the expected value and real value at k+1th audit is computed. If the relative error is bigger than some set threshold, an intrusion occurs at K+1th audit. Simulation results open out how to select threshold. If a large amount of intrusion events appear in a short time, the model works effectively.

Kangyi Li,Hang Mu,Caiming Yang,Jianmin Zhang,Naizheng Jin,Ji Xu

DOI: https://doi.org/10.1109/ispec53008.2021.9735648

2021-01-01

Abstract:Logic target attack and sequence target attack are two types of sophisticated and vicious cyber-attacks, which have not been paid a necessary attention in most critical part, i.e., the process layer network in digital substation. The relationships of such two types attack are explored, and networked structure of an intrusion detection & prevention system for the process layer network is proposed. A whitelist-based detection scheme is also proposed; firstly, the corresponding packets are described from the packet transfer path and the circuit breaker action packet; then, the different detection methods are used to check the packets; the simulation test results and verification show that the proposed method can detect an abnormal transmission path message and a replay attack with inserted circuit breaker action packet.

Yi-Ting Huang,Yeali S. Sun,Meng Chang Chen

DOI: https://doi.org/10.1371/journal.pone.0263644

IF: 3.7

2022-05-17

PLoS ONE

Abstract:In recent years, studies on malware analysis have noticeably increased in the cybersecurity community. Most recent studies concentrate on malware classification and detection or malicious patterns identification, but as to malware activity, it still relies heavily on manual analysis for high-level semantic descriptions. We develop a sequence-to-sequence (seq2seq) neural network, called TagSeq, to investigate a sequence of Windows API calls recorded from malware execution, and produce tags to label their malicious behavior. We propose embedding modules to transform Windows API function parameters, registry, filenames, and URLs into low-dimension vectors, while still preserving the closeness property. Moreover, we utilize an attention mechanism to capture the relations between generated tags and certain API invocation calls. Results show that the most possible malicious actions are identified by TagSeq. Examples and a case study demonstrate that the proposed embedding modules preserve semantic-physical relations and that the predicted tags reflect malicious intentions. We believe this work is suitable as a tool to help security analysts recognize malicious behavior and intent with easy-to-understand tags.

multidisciplinary sciences

Susu Cui,Cong Dong,Meng Shen,Yuling Liu,Bo Jiang,Zhigang Lu

DOI: https://doi.org/10.1109/tifs.2023.3300521

IF: 7.231

2023-08-22

IEEE Transactions on Information Forensics and Security

Abstract:Machine learning and neural networks have become increasingly popular solutions for encrypted malware traffic detection. They mine and learn complex traffic patterns, enabling detection by fitting boundaries between malware traffic and benign traffic. Compared with signature-based methods, they have higher scalability and flexibility. However, affected by the frequent variants and updates of malware, current methods suffer from a high false positive rate and do not work well for unknown malware traffic detection. It remains a critical task to achieve effective malware traffic detection. In this paper, we introduce CBSeq to address the above problems. CBSeq is a method that constructs a stable traffic representation, behavior sequence, to characterize attacking intent and achieve malware traffic detection. We novelly propose the channels with similar behavior as the detection object and extract side-channel content to construct behavior sequence. Unlike benign activities, the behavior sequences of malware and its variant's traffic exhibit solid internal correlations. Moreover, we design the MSFormer, a powerful Transformer-based multi-sequence fusion classifier. It captures the internal similarity of behavior sequence, thereby distinguishing malware traffic from benign traffic. Our evaluations demonstrate that CBSeq performs effectively in various known malware traffic detection and exhibits superior performance in unknown malware traffic detection, outperforming state-of-the-art methods.

computer science, theory & methods,engineering, electrical & electronic