
Host-based Anomaly Detection Behavior

Posted on: 2012-05-17 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: G Y Lin | Full Text: PDF
GTID: 1268330425483560 | Subject: Computer software and theory
Abstract/Summary:
With the development of network technology, people depend on networks more and more, and the related computer and network security problems are becoming more and more serious. An intrusion detection system is an important part of the security architecture: it is the basis of intrusion response technology and also provides reference information for preventing further intrusions. In recent years, much intrusion detection research has been carried out on network data. But as network bandwidth and traffic grow, and as people increasingly live and manage information through a variety of network applications, the traditional detection methods that work on the underlying data have gradually exposed problems and difficulties, such as failing to detect the ever-changing kinds of intrusion behavior promptly or accurately. Therefore, application-level intrusion detection came into being, and it is an important research direction of intrusion detection technology.

In order to explore methods and techniques for detecting abnormal host behavior, this dissertation mainly focuses on the study of abnormal behavior on the host. First, we carried out the foundational work of behavior detection: behavior feature selection. By studying feature selection algorithms that pick out the features which precisely characterize the behavior, we obtained the feature conditions for detecting the various kinds of abnormal behavior. Then, the dissertation focuses on three levels of host behavior, from low to high and from the inside to the outside of the host. The behavior of software running on the host is a relatively low-level behavior, while a user's behavior in using the computer is a high-level composite behavior, because of the overall number of programs involved in that behavior.
In addition, the Web browser is a communication bridge between the host and the network, and its access behavior toward resources on the host is the external behavior of the host, flowing from the Internet into the host.

The main contents and contributions of this dissertation are summarized as follows:

(1) Behavior feature selection research based on information theory. Considering the diversity of behavior attributes, and building on a discussion of information theory, a method is proposed that uses conditional entropy to calculate the correlation degree between the various attributes and the various types of attacks. Then the interaction entropy is calculated as the degree of interdependence between those attributes that have a higher correlation degree. The greater the interdependence between two attributes, the more their information overlaps, so one of them is the more redundant attribute and cannot be selected as a behavior feature. The attributes with a higher correlation degree and less redundant information are the fine behavior features. This method not only maintains the accuracy of feature selection but also further reduces the amount of computation. Experiments show that it can improve detection efficiency to a certain extent.

(2) Detection technology for abnormal software behavior. Concerning abnormal process behavior, the system call sequence is often thought of as the best characterization of software behavior. A new concept of behavior pattern is proposed, which must meet a certain degree of support. Although a behavior pattern is defined as a short sequence of system calls under normal conditions, its length is not limited. On the basis of behavior patterns, the traditional HMM model is improved into a model called IHMM. Then, we put forward the DBCPIDS detection model. Before detection, all global behavior characterization patterns are mined, and then the IHMM model is trained in order to establish an improved hidden Markov chain.
The model combines the global behavior characterization patterns with local dynamic behavior, which makes it suitable for online detection. Experiments show that the detection model has better real-time performance, a higher detection rate, a lower false alarm rate, and a better ability to adapt to environmental changes.

(3) Anomaly detection model of user behavior. In order to describe user behavior well, this detection model is built on users' habits of using programs. Drawing on the concepts of ontology and semantics from ontology theory, a behavior semantic diagram is established from the user's daily habits of using computer programs or services. In the diagram, each used program is a node, and the order in which programs are used gives the directed edges, which are called behavior semantic relations. Every semantic relation is assigned an appropriate degree of importance. While detecting abnormal behavior, the programs used by the user are captured in real time, and a semantic graph of the phase behavior is constructed. The deviation of the phase behavior semantic graph from the normal global semantic diagram is calculated, and when the deviation exceeds a certain limit, the behavior is identified as abnormal. Experiments show that the behavior semantic diagram can describe a person's habits of using the computer and detect abnormal behavior, with a preferable detection rate and accuracy.

(4) Detection of browsers' abnormal behavior in using host resources by a multi-evidence fusion method. Because the range of browser functions keeps increasing, the browser's behavior patterns are analyzed. Then CPU usage and four other features are selected as evidence of browser behavior, and the basic belief degree corresponding to each of the five features is calculated. According to D-S evidence fusion theory, the five pieces of basic evidence of abnormal behavior are fused into new evidence.
To determine whether the behavior is abnormal, how much the new evidence supports abnormal behavior is checked. Experiments show that the algorithm can discover attacks through abnormal browser behavior well.
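Contribution (1) selects features by correlation with the attack class (conditional entropy) and then discards the more redundant of two strongly interdependent attributes. The following is an added illustration, not code from the dissertation: the audit records, attribute names and the two thresholds are constructed, and mutual information I(label; attr) = H(label) - H(label | attr) is used as the correlation degree, with mutual information between attribute pairs, normalised by the smaller entropy, as the interdependence degree.

```python
from collections import Counter
from math import log2

# Constructed sample audit records (not the dissertation's data set): one
# row per observed connection, with a label giving the attack class.
DATA = {
    "proto":      ["tcp", "tcp", "tcp", "udp", "udp", "tcp", "icmp", "icmp"],
    "flag":       ["SYN", "SYN", "SYN", "ACK", "ACK", "ACK", "SYN", "SYN"],
    "size":       ["small", "small", "large", "small", "large", "large", "small", "large"],
    "proto_copy": ["tcp", "tcp", "tcp", "udp", "udp", "tcp", "icmp", "icmp"],  # exact duplicate of proto
}
LABELS = ["dos", "dos", "dos", "normal", "normal", "normal", "probe", "probe"]


def entropy(values):
    """Shannon entropy H(X) in bits of a list of discrete values."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def conditional_entropy(target, attr):
    """H(target | attr): uncertainty left in target once attr is known."""
    n = len(target)
    total = 0.0
    for value, count in Counter(attr).items():
        subset = [t for t, a in zip(target, attr) if a == value]
        total += count / n * entropy(subset)
    return total


def mutual_information(x, y):
    """I(X; Y) = H(X) - H(X | Y); symmetric and zero when X, Y are independent."""
    return entropy(x) - conditional_entropy(x, y)


def redundancy(x, y):
    """Normalised interdependence in [0, 1]: 1.0 means one attribute fully
    determines the other, so keeping both adds no information."""
    base = min(entropy(x), entropy(y))
    return mutual_information(x, y) / base if base > 0 else 0.0


def select_features(data, labels, min_relevance=0.5, max_redundancy=0.9):
    """Two-stage selection: keep attributes whose correlation with the attack
    class is at least min_relevance, then walk them in decreasing relevance
    and drop any attribute whose redundancy with an already selected one
    exceeds max_redundancy (thresholds are constructed for this example)."""
    relevance = {name: mutual_information(labels, col) for name, col in data.items()}
    candidates = [n for n in data if relevance[n] >= min_relevance]
    candidates.sort(key=lambda n: relevance[n], reverse=True)  # stable sort: ties keep dict order
    selected = []
    for name in candidates:
        if all(redundancy(data[name], data[s]) <= max_redundancy for s in selected):
            selected.append(name)
    return selected


if __name__ == "__main__":
    for name, col in DATA.items():
        print(f"{name:10s} I(label; attr) = {mutual_information(LABELS, col):.3f}")
    print("selected:", select_features(DATA, LABELS))
```

On this input `size` is dropped for low correlation with the label, `proto_copy` is dropped as fully redundant with `proto`, and `flag` survives because its overlap with `proto` is only partial.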
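Contribution (2) mines short system call sequences that meet a support threshold and then trains a Markov model for online detection. As an added example (not the dissertation's DBCPIDS or IHMM code), the block below mines such patterns from constructed normal traces and scores a captured trace in two ways: the share of its windows that are known patterns, and its mean surprise under a first-order Markov chain with add-one smoothing, which stands in here for the dissertation's improved HMM. The trace contents, window lengths and thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed normal-run system call traces (not the dissertation's data set).
NORMAL_TRACES = [
    "open read read write close".split(),
    "open read write close".split(),
    "open read read read write close".split(),
    "socket connect send recv close".split(),
    "socket connect send recv recv close".split(),
]


def windows(trace, min_len=2, max_len=3):
    """All contiguous sub-sequences of trace with length in [min_len, max_len]."""
    for k in range(min_len, max_len + 1):
        for i in range(len(trace) - k + 1):
            yield tuple(trace[i:i + k])


def mine_patterns(traces, min_support=0.4, max_len=3):
    """Global behavior characterization patterns: short call sequences present
    in at least min_support of the normal traces (support counted per trace)."""
    counts = Counter()
    for trace in traces:
        counts.update(set(windows(trace, 2, max_len)))
    return {p for p, c in counts.items() if c / len(traces) >= min_support}


def train_markov(traces):
    """First-order Markov chain over system calls. One extra alphabet slot in
    the smoothing reserves probability mass for calls never seen in training."""
    trans = defaultdict(Counter)
    alphabet = set()
    for trace in traces:
        alphabet.update(trace)
        for a, b in zip(trace, trace[1:]):
            trans[a][b] += 1
    return {"trans": trans, "vocab": len(alphabet) + 1}


def transition_prob(model, a, b):
    """P(b | a) with add-one smoothing; unknown a yields a flat distribution."""
    row = model["trans"].get(a, Counter())
    return (row[b] + 1) / (sum(row.values()) + model["vocab"])


def detect(trace, patterns, model, min_coverage=0.6, max_surprise=3.0, max_len=3):
    """Online check of one captured trace. coverage = share of its windows that
    are mined patterns; surprise = mean bits per transition under the chain.
    The trace is flagged when coverage is too low or surprise too high."""
    wins = list(windows(trace, 2, max_len))
    coverage = sum(w in patterns for w in wins) / len(wins) if wins else 0.0
    steps = list(zip(trace, trace[1:]))
    surprise = (sum(-log2(transition_prob(model, a, b)) for a, b in steps) / len(steps)
                if steps else 0.0)
    abnormal = coverage < min_coverage or surprise > max_surprise
    return abnormal, coverage, surprise


if __name__ == "__main__":
    patterns = mine_patterns(NORMAL_TRACES)
    model = train_markov(NORMAL_TRACES)
    for t in ("open read write close", "open read write execve socket send close"):
        print(t, "->", detect(t.split(), patterns, model))
```

Counting support per trace rather than per window keeps one long, repetitive trace from dominating the pattern set; the unseen call `execve` in the second trace lowers coverage and raises surprise at the same time, which is the combination of global patterns and local dynamics the text describes.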
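Contribution (3) models a user's habits as a directed graph of program-usage order with an importance on each edge, and flags a phase of captured behavior whose deviation from that global graph exceeds a limit. The block below is an added example, not the dissertation's model: the daily sessions are constructed, importance is taken as the share of a program's outgoing transitions that lead to the next program, and deviation is the share of the phase's transitions that the global graph does not support (edge absent or below a minimum importance). Those two definitions and the limit are assumptions.

```python
from collections import Counter

# Constructed daily program-usage sessions for one user (not the dissertation's data).
DAILY_SESSIONS = [
    ["browser", "mail", "editor", "browser"],
    ["browser", "editor", "terminal", "editor"],
    ["mail", "browser", "editor"],
    ["browser", "mail", "browser", "terminal"],
]


def build_semantic_graph(sessions):
    """Global behavior semantic diagram: nodes are programs, a directed edge
    a -> b means the user opened b after a. Importance of an edge is the
    share of a's outgoing transitions that go to b (so it lies in [0, 1])."""
    edge_count = Counter()
    out_count = Counter()
    for session in sessions:
        for a, b in zip(session, session[1:]):
            edge_count[(a, b)] += 1
            out_count[a] += 1
    return {(a, b): c / out_count[a] for (a, b), c in edge_count.items()}


def phase_graph(program_events):
    """Semantic graph of one captured phase of behavior: edge -> occurrence count."""
    return Counter(zip(program_events, program_events[1:]))


def deviation(global_graph, phase, min_importance=0.1):
    """Share of the phase's transitions the global diagram does not support:
    an edge is unsupported when absent or below min_importance."""
    total = sum(phase.values())
    if total == 0:
        return 0.0
    unsupported = sum(c for edge, c in phase.items()
                      if global_graph.get(edge, 0.0) < min_importance)
    return unsupported / total


def is_abnormal(global_graph, program_events, limit=0.5):
    """Flag a captured phase whose deviation exceeds the limit."""
    return deviation(global_graph, phase_graph(program_events)) > limit


if __name__ == "__main__":
    graph = build_semantic_graph(DAILY_SESSIONS)
    for edge, importance in sorted(graph.items()):
        print(f"{edge[0]:8s} -> {edge[1]:8s} importance {importance:.2f}")
    for phase in (["browser", "mail", "browser", "editor"],
                  ["browser", "mail", "regedit", "terminal"]):
        print(phase, "deviation", round(deviation(graph, phase_graph(phase)), 3),
              "abnormal" if is_abnormal(graph, phase) else "normal")
```

Because importance is conditional on the source program, a rarely used program does not get its habitual next step marked as unusual merely for being rare; only transitions the user has never or almost never made raise the deviation.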
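Contribution (4) computes a basic belief degree for each of five browser features and fuses them with Dempster-Shafer evidence theory before checking how strongly the fused evidence supports "abnormal". The following added example implements Dempster's rule of combination over the two-element frame {normal, abnormal}; it is not the dissertation's algorithm. The page names only CPU usage, so the other four feature names, the mapping from a feature's deviation score and reliability to its mass function, the observation values and the decision threshold are all constructed assumptions.

```python
from collections import defaultdict

ABNORMAL = frozenset({"abnormal"})
NORMAL = frozenset({"normal"})
THETA = ABNORMAL | NORMAL  # frame of discernment


def bpa(score, reliability):
    """Basic probability assignment for one feature. score in [0, 1] says how
    far the observed feature sits from its normal profile; reliability in
    [0, 1] is how much mass the feature may commit, the rest staying on THETA
    as ignorance. This mapping is an assumption, not the dissertation's formula."""
    return {ABNORMAL: reliability * score,
            NORMAL: reliability * (1 - score),
            THETA: 1 - reliability}


def combine(m1, m2):
    """Dempster's rule: products of intersecting focal elements, renormalised
    by the mass that fell on conflicting (disjoint) pairs."""
    fused = defaultdict(float)
    conflict = 0.0
    for a, pa in m1.items():
        for b, pb in m2.items():
            inter = a & b
            if inter:
                fused[inter] += pa * pb
            else:
                conflict += pa * pb
    if conflict >= 1.0:
        raise ValueError("evidence is in total conflict")
    return {k: v / (1 - conflict) for k, v in fused.items()}


def belief(m, hyp):
    """Bel(hyp): mass of all focal elements contained in hyp."""
    return sum(v for s, v in m.items() if s <= hyp)


def plausibility(m, hyp):
    """Pl(hyp): mass of all focal elements that do not contradict hyp."""
    return sum(v for s, v in m.items() if s & hyp)


def fuse(evidence):
    """Fuse {feature: (score, reliability)} into one mass function."""
    masses = [bpa(score, rel) for score, rel in evidence.values()]
    result = masses[0]
    for m in masses[1:]:
        result = combine(result, m)
    return result


def judge(evidence, threshold=0.7):
    """Return (is_abnormal, Bel(abnormal), Pl(abnormal)) for one observation."""
    m = fuse(evidence)
    bel = belief(m, ABNORMAL)
    return bel > threshold, bel, plausibility(m, ABNORMAL)


# Constructed observations of one browser process: CPU usage plus four other
# hypothetical resource features, each as (deviation score, reliability).
SUSPICIOUS = {"cpu": (0.9, 0.8), "memory": (0.6, 0.7), "network": (0.8, 0.9),
              "file_io": (0.3, 0.6), "threads": (0.7, 0.8)}
BENIGN = {name: (0.1, 0.8) for name in SUSPICIOUS}

if __name__ == "__main__":
    for label, obs in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        flagged, bel, pl = judge(obs)
        print(f"{label}: Bel(abnormal)={bel:.3f} Pl(abnormal)={pl:.3f} -> {flagged}")
```

Dempster's rule is commutative and associative, so the order in which the five features are fused does not change the result; the gap between belief and plausibility is the ignorance the features left unassigned, and a decision on belief rather than plausibility is the conservative choice for raising an alert.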
Keywords/Search Tags: Intrusion detection, feature selection, abnormal behavior, information theory, characteristic patterns, behavior semantic relations, theory of evidence