Intrusion detection is one of the most important techniques for protecting computer security, and many intrusion-detection models have been proposed so far. As an important branch of intrusion detection, anomaly detection is attracting increasing attention. Since a sequence of system calls gives a stable signature for a Linux process, the behavior of processes can be explored by analyzing their system call sequences. In this thesis, two methods are therefore investigated for detecting abnormal process behavior under Linux using system call sequences. One is to learn behavior patterns and detect anomalous behavior using ART1, a neural network; the other is to use a Markov chain and probability prediction to do the same job. Preliminary experiments confirm that both methods are feasible, and that the latter is better because it takes the sequential relations among a process's system calls into account.
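As an added illustration of the second method (this is example code, not the thesis's own implementation), the following Python sketch trains a first-order Markov chain on constructed traces of normal system-call names and flags a new trace whose mean per-transition log-probability falls below the lowest score seen during training. The traces, the smoothing constant and the threshold rule are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample traces of system-call names (not real captures).
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "fstat", "read", "close"],
]
# Constructed trace whose transitions never occur in the training data.
SUSPECT_TRACE = ["open", "execve", "socket", "connect", "write"]


class MarkovCallModel:
    """First-order Markov chain over system-call sequences: P(next | current)."""

    def __init__(self, alpha=0.01):
        self.alpha = alpha                  # pseudo-count for unseen transitions
        self.trans = defaultdict(Counter)   # current call -> Counter of next calls
        self.calls = set()

    def fit(self, traces):
        for t in traces:
            self.calls.update(t)
            for cur, nxt in zip(t, t[1:]):
                self.trans[cur][nxt] += 1
        self.calls.add("<unk>")             # catch-all state for calls never seen
        return self

    def prob(self, cur, nxt):
        cur = cur if cur in self.calls else "<unk>"
        nxt = nxt if nxt in self.calls else "<unk>"
        row = self.trans.get(cur, Counter())
        total = sum(row.values()) + self.alpha * len(self.calls)
        return (row[nxt] + self.alpha) / total   # additive smoothing

    def score(self, trace):
        """Mean log-probability per transition; lower means less normal."""
        pairs = list(zip(trace, trace[1:]))
        if not pairs:
            return 0.0
        return sum(math.log(self.prob(c, n)) for c, n in pairs) / len(pairs)

    def threshold(self, traces):
        """Assumed rule: the lowest score among the normal training traces."""
        return min(self.score(t) for t in traces)


def is_anomalous(model, trace, thresh):
    return model.score(trace) < thresh
```

Scoring per transition rather than per trace keeps long and short traces comparable; in practice the threshold would be tuned against a held-out set of normal traces rather than taken as the training minimum.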