
Research On Anomaly Intrusion Detection Model Based On Program Behavior Profiles

Posted on: 2005-03-27
Degree: Master
Type: Thesis
Country: China
Candidate: T Li
GTID: 2168360122997925
Subject: Computer software and theory
Abstract/Summary:
An intrusion detection system is a high-level defence system for network security. This paper discusses a program-based anomaly detection approach, which takes advantage of both the ability of anomaly detection to detect novel attacks and the stability of program behavior, compared with other observables, in intrusion analysis. We design a program-based anomaly detection model under Unix and chiefly explain its pattern extraction module, detection module, and detection parameter amending module. A variable-length pattern extraction approach based on the Teiresias algorithm is adopted to model normal program behavior, and a two-step matching algorithm is applied to implement variable-length pattern matching. We apply a threshold-based intrusion decision measure to determine whether an intrusion has happened. In order to select detection parameters, we put forward a new matching algorithm to choose the scope of the threshold and run an experiment using the simulated data provided by the University of New Mexico. The results of the experiment indicate that false positives can be reduced effectively by suitably adjusting the value of the matching gene once the threshold has been fixed.
Keywords/Search Tags: Intrusion detection, Anomaly detection, Program behavior, System call sequence, Pattern matching, Matching gene