
Research On Intrusion Detection Based On Markov Chain

Posted on: 2005-07-02
Degree: Master
Type: Thesis
Country: China
Candidate: Q B Yin
Full Text: PDF
GTID: 2168360125471049
Subject: Computer application technology

Abstract/Summary:
Intrusion detection is an important component of a defense-in-depth network security framework and has been a hot topic in computer network security in recent years. At present, most attacks exploit vulnerabilities or flaws in privileged processes. A program profile can be generated by monitoring program execution and capturing the system calls the program issues. Compared with user behavior profiles, program profiles are more stable over time because the range of program behavior is more limited. Furthermore, it is more difficult for an attacker to perform intrusive activity without leaving traces in the execution logs. Program profiles therefore provide concise and stable evidence for intrusion detection.

Almost all prior research on learning program behavior has used short sequences of system calls as the observable and has built a large database of system call sequences for each program. A program's normal behavior is characterized by the local ordering of its system calls, and deviations from these local patterns are treated as violations by the executing program. In that approach each sequence is treated as an independent feature, and the relationships between features are not discovered; when only limited data are available for training, the detection capability is therefore very limited.

In this thesis a new method based on linear prediction and a Markov chain model is proposed for learning program behavior in intrusion detection. Treating the system calls of privileged programs as time series, linear prediction is used to extract features from the system call sequences of those processes, and these features make up the feature database of the processes. A Markov chain model is then built on the features, and Markov information-source entropy and conditional entropy are used to select parameters and optimize the model. The merits of the model are that it is simple and predicts accurately.

Experiments show that the method is effective, runs in real time with a light load, and can be used in practice to monitor a computer system in real time.
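As an added illustration (not the thesis's own code or data), the following Python block shows the Markov-chain half of the approach: it estimates first-order transition probabilities between system calls from constructed normal traces of a privileged process, computes the entropy of the resulting Markov information source, and scores sliding windows of a trace by their mean negative log-probability so that a transition the model has never seen (here a constructed `read` followed by `execve`) stands out against a threshold calibrated on the training traces. The linear-prediction feature-extraction stage described in the abstract is not reproduced; the chain is built directly over system-call names, and the traces, window length, smoothing constant and threshold margin are assumptions chosen for illustration.

```python
"""First-order Markov chain over system-call sequences for anomaly detection.

Added example; not code from the thesis. All traces below are constructed
for illustration and are not real audit data.
"""
import math
from collections import Counter, defaultdict

# Constructed "normal" traces of a hypothetical privileged daemon:
# open a file, read it in chunks, write results, close.
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close", "open", "read", "close"],
    ["open", "read", "read", "read", "write", "close"],
    ["open", "write", "close"],
]

# Constructed attack trace: a read is followed by execve (shell spawn),
# a transition that never occurs in the training data.
ATTACK_TRACE = ["open", "read", "execve", "read", "close"]


class SyscallMarkovChain:
    """Transition model P(next call | current call) with additive smoothing."""

    UNK = "<unk>"  # catch-all state for calls never seen in training

    def __init__(self, traces, alpha=0.01):
        self.alpha = alpha  # assumed smoothing constant
        self.states = sorted({s for t in traces for s in t} | {self.UNK})
        self.counts = defaultdict(Counter)  # counts[a][b] = #transitions a->b
        self.state_freq = Counter()          # occurrences of a as a source state
        for t in traces:
            for a, b in zip(t, t[1:]):
                self.counts[a][b] += 1
                self.state_freq[a] += 1

    def _state(self, s):
        return s if s in self.states else self.UNK

    def prob(self, a, b):
        """Smoothed transition probability; rows sum to 1 over self.states."""
        a, b = self._state(a), self._state(b)
        row = self.counts.get(a, Counter())
        total = sum(row.values())
        return (row[b] + self.alpha) / (total + self.alpha * len(self.states))

    def entropy_rate(self):
        """Entropy of the Markov source in bits per system call:
        H = -sum_a pi(a) sum_b P(a,b) log2 P(a,b), with pi estimated from
        how often each call appears as a source state."""
        total = sum(self.state_freq.values())
        h = 0.0
        for a, cnt in self.state_freq.items():
            pi_a = cnt / total
            for b in self.states:
                p = self.prob(a, b)
                h -= pi_a * p * math.log2(p)
        return h

    def surprise(self, trace):
        """Mean negative log2-probability per transition (higher = more unusual)."""
        pairs = list(zip(trace, trace[1:]))
        if not pairs:
            return 0.0
        return -sum(math.log2(self.prob(a, b)) for a, b in pairs) / len(pairs)

    def window_scores(self, trace, window=3):
        """Surprise of every length-`window` slice; an online monitor would
        compute the newest slice as each call arrives."""
        if len(trace) <= window:
            return [self.surprise(trace)]
        return [self.surprise(trace[i:i + window])
                for i in range(len(trace) - window + 1)]


def fit_threshold(model, traces, window=3, margin=1.0):
    """Highest window surprise seen on normal traces plus an assumed margin."""
    return max(max(model.window_scores(t, window)) for t in traces) + margin


def detect(model, trace, threshold, window=3):
    """True if any window of the trace is more surprising than the threshold."""
    return max(model.window_scores(trace, window)) > threshold


if __name__ == "__main__":
    model = SyscallMarkovChain(NORMAL_TRACES)
    thr = fit_threshold(model, NORMAL_TRACES)
    print(f"entropy rate: {model.entropy_rate():.3f} bits/call, threshold {thr:.2f}")
    for name, trace in [("normal", NORMAL_TRACES[1]), ("attack", ATTACK_TRACE)]:
        print(name, [round(s, 2) for s in model.window_scores(trace)],
              "ALERT" if detect(model, trace, thr) else "ok")
```

The threshold here is deliberately simplistic (training maximum plus a fixed margin); in practice it would be calibrated on held-out normal traces, and the smoothing constant controls how much an unseen transition is penalized relative to a rare but legitimate one.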
Keywords/Search Tags: network security, intrusion detection, Markov chain