
Software Abnormal Behavior Detection Based On Sequential Pattern Mining

Posted on: 2012-04-20
Degree: Master
Type: Thesis
Country: China
Candidate: N P Huang
GTID: 2218330371952004
Subject: Computer software and theory
Abstract/Summary:
With the continuous development of computer technology and the extensive use of the Internet, the software operating environment has gradually turned from a static, closed environment into an open, dynamic one, and software systems have changed from centralized systems to distributed systems. In an open network environment, the physical entities of running software need to be aggregated on demand in the interim and must complete their task while satisfying the constraints. Because this interaction is highly sporadic, its results are difficult to predict, so monitoring and forecasting software behavior is more difficult than before. At run time there is no need to test the software in order to grasp and control the related information; online diagnostics and prediction are run on this information, and the software is then regulated. Capturing the running path shows the running details of the system visually, which provides a quantitative basis and reliable protection for analyzing system behavior, locating system failures, optimizing the critical path, and finding system bottlenecks. We propose a method based on BCI (ByteCode Instrumentation) technology and sequential pattern mining: probe code is injected into the target bytecode so that the target system is monitored dynamically at run time, without changing the target system's files.
After the software information is collected, we process the data with a sequential pattern mining method. The detection of abnormal software behavior described in this article is divided into three steps. First, data associated with the software's running behavior is obtained through BCI (ByteCode Instrumentation) technology; this data includes father-son thread pair messages and thread class running messages. Then, two types of behavior pattern, the sequence pattern of father-son thread pairs and the sequence pattern of thread class behavior, are extracted from the mass of software behavior data through data mining, and a library of software behavior rules is established. Finally, the sequence of the software to be detected is compared with the behavior patterns in the library to determine whether the software behavior sequence is abnormal. Bringing sequential pattern mining into software abnormal behavior detection removes the need for hard and cumbersome manual analysis and coding of the software anomaly model, and building the characteristics of normal behavior no longer requires selecting statistical methods on the basis of professional knowledge and experience as before, so anomaly detection becomes more automated. Because the same data mining tools can be used for different data streams, the software anomaly detection system also becomes more adaptive.
Keywords/Search Tags:abnormal behavior detection, sequence model mining, running trace catching, ByteCode Instrumentation
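The second and third steps of the abstract (mining a library of behavior patterns, then comparing a new sequence against it) can be sketched as follows. This is an added example, not code from the thesis: the PrefixSpan-style miner, the window-matching rule, the event names, and the MIN_SUP and WINDOW values are all assumptions chosen for illustration.

```python
# Added illustration: PrefixSpan-style mining plus window matching.
# Event names, MIN_SUP and WINDOW are constructed assumptions.

def mine_patterns(db, min_sup, max_len):
    """Return {pattern: support} for subsequences (gaps allowed) that
    occur in at least min_sup traces of db, up to length max_len."""
    patterns = {}

    def grow(prefix, projected):
        # projected holds (trace index, offset of the remaining suffix)
        counts = {}
        for sid, pos in projected:
            for item in set(db[sid][pos:]):
                counts[item] = counts.get(item, 0) + 1
        for item, sup in counts.items():
            if sup < min_sup:
                continue
            pat = prefix + (item,)
            patterns[pat] = sup
            if len(pat) < max_len:
                # project each trace past the first occurrence of item
                nxt = [(sid, db[sid].index(item, pos) + 1)
                       for sid, pos in projected if item in db[sid][pos:]]
                grow(pat, nxt)

    grow((), [(i, 0) for i in range(len(db))])
    return patterns

def anomaly_score(trace, library, window):
    """Share of contiguous windows with no matching mined pattern."""
    wins = [tuple(trace[i:i + window]) for i in range(len(trace) - window + 1)]
    missing = [w for w in wins if w not in library]
    return (len(missing) / len(wins) if wins else 0.0), missing

# Constructed traces of one thread class, recorded during normal runs.
NORMAL = [
    ["start", "open", "read", "parse", "write", "close", "exit"],
    ["start", "open", "read", "read", "parse", "write", "close", "exit"],
    ["start", "open", "read", "parse", "close", "exit"],
    ["start", "open", "read", "parse", "write", "write", "close", "exit"],
]
MIN_SUP, WINDOW = 2, 3
LIBRARY = mine_patterns(NORMAL, MIN_SUP, WINDOW)

if __name__ == "__main__":
    # Constructed trace under test: a write happens before the open.
    suspect = ["start", "write", "open", "read", "parse", "close", "exit"]
    score, missing = anomaly_score(suspect, LIBRARY, WINDOW)
    print(f"score={score:.2f} unmatched windows={missing}")
```

A trace would be flagged when its score exceeds a threshold tuned on held-out normal runs; the threshold is likewise an assumption, since the abstract does not state how the comparison is scored.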