
Research With Intrusion Detection Method Based On The Conditions Airport

Posted on: 2015-01-23
Degree: Master
Type: Thesis
Country: China
Candidate: B R Niu
Full Text: PDF
GTID: 2268330425495813
Subject: Computer application technology
Abstract/Summary:
Intrusion detection is a technology that has been around for a long time and yet remains fresh. Wherever there is information technology there are computer intrusions, and wherever there are computer intrusions there is intrusion detection. Since its inception, intrusion detection has changed greatly, from simple to complex and from single methods to combinations of many.

The behaviour of most computer programs is contained in their PE files. A program does not act directly on the hardware; it uses the services the operating system provides by calling various API interfaces, so the API call sequence can be regarded as an abstraction of the program. Conditional random fields (CRFs) are a discriminative undirected graphical model proposed in recent years for natural language processing: they estimate the conditional distribution of a state sequence given an observable sequence and pick the state sequence with the highest conditional probability. Because they handle sequence data and rich feature labels together, CRFs are particularly suited to classification tasks that require contextual awareness.

In this thesis we use a machine learning method based on statistics and the conditional random field model, with PE files as the data source, to study intrusion detection:

(1) Obtain and analyze the header information of PE files and summarize the structural anomalies of PE files with respect to the PE file structure. From the anomalous items one can judge, before the program runs and without monitoring the program or unpacking it, whether a program is a virus file or has been infected and invaded by a virus.

(2) Extract the called API functions by analyzing the program's PE file, split the sequence into short sequences of length k, and match them against the attack tree. Then calculate the probability of occurrence and the malicious weight value for the nodes of the attack tree. Finally, calculate the danger index of the representative event for the root node of the attack tree to estimate the degree of similarity between the program and Trojans, and thereby judge whether the program is a Trojan or contains part of a Trojan, so as to detect and guard against Trojan attacks accurately.

(3) Combine the context information and domain knowledge of the API functions of PE files, choose the API call sequence as the observation sequence and the file category as the label sequence. Label each API function, and use a conditional random fields model trained on the training set to judge the category of every API function call. Then label every observation sequence of the API sequences waiting online and judge the category of the PE file according to the proportion of each label. Ultimately, combined with the structural anomaly analysis of virus files, the PE-file-based intrusion detection problem is converted into a binary classification between intrusion and non-intrusion, and better intrusion detection results are achieved.

(4) Design and implement an intrusion detection system model based on disk monitoring and analysis of the PE file structure.
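The k-gram and attack-tree scoring of step (2), as an added Python example that is not the thesis's own code: the tree, its AND/OR combination rule, the node weights and the two API call sequences are constructed assumptions, since the abstract does not give them.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Attack-tree node. Leaves carry an API k-gram (the "representative event");
# inner nodes combine their children as AND / OR. All weights are assumed values.
@dataclass
class Node:
    name: str
    weight: float                     # malicious weight in [0, 1] (assumed)
    op: str = "LEAF"                  # "LEAF", "AND" or "OR"
    pattern: Tuple[str, ...] = ()     # API k-gram matched by a leaf
    children: List["Node"] = field(default_factory=list)

def split_sequence(seq: List[str], k: int) -> List[Tuple[str, ...]]:
    """Split the extracted API call sequence into overlapping windows of length k."""
    return [tuple(seq[i:i + k]) for i in range(len(seq) - k + 1)]

def occurrence_probability(windows, pattern) -> float:
    """Fraction of the program's k-windows that match a leaf's k-gram."""
    if not windows:
        return 0.0
    return sum(1 for w in windows if w == pattern) / len(windows)

def danger_index(node: Node, windows) -> float:
    """Leaf = P(occurrence) * weight; AND = weight * min(children), because every
    step must be present; OR = weight * max(children). Root value is the danger index."""
    if node.op == "LEAF":
        return occurrence_probability(windows, node.pattern) * node.weight
    scores = [danger_index(c, windows) for c in node.children]
    combine = min if node.op == "AND" else max
    return node.weight * combine(scores)

def is_trojan_like(seq: List[str], tree: Node, k: int = 2, threshold: float = 0.1) -> bool:
    """Assumed decision rule: flag the program when the root danger index reaches the threshold."""
    return danger_index(tree, split_sequence(seq, k)) >= threshold

# Constructed attack tree: remote code injection is an AND of two consecutive-call
# steps; dynamic API resolution on its own is only weak evidence.
TREE = Node("trojan-like behaviour", 1.0, "OR", children=[
    Node("remote code injection", 0.9, "AND", children=[
        Node("alloc-then-write", 0.7, pattern=("VirtualAllocEx", "WriteProcessMemory")),
        Node("write-then-thread", 0.9, pattern=("WriteProcessMemory", "CreateRemoteThread")),
    ]),
    Node("dynamic API resolution", 0.3, "OR", children=[
        Node("resolve-import", 0.5, pattern=("LoadLibraryA", "GetProcAddress")),
    ]),
])
# Constructed API call sequences standing in for ones extracted from PE import tables.
SUSPICIOUS = ["LoadLibraryA", "GetProcAddress", "OpenProcess", "VirtualAllocEx",
              "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"]
BENIGN = ["GetModuleHandleA", "GetCommandLineA", "MessageBoxA", "ExitProcess"]
```

With k=2 the suspicious sequence yields six windows, each injection leaf occurs in 1/6 of them, and the root danger index comes out at 0.105, while the benign sequence scores 0.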
Keywords/Search Tags: Intrusion detection, PE virus, API call sequence, Attack tree, CRFs