
An Intrusion Detection System Based On Dynamic Call Sequence Analysis With Hidden Markov Model

Posted on: 2020-07-12
Degree: Master
Type: Thesis
Country: China
Candidate: J H Wang
GTID: 2428330578479409
Subject: Computer technology

Abstract/Summary:
Intrusion detection collects and analyzes information from key points in a computer host or network system and determines whether the security policy has been violated or whether there are signs of attack in the host or network. Anomaly detection is one of the intrusion detection methods; it assumes that an intruder's activities differ from those of the normal subject. The difficulty of this method lies in how to build a library of normal behavior profiles and how to design statistical algorithms that effectively detect abnormal behavior.

The execution path of a program can be represented by a call sequence, and intrusion detection can be performed by analyzing that call sequence: when a call sequence behaves abnormally, a malicious intrusion may be under way. Call sequence analysis can be divided into static analysis and dynamic analysis. Static analysis analyzes the source code model of the monitored program directly, while dynamic analysis monitors and analyzes the phenomena that appear while the program runs, without considering the internal structure and internal characteristics of the program when building the model.

This paper aims to design and implement an offline intrusion detection system based on anomaly detection over the dynamic call sequences of programs, used to detect intrusions into applications running under Linux. The system combines static analysis with dynamic analysis and trains a high-order hidden Markov model that represents the normal behavior of the program. The static analysis results are used to initialize the high-order HMM, while the dynamic call sequence is used to train the model.

The static source code analysis module extracts information from the source code of the program to be monitored and analyzes the possible sequences of audit events. It comprises four sub-modules: a function CFG extraction module, a branch prediction module, a call statistics module and an aggregation module. From the source code of the monitored program, the function call relationships are obtained by static analysis with the help of the compiler's lexical analysis, syntax analysis, semantic analysis and branch prediction tools; all system call/library function calls contained in each function are located precisely, together with all possible transfer relations between system calls/library calls; the likelihood of each transfer relation is quantified according to the branch prediction results; and finally the transfer relations of audit events are obtained. The output of this module is used as the input parameter of the training module to initialize the hidden Markov model.

While the application runs, the sequence of system calls/library function calls is captured. Since each observation state represents one call, the call sequence is exactly the observation sequence of the model. In this paper, the classical Baum-Welch parameter estimation algorithm is used to modify the initial model parameters, which realizes the learning process of the model. After learning, a new hidden Markov model is obtained that describes the behavior of normal users more accurately. In practical use, the deviation between an observed function call/system call sequence and the model is quantified through the mathematical model obtained by training, and the behavior is then classified according to the degree of deviation: behavior with a large deviation is judged to be abnormal.

Compared with existing intrusion detection systems, this system has the following characteristics:
(1) It alleviates the problem that static analysis is difficult to quantify and scales poorly.
(2) It alleviates the problem of sample description deviation in the dynamic analysis of normal behavior, avoiding complete dependence on the training samples during model construction.
(3) Some properties of the state transition probabilities of the hidden Markov model are exploited; the system uses an improved high-order hidden Markov model that considers both efficiency and accuracy.
(4) The method proposed in this paper makes full use of the intermediate results of the analysis process, which expands the dimensions of detection and improves its reliability.
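The train-then-score procedure described in the abstract (Baum-Welch over normal call sequences, then judging a new sequence by its deviation from the model), as an added example that is not the thesis author's code. It uses a first-order HMM with a seeded random start rather than the thesis's high-order model initialized from static analysis; the sample traces are constructed, and the number of hidden states, the probability floor for never-seen calls and the threshold margin are assumptions. The deviation measure is the average log-likelihood per call, and a trace is flagged when it falls below the worst normal training score by more than the margin.

```python
"""Anomaly detection over system-call traces with a discrete hidden Markov
model trained by Baum-Welch.  Added example, not code from the thesis: the
traces are constructed; the state count, the seeded random initialisation
(the thesis initialises from static analysis instead), the probability floor
and the threshold margin are assumptions."""
import math
import random

UNK = "<unk>"  # bucket for any call the normal profile never emitted


class CallHMM:
    def __init__(self, calls, n_states=3, floor=1e-3, seed=0):
        self.vocab = {c: i for i, c in enumerate(sorted(set(calls)) + [UNK])}
        self.n, self.m, self.floor = n_states, len(self.vocab), floor
        rng = random.Random(seed)

        def rand_row(k):  # near-uniform start so Baum-Welch can tell states apart
            return self._norm([1.0 + rng.random() for _ in range(k)])

        self.pi = rand_row(self.n)
        self.A = [rand_row(self.n) for _ in range(self.n)]  # state transitions
        self.B = [rand_row(self.m) for _ in range(self.n)]  # call emissions

    @staticmethod
    def _norm(v):
        s = sum(v)
        return [x / s for x in v] if s > 0 else [1.0 / len(v)] * len(v)

    def _floored(self, counts):
        # Normalise expected counts, then keep every probability above the
        # floor so an unseen call scores very low instead of producing log(0).
        return self._norm([max(p, self.floor) for p in self._norm(counts)])

    def encode(self, seq):
        return [self.vocab.get(c, self.vocab[UNK]) for c in seq]

    def _forward(self, obs):
        """Scaled forward pass: alpha[t][i] = P(state i | calls 0..t);
        scale[t] is the normaliser, so log P(trace) = sum(log scale)."""
        alpha, scale = [], []
        for t, o in enumerate(obs):
            if t == 0:
                a = [self.pi[i] * self.B[i][o] for i in range(self.n)]
            else:
                a = [sum(alpha[-1][i] * self.A[i][j] for i in range(self.n)) * self.B[j][o]
                     for j in range(self.n)]
            s = sum(a)
            scale.append(s)
            alpha.append([x / s for x in a])
        return alpha, scale

    def _backward(self, obs, scale):
        """Backward pass scaled with the same normalisers as the forward pass."""
        T = len(obs)
        beta = [[1.0] * self.n for _ in range(T)]
        for t in range(T - 2, -1, -1):
            for i in range(self.n):
                beta[t][i] = sum(self.A[i][j] * self.B[j][obs[t + 1]] * beta[t + 1][j]
                                 for j in range(self.n)) / scale[t + 1]
        return beta

    def log_likelihood(self, seq):
        _, scale = self._forward(self.encode(seq))
        return sum(math.log(s) for s in scale)

    def score(self, seq):
        """Deviation measure: average log-likelihood per call (closer to 0 = more normal)."""
        return self.log_likelihood(seq) / len(seq)

    def fit(self, traces, iterations=20):
        """Baum-Welch re-estimation of pi, A and B over several normal traces."""
        data = [self.encode(t) for t in traces]
        for _ in range(iterations):
            pi_acc = [0.0] * self.n
            A_num = [[0.0] * self.n for _ in range(self.n)]
            B_num = [[0.0] * self.m for _ in range(self.n)]
            for obs in data:
                alpha, scale = self._forward(obs)
                beta = self._backward(obs, scale)
                for t in range(len(obs)):
                    for i in range(self.n):
                        gamma = alpha[t][i] * beta[t][i]  # P(state i at t | trace)
                        if t == 0:
                            pi_acc[i] += gamma
                        B_num[i][obs[t]] += gamma
                        if t + 1 < len(obs):
                            for j in range(self.n):  # xi_t(i, j): expected transition mass
                                A_num[i][j] += (alpha[t][i] * self.A[i][j] * self.B[j][obs[t + 1]]
                                                * beta[t + 1][j] / scale[t + 1])
            self.pi = self._norm(pi_acc)
            self.A = [self._floored(row) for row in A_num]
            self.B = [self._floored(row) for row in B_num]


def train_detector(traces, margin=1.0, **hmm_kwargs):
    """Build the normal-behaviour profile and derive the deviation threshold from it."""
    model = CallHMM([c for t in traces for c in t], **hmm_kwargs)
    model.fit(traces)
    threshold = min(model.score(t) for t in traces) - margin
    return model, threshold


def is_anomalous(model, threshold, trace):
    return model.score(trace) < threshold


# Constructed sample traces (not real audit data).
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"] * 3,
    ["open", "read", "close", "open", "read", "read", "close"],
    ["mmap", "read", "write", "munmap"] * 2 + ["close"],
    ["open", "read", "write", "write", "close", "mmap", "read", "munmap"],
]
# A trace made of calls the normal profile never emitted.
SUSPECT_TRACE = ["open", "execve", "chmod", "socket", "connect", "execve", "ptrace", "kill"]

if __name__ == "__main__":
    model, thr = train_detector(NORMAL_TRACES)
    for trace in (NORMAL_TRACES[0], SUSPECT_TRACE):
        print(f"score={model.score(trace):7.2f}  threshold={thr:.2f}  "
              f"anomalous={is_anomalous(model, thr, trace)}")
```

Two details matter in practice. Calls that never occur in the training profile are mapped to a single `<unk>` symbol whose emission probability is held at the floor, so they drive the score down sharply rather than making the forward pass collapse to zero; and the threshold is derived from the training traces themselves, so the normal profile is never flagged by construction while the margin controls how far a trace may drift before it counts as a large deviation.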
Keywords/Search Tags: Dynamic call sequence, Intrusion detection, Hidden Markov model, Abnormal behavior