    Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/13278


    Title: Combining Hidden Markov Model and Support Vector Machine for Host-based Anomaly Detection Systems
    Authors: 陳威棋 (Wei-Chi Chen)
    Contributors: Graduate Institute of Information Management
    Keywords: Support Vector Machine; Hidden Markov Model; Windows Native API; Program behavior
    Date: 2006-06-30
    Issue Date: 2009-09-22 15:27:55 (UTC+8)
    Publisher: National Central University Library
    Abstract: In recent years, malicious programs such as Trojan horses and backdoors have become rampant on the Internet, and the appearance of automated penetration tools has greatly reduced the background knowledge needed to carry out an attack. In a network environment where malicious programs are this widespread, the final responsibility for guarding system security falls largely on host-based intrusion detection systems. Our research builds on the Hidden Markov Model and the Support Vector Machine and proposes a host-based anomaly detection system for Microsoft Windows platforms. We use Windows Native API sequences to establish a model of program behavior. The most significant characteristic of this kind of data is the order in which the API calls appear, so we use the Hidden Markov Model, which is good at expressing relationships in dynamic sequences, to describe the probabilistic ordering between Windows Native API calls. The Hidden Markov Model then outputs the hidden states of the system call sequence, and these hidden states are converted into vector form so that a Support Vector Machine can be used to build the model of normal program behavior and to judge anomalous intrusions. This behavior model characterizes what normal behavior looks like, so whenever the Support Vector Machine classifies the behavior of a monitored program as anomalous, the user can be informed that the program is currently in an anomalous state. We also developed a prototype anomaly detection system based on the proposed method and ran several experiments to evaluate its performance. The experiments use the system call dataset of the University of New Mexico and Windows Native API data that we collected ourselves on Microsoft operating systems. The results show that combining the Hidden Markov Model and the Support Vector Machine in an anomaly detection system can distinguish anomalous program behavior from normal program behavior.
    Appears in Collections: [Graduate Institute of Information Management] Electronic Thesis & Dissertation