NCU Institutional Repository - downloads of theses and dissertations, past exam papers, journal articles, research projects and more: Item 987654321/13278


    Please use this permanent URL to cite or link to this item: https://ir.lib.ncu.edu.tw/handle/987654321/13278


    Title: Combining Hidden Markov Model and Support Vector Machine for Host-based Anomaly Detection Systems (結合隱藏式馬可夫模型與支援向量機於異常偵測系統之研究)
    Author: Wei-Chi Chen (陳威棋)
    Contributor: Graduate Institute of Information Management
    Keywords: Support Vector Machine; Hidden Markov Model; Windows Native API; Program behavior
    Date: 2006-06-30
    Upload time: 2009-09-22 15:27:55 (UTC+8)
    Publisher: National Central University Library
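    Abstract: In recent years, Trojan horses and backdoor programs have run rampant on the Internet, and the emergence of automated penetration tools has greatly reduced the knowledge needed to mount an attack. In a network environment where all kinds of malicious programs are rampant, the final responsibility for guarding system security falls mostly on host-based intrusion detection systems. This research takes the Hidden Markov Model and the Support Vector Machine as its theoretical basis and proposes a host-based anomaly intrusion detection system for Microsoft operating systems.

    This research uses Windows Native API sequence data to build a program behavior model. The most important characteristic of this kind of data is that it is ordered, so we use the Hidden Markov Model, a tool that is good at expressing dynamic sequence relationships, to describe the probabilistic relationship of the order among Windows Native API calls. The Hidden Markov Model then outputs the hidden states of the system call sequence, and finally the hidden states are converted into vector form so that the Support Vector Machine can be used to build the normal program behavior model and to judge anomalous intrusions. This program behavior model characterizes the norms of normal behavior, so whenever the behavior of a monitored program is classified as anomalous by the Support Vector Machine, the user can be informed that the program is currently in an anomalous state.

    Based on these ideas, this research also developed a prototype anomaly intrusion detection system. In the final experiments, the New Mexico University system call dataset and data collected by this research on Microsoft operating systems are used to show that combining the Hidden Markov Model and the Support Vector Machine in an anomaly detection system can distinguish when anomalous behavior occurs during program execution.

    Various malicious programs, such as Trojan horses and backdoors, have become popular on the Internet in recent years. More and more automated penetration testing tools appear, and less background knowledge of attacks is now needed than before. As a result, the responsibility for computer security is transferred to host-based intrusion detection systems. Our research mainly combines the Hidden Markov Model and the Support Vector Machine and proposes a host-based anomaly detection system for Windows platforms. We use Windows Native Application Interface (API) sequences to establish the normal behavior model of a program. A significant characteristic of this kind of data is the order in which the APIs appear in the sequence, so we use the Hidden Markov Model, which is good at expressing relations in dynamic sequences, to describe the probabilistic relation of order between Windows Native APIs. After obtaining the hidden state sequences of the Native API sequences from the Hidden Markov Model, we feed them into the Support Vector Machine to train on the normal behavior of programs. If our prototype system detects that the state of a program is anomalous, we can inform users about the anomalous behavior of the program. We developed a prototype system using the proposed method and ran several experiments to evaluate its performance. The experiments use the dataset of the New Mexico University and the Windows Native API dataset collected by ourselves. The experimental results prove the effectiveness of combining the Hidden Markov Model and the Support Vector Machine, which can distinguish anomalous program behavior from normal program behavior.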
    Appears in collections: [Graduate Institute of Information Management] Theses and Dissertations

    Files in this item:

    File: index.html | Description: (none) | Size: 0Kb | Format: HTML | Views: 641


    All items in NCUIR are protected by the original copyright.
