NCU Institutional Repository (theses and dissertations, past exam papers, journal articles and research projects available for download): Item 987654321/13348


    Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/13348


    Title: An Adaptive Anomaly Detection Method Based on Incremental Hidden Markov Model and Windows Native API
    Authors: Wen-Fu Shih (施文富)
    Contributors: Graduate Institute of Information Management
    Keywords: Program behavior; Windows system calls; Windows Native API; Anomaly intrusion detection; Intrusion Detection; Incremental Hidden Markov Model
    Date: 2007-06-25
    Issue Date: 2009-09-22 15:29:38 (UTC+8)
    Publisher: National Central University Library
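    Abstract: In recent years, the prevalence of network attacks has made traditional intrusion detection methods and technologies such as firewalls insufficient to keep computers secure. Related research has shown that anomaly intrusion detection based on hidden Markov models and the system calls used by programs can achieve good results, but the excessive cost of training a hidden Markov model has been an obstacle to practical application. This study therefore takes the anomaly intrusion detection approach, targets the Microsoft Windows operating system, and uses the incremental hidden Markov model as its theoretical basis to implement an anomaly intrusion detection system with model adaptation. We use the incremental hidden Markov model to model normal program behavior, and combine its incremental learning with an improved training architecture to reduce the cost of training. In addition, updating and adapting the normal-behavior model is a major problem for anomaly intrusion detection systems, so we also use a method of learning hidden Markov models from multiple observation sequences to design a model adaptation method that helps with the false positives that tend to occur when a normal program is updated. Finally, using the Sendmail system call dataset provided by the University of New Mexico and Windows system call data that we collected ourselves, we show that the proposed method can indeed distinguish whether a program's execution contains anomalous intrusion behavior, that the model can be adapted accordingly when a program is updated, which reduces false positives, and that, according to the experiments, the time and memory required for training are reduced by about 66% and 93% respectively compared with the original.

    Vulnerabilities are typically discovered months before a worm outbreak, but more and more worms and other malicious programs are released within a few days of a vulnerability being announced. A growing number of automated penetration testing tools help attackers develop attack programs easily and create zero-day worms for vulnerabilities that are unknown to signature-based network defenses. Host-based intrusion detection systems therefore play an important role in detecting such new attacks. Our research mainly makes use of Windows Native Application Interface (API) sequences and the Incremental Hidden Markov Model to propose a host intrusion detection method. The Hidden Markov Model has proved to be good at expressing dynamic sequence data. In this research, it helps to describe the probability relations of Windows Native API sequences. But the training cost of the Hidden Markov Model is so high that it is almost impossible to design on-line learning and detection mechanisms for intrusion detection. So we make use of the Incremental Hidden Markov Model algorithm and propose an effective training scheme that helps to save time and memory usage. In addition, we propose an adaptive detection scheme that can be used for model adaptation. We developed a prototype system using the proposed method and ran several experiments to evaluate its performance. The experiments use the dataset of the New Mexico University and the Windows Native API dataset that we collected ourselves. The results of the experiments prove the effectiveness of the intrusion detection method and show that it could save 66% time usage and 93% memory usage. We also proved that the model adaptation method is effective.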
    Appears in Collections:[Graduate Institute of Information Management] Electronic Thesis & Dissertation


    All items in NCUIR are protected by copyright, with all rights reserved.
