Research on Intrusion Detection Methods Based on Conditional Random Fields
[Abstract]: Intrusion detection is a relatively new technology. As long as there is information technology there will be computer intrusions, and as long as there are intrusions, intrusion detection systems will be needed; the field has evolved from simple to complex techniques. Because the behaviour of a program is realised through calls to the system service interface (API), the composition of a program's API call sequence reflects the composition of its behaviour. The Conditional Random Field (CRF) is a machine learning model proposed in recent years for sequence labelling and named entity recognition in language processing. It is a discriminative undirected graphical model: it constructs the conditional distribution of an unobserved label sequence given an observable state sequence and, following the axioms of probability, selects the label sequence with the highest conditional probability as the sequence corresponding to the observation, thereby classifying the object under analysis. The combination of sequence-data processing with rich feature labels makes the CRF particularly well suited to context-aware classification. Building on this theory, this thesis adopts a statistical machine learning approach based on the conditional random field model and takes the PE (Portable Executable) file as the data source for studying intrusion detection.

The main contributions of this work are as follows. (1) Based on the structure of the PE file, the PE header information is obtained and analysed, and the structural anomalies of PE files are summarised. Without monitoring the running program or unpacking the file, and before the program runs, it is possible to judge from these anomalous items whether the program is a virus file or has been infected by a virus. (2) The API function call sequence is extracted by analysing the program's PE file. It is divided into short sequences of length k, which are matched against an attack tree; the occurrence probability and the malicious weight of each node of the attack tree are then calculated, and finally the event risk index aggregated at the root node of the attack tree is used to estimate the degree of similarity between the program and a Trojan horse. This judges how likely the program is to be a Trojan program or to contain a Trojan component, so that Trojan attacks can be detected and prevented accurately. (3) Combining the context information and domain knowledge of the API functions in the PE file, the API call sequence is taken as the observation sequence and the file category as the label sequence, and each API function is labelled. The conditional random field model is trained on the training set to judge the label category of each API function; finally, each observation in the API sequence of a test file is labelled, and the category of the PE file is judged from the proportion of the labels. In this way the problem of intrusion detection based on PE files is transformed into a binary classification problem of intrusion versus non-intrusion, and the structural anomalies of virus files are analysed. (4) On the basis of disk monitoring and PE file structure analysis, the intrusion detection model is designed and implemented.
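The attack-tree step in contribution (2) above, as an added illustration that is not code from the thesis: an API call sequence is split into short sequences of length k, each attack-tree leaf is matched against those k-grams, a per-node risk is computed from occurrence probability and malicious weight, and the root value serves as the risk index. The tree, its weights, the AND/OR gate semantics, the decision threshold and the sample API sequences are all assumptions constructed for this example; the thesis does not publish them.

```python
"""Scoring an API call sequence against an attack tree (added example).

Everything below (tree shape, weights, gate rules, threshold, sample calls)
is constructed for illustration and is not taken from the thesis.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple


@dataclass
class AttackNode:
    name: str
    weight: float                     # malicious weight, assumed scale [0, 1]
    pattern: Tuple[str, ...] = ()     # leaf only: the k-gram of API names it matches
    gate: str = "OR"                  # internal only: "OR" (any child) or "AND" (all children)
    children: List["AttackNode"] = field(default_factory=list)

    @property
    def is_leaf(self) -> bool:
        return not self.children


def k_grams(seq: Sequence[str], k: int) -> List[Tuple[str, ...]]:
    """Split an API call sequence into overlapping short sequences of length k."""
    if k <= 0:
        raise ValueError("k must be positive")
    return [tuple(seq[i:i + k]) for i in range(len(seq) - k + 1)]


def node_risk(node: AttackNode, gram_counts: Counter, total: int) -> float:
    """Risk of a node in [0, 1].

    Leaf: empirical occurrence probability of its k-gram (count / total k-grams)
    times its malicious weight. AND gate: the weakest child bounds the risk,
    since every step is required. OR gate: noisy-OR of the children, since any
    one step suffices. The node's own weight scales the combined value.
    """
    if node.is_leaf:
        prob = gram_counts[node.pattern] / total if total else 0.0
        return prob * node.weight
    child_risks = [node_risk(c, gram_counts, total) for c in node.children]
    if node.gate == "AND":
        combined = min(child_risks)
    elif node.gate == "OR":
        survive = 1.0
        for r in child_risks:
            survive *= 1.0 - r
        combined = 1.0 - survive
    else:
        raise ValueError(f"unknown gate {node.gate!r}")
    return combined * node.weight


def risk_index(api_calls: Sequence[str], tree: AttackNode, k: int) -> float:
    """Event risk index at the root of the attack tree."""
    grams = k_grams(api_calls, k)
    return node_risk(tree, Counter(grams), len(grams))


def classify(api_calls: Sequence[str], tree: AttackNode, k: int, threshold: float):
    """Return (risk index, True if the sequence is judged Trojan-like)."""
    r = risk_index(api_calls, tree, k)
    return r, r >= threshold


# Hypothetical attack tree with k = 2 leaf patterns (constructed for this example).
TREE = AttackNode("trojan-like behaviour", 1.0, gate="OR", children=[
    AttackNode("code injection", 0.8, gate="AND", children=[
        AttackNode("alloc+write", 1.0, ("VirtualAlloc", "WriteProcessMemory")),
        AttackNode("write+thread", 1.0, ("WriteProcessMemory", "CreateRemoteThread")),
    ]),
    AttackNode("registry persistence", 0.6, gate="AND", children=[
        AttackNode("open+set", 1.0, ("RegOpenKeyExA", "RegSetValueExA")),
        AttackNode("set+close", 1.0, ("RegSetValueExA", "RegCloseKey")),
    ]),
    AttackNode("network beacon", 0.4, gate="OR", children=[
        AttackNode("open+send", 1.0, ("InternetOpenA", "HttpSendRequestA")),
        AttackNode("open+connect", 1.0, ("InternetOpenA", "InternetConnectA")),
    ]),
])

# Constructed sample call sequences, not extracted from real files.
SUSPICIOUS_CALLS = ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread",
                    "RegOpenKeyExA", "RegSetValueExA", "RegCloseKey",
                    "InternetOpenA", "HttpSendRequestA"]
BENIGN_CALLS = ["GetModuleHandleA", "GetProcAddress", "CreateFileA",
                "ReadFile", "CloseHandle", "ExitProcess"]
THRESHOLD = 0.1   # assumed; in practice calibrated on labelled training data

if __name__ == "__main__":
    for label, calls in (("suspicious", SUSPICIOUS_CALLS), ("benign", BENIGN_CALLS)):
        r, hit = classify(calls, TREE, 2, THRESHOLD)
        print(f"{label}: risk index {r:.4f} -> {'Trojan-like' if hit else 'clean'}")
```

Because each leaf probability is a k-gram frequency, the root index shrinks as the sequence grows, so the threshold must be calibrated on labelled samples rather than fixed by hand; the thesis's own experiments on PE files would supply that calibration.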
【Degree-granting institution】: Shandong Normal University (山东师范大学)
【Degree level】: Master's
【Year degree conferred】: 2014
【Classification number】: TP393.08