Intrusion detection based on system calls and homogeneous Markov chains
Author affiliations: Institute of Computing Technology, Beijing Jiaotong University, Beijing 100029, P. R. China; Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100080, P. R. China
Publication: Journal of Systems Engineering and Electronics (系统工程与电子技术, English edition)
Year / volume / issue: 2008, Vol. 19, No. 3
Pages: 598-605
Subject classification: 08 [Engineering]; 0812 [Engineering: Computer Science and Technology (engineering or science degrees may be conferred)]
Funding: the National Grand Fundamental Research "973" Program of China (2004CB318109); the High-Technology Research and Development Plan of China (863-307-7-5); the National Information Security 242 Program of China (2005C39)
Keywords: intrusion detection; Markov chain; anomaly detection; system call
Abstract: A novel method for detecting anomalous program behavior is presented, which is applicable to host-based intrusion detection systems that monitor system call activity. The method constructs a homogeneous Markov chain model to characterize the normal behavior of a privileged program, and associates the states of the Markov chain with the unique system calls in the training data. At the detection stage, the probabilities that the Markov chain model supports the system call sequences generated by the program are computed. A low probability indicates an anomalous sequence that may result from intrusive activity. A decision rule based on the number of anomalous sequences within a locality frame is then applied to classify the program's behavior. The method balances computational efficiency against detection accuracy, and is especially suitable for on-line detection. It has been applied in practical host-based intrusion detection systems.
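The following is an added illustration of the scheme the abstract describes, not code from the paper or its authors: a first-order homogeneous Markov chain whose states are the unique system calls in a training trace, a per-window probability score at detection time, and a locality-frame rule over the count of low-probability windows. The traces, the additive smoothing constant, the probability floor for calls never seen in training, the window length and both thresholds are assumptions chosen for the example; the paper's own parameter values and its exact probability computation are not given on this page.

```python
"""Added example (not code from the paper): a first-order homogeneous Markov
chain over system-call names, trained on a constructed 'normal' trace, used
to score sliding windows of a monitored trace and to apply a locality-frame
decision rule. Smoothing, window length, thresholds and all traces here are
assumptions chosen for illustration, not values from the paper."""
import math
from collections import defaultdict

# Constructed training trace (not a real audit log): start-up, a read/write
# service loop, and shutdown of a hypothetical privileged program.
NORMAL_TRACE = (
    ["execve", "brk", "mmap", "open", "fstat", "mmap", "close"]
    + ["read", "write"] * 20
    + ["close", "exit_group"]
)


class SyscallMarkovChain:
    """States are the unique system calls seen in training; the transition
    matrix is fixed after training (homogeneous chain)."""

    def __init__(self, trace, alpha=0.01, floor=1e-4):
        self.states = sorted(set(trace))
        self.floor = floor  # probability for calls never seen in training (assumption)
        n = len(self.states)
        counts = defaultdict(lambda: defaultdict(int))
        for a, b in zip(trace, trace[1:]):
            counts[a][b] += 1
        # Additive smoothing so rare but legitimate transitions are not scored
        # as impossible; alpha is an assumption.
        self.trans = {}
        for a in self.states:
            total = sum(counts[a].values())
            self.trans[a] = {b: (counts[a][b] + alpha) / (total + alpha * n)
                             for b in self.states}

    def log_prob(self, seq):
        """Average log-probability per transition that the chain generates seq,
        conditioned on its first call (the initial-state distribution is
        ignored because windows are cut from the middle of a running trace)."""
        if len(seq) < 2:
            return 0.0
        lp = 0.0
        for a, b in zip(seq, seq[1:]):
            row = self.trans.get(a)
            p = row.get(b, self.floor) if row is not None else self.floor
            lp += math.log(p)
        return lp / (len(seq) - 1)


def score_windows(model, trace, k):
    """Score every length-k window of the monitored trace."""
    return [model.log_prob(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def detect(model, trace, k=6, seq_threshold=-3.0, frame=8, frame_threshold=4):
    """Locality-frame rule: the program is classified anomalous if some frame
    of `frame` consecutive windows contains at least `frame_threshold`
    low-probability windows. Returns (is_anomalous, index_of_first_bad_frame).
    All four parameters are assumptions."""
    flags = [lp < seq_threshold for lp in score_windows(model, trace, k)]
    for i in range(max(1, len(flags) - frame + 1)):
        if sum(flags[i:i + frame]) >= frame_threshold:
            return True, i
    return False, None


# Constructed monitored traces (not real audit logs).
NORMAL_TEST = (["execve", "brk", "mmap", "open", "fstat", "mmap", "close"]
               + ["read", "write"] * 4 + ["close", "exit_group"])
# Hypothetical intrusion: the service loop is diverted into a connect-back
# shell; socket/connect/dup2/setuid are absent from the training alphabet.
ATTACK_TEST = (["execve", "brk", "mmap", "open", "fstat", "mmap", "close"]
               + ["read", "write"] * 3
               + ["read", "socket", "connect", "dup2", "dup2", "setuid",
                  "execve", "brk", "mmap", "open"])

if __name__ == "__main__":
    model = SyscallMarkovChain(NORMAL_TRACE)
    for name, trace in (("normal", NORMAL_TEST), ("attack", ATTACK_TEST)):
        print(name, detect(model, trace))
```

Two design points matter in practice. Scoring the average log-probability per transition rather than the raw product keeps the per-window threshold independent of the window length, and smoothing plus a floor for unseen calls means a single rare transition (here `write` followed by `close`, which occurs once in training) lowers a window's score without tripping the sequence threshold, whereas a run of transitions the model has never seen does. The frame rule then suppresses isolated low-probability windows, which is what keeps the false-alarm rate workable for on-line use.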