| Author | Wei-Chi Chen (陳威棋) |
|---|---|
| Title | Combining Hidden Markov Model and Support Vector Machine for Host-based Anomaly Detection Systems (結合隱藏式馬可夫模型與支援向量機於異常偵測系統之研究) |
| Advisor | Yi-Ming Chen (陳奕明) |
| Committee | |
| Degree | Master |
| Department | Department of Information Management, College of Management |
| Graduation year | 94 (ROC calendar, i.e. academic year 2005-2006) |
| Language | Chinese |
| Pages | 60 |
| Keywords | Program behavior, Hidden Markov Model, Windows Native API, Support Vector Machine |
Malicious programs such as Trojan horses and backdoors have become widespread on the Internet in recent years, and the appearance of automated penetration tools has sharply reduced the knowledge an attacker needs. In such an environment, the last line of defence for system security largely falls to host-based intrusion detection systems. This thesis takes the Hidden Markov Model (HMM) and the Support Vector Machine (SVM) as its theoretical basis and proposes a host-based anomaly intrusion detection system for the Microsoft Windows platform.
Program behaviour is modelled from sequences of Windows Native API calls. The defining property of such data is ordering: which call follows which. An HMM, a tool well suited to expressing dynamic sequential relations, is therefore used to describe the probabilistic ordering relations between Native API calls. The HMM then outputs the hidden-state sequence corresponding to a system call sequence, and that hidden-state sequence is converted into vector form, which the SVM uses to build a model of normal program behaviour and to judge anomalies. Because this model characterises the norm of normal behaviour, whenever the SVM classifies the behaviour of a monitored program as anomalous, the user can be notified that the program is in an anomalous state.
A prototype anomaly intrusion detection system was built on this idea. In the final experiments, using the system call dataset from the University of New Mexico as well as Windows Native API data collected by the author on Microsoft Windows, the combination of HMM and SVM is shown to distinguish anomalous behaviour occurring during program execution from normal program behaviour.
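As an added illustration of the pipeline described above (not code from the thesis), the following Python shows the two middle steps: Viterbi decoding of a Native API call sequence into its hidden-state sequence under a small discrete HMM, and conversion of that state sequence into a fixed-length vector of the kind an SVM (for example LIBSVM) is then trained on. The HMM parameters, the call vocabulary and both traces are constructed toy values, not the thesis's trained model or its dataset.

```python
import math
from itertools import product

# Constructed toy HMM: 4 system-call symbols (0..3) and 2 hidden states.
# In the thesis pipeline these parameters would come from training the HMM
# on Native API traces of normal runs; here they are illustrative only.
STATES = 2
START = [0.6, 0.4]
TRANS = [[0.7, 0.3],
         [0.2, 0.8]]
EMIT = [[0.5, 0.3, 0.1, 0.1],   # state 0 mostly emits calls 0 and 1
        [0.1, 0.1, 0.4, 0.4]]   # state 1 mostly emits calls 2 and 3

def viterbi(seq):
    """Most likely hidden-state path for an observed call sequence (log domain)."""
    lp = [[math.log(START[s]) + math.log(EMIT[s][seq[0]])] for s in range(STATES)]
    back = [[None] for _ in range(STATES)]
    for t in range(1, len(seq)):
        for s in range(STATES):
            prev = max(range(STATES),
                       key=lambda p: lp[p][t - 1] + math.log(TRANS[p][s]))
            lp[s].append(lp[prev][t - 1] + math.log(TRANS[prev][s])
                         + math.log(EMIT[s][seq[t]]))
            back[s].append(prev)
    last = max(range(STATES), key=lambda s: lp[s][-1])
    path = [last]
    for t in range(len(seq) - 1, 0, -1):
        path.append(back[path[-1]][t])
    return path[::-1]

def state_vector(path):
    """Fixed-length SVM feature vector: hidden-state frequencies followed by
    normalised state-transition frequencies (STATES + STATES**2 entries)."""
    freq = [path.count(s) / len(path) for s in range(STATES)]
    pairs = list(zip(path, path[1:]))
    trans = [sum(1 for a, b in pairs if (a, b) == (i, j)) / max(len(pairs), 1)
             for i, j in product(range(STATES), repeat=2)]
    return freq + trans

def features_for_trace(seq):
    """Full path from a raw call trace to the vector handed to the SVM."""
    return state_vector(viterbi(seq))

# Constructed traces: a 'normal' one dominated by calls 0/1 and one that
# drifts into the 2/3 region, which the HMM explains with hidden state 1.
NORMAL_TRACE = [0, 0, 1, 0]
DRIFTING_TRACE = [0, 2, 3, 3, 2]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("drifting", DRIFTING_TRACE)):
        print(name, viterbi(trace), features_for_trace(trace))
```

The two vectors differ in both the state-frequency and transition entries, which is what gives the SVM a fixed-length representation of an arbitrarily long trace to separate.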