| Graduate student: | 施文富 Wen-Fu Shih |
|---|---|
| Thesis title: | 基於漸進式隱藏馬可夫模型與Windows系統呼叫之可調適性異常入侵偵測方法 (An Adaptive Anomaly Detection Method Based on Incremental Hidden Markov Model and Windows Native API) |
| Advisor: | 陳奕明 Yi-Ming Chen |
| Committee members: | |
| Degree: | Master |
| Department: | College of Management, Department of Information Management |
| Graduation academic year: | 95 |
| Language: | Chinese |
| Pages: | 61 |
| Chinese keywords: | Program behavior, Windows system calls, anomaly intrusion detection, incremental hidden Markov model |
| English keywords: | Windows Native API, Program behavior, Intrusion Detection, Incremental Hidden Markov Model |
The prevalence of network attacks in recent years has left traditional intrusion detection methods and technologies such as firewalls insufficient to protect computers. Anomaly intrusion detection that applies hidden Markov models to the system calls a program issues has been shown in related work to achieve good results, but the high cost of training a hidden Markov model has been an obstacle to practical use. This study therefore takes the anomaly detection approach and, targeting the Microsoft Windows operating system and using the incremental hidden Markov model as its theoretical basis, implements an anomaly intrusion detection system with model adaptation. We model normal program behavior with an incremental hidden Markov model and combine its incremental learning capability with an improved training architecture to reduce the cost of training. In addition, updating and adapting the normal-behavior model is a major problem for anomaly intrusion detection systems, so we also use a method for learning a hidden Markov model from multiple observation sequences to design a model adaptation method that helps resolve the false alarms that legitimate program updates tend to cause. Finally, using the Sendmail system call dataset provided by the University of New Mexico and Windows system call data we collected ourselves, we show that the proposed method can distinguish anomalous intrusive behavior in a program's execution and can adapt the model accordingly when the program is updated, thereby reducing false alarms; the experiments also show that the time and memory required for training are reduced by about 66% and 93% respectively compared with the original approach.
Vulnerabilities are typically discovered months before a worm outbreak, but more and more worms and other malicious programs are released within a few days of a vulnerability being announced. Increasingly automated penetration testing tools help attackers develop attack programs easily and create zero-day worms for vulnerabilities unknown to signature-based network defenses. Host-based intrusion detection systems therefore play an important role in detecting such new attacks. Our research uses Windows Native Application Programming Interface (API) sequences and the Incremental Hidden Markov Model to propose a host intrusion detection method. Hidden Markov Models have proved good at expressing dynamic sequence data; in this research they describe the probabilistic relations within Windows Native API sequences. The training cost of a Hidden Markov Model, however, was so high that it was almost impossible to design on-line learning and detection mechanisms for intrusion detection. We therefore use an Incremental Hidden Markov Model algorithm and propose an effective training scheme that saves time and memory. In addition, we propose an adaptive detection scheme for model adaptation. We developed a prototype system using the proposed method and ran several experiments to evaluate its performance, using the University of New Mexico dataset and the Windows Native API data we collected ourselves. The results demonstrate the effectiveness of the intrusion detection method, which saves 66% of the time and 93% of the memory, and also show that the model adaptation method is effective.
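Sketched below, as an added example rather than code from the thesis or its prototype, is the detection scheme both abstracts describe: an HMM of normal behaviour is estimated with Baum-Welch from windows of Native API call names treated as multiple observation sequences, each window is scored with the forward algorithm, and the profile is adapted after a benign program update by re-estimating from the old and new traces together, which is the multiple-observation-sequence idea the abstract refers to. It uses batch rather than incremental re-estimation, so it demonstrates the detection and adaptation logic but not the training-cost savings the thesis measures. The three call traces, the window length of 8, the emission floor for unseen calls and the alarm margin are all constructed assumptions, not values from the thesis.

```python
# Added example of HMM-based anomaly detection over Windows Native API call
# sequences. Not the thesis prototype; all traces are constructed sample data.
import math
import random

WINDOW = 8         # calls per observation window
MARGIN = 0.5       # alarm margin (nats per call) below the worst training window
EMIT_FLOOR = 1e-9  # emission probability assigned to calls never seen in training

# Hypothetical file utility: normal trace, the same utility after a benign update
# that adds an attribute query, and the same utility unexpectedly creating a process.
NORMAL_TRACE = ["NtOpenFile", "NtReadFile", "NtWriteFile", "NtClose"] * 12
UPDATED_TRACE = ["NtOpenFile", "NtQueryInformationFile", "NtReadFile",
                 "NtWriteFile", "NtClose"] * 10
SUSPECT_TRACE = (NORMAL_TRACE[:12] + ["NtOpenFile", "NtCreateProcess",
                 "NtCreateThread", "NtClose"] + NORMAL_TRACE[:12])


def _norm(v):
    s = sum(v)
    return [x / s for x in v]


class DiscreteHMM:
    """Discrete HMM: scaled forward/backward, Baum-Welch over many sequences."""

    def __init__(self, n_states, symbols, seed=1):
        rng = random.Random(seed)
        self.index = {s: i for i, s in enumerate(sorted(symbols))}
        n, m = n_states, len(self.index)
        self.pi = _norm([rng.random() + 0.5 for _ in range(n)])
        self.A = [_norm([rng.random() + 0.5 for _ in range(n)]) for _ in range(n)]
        self.B = [_norm([rng.random() + 0.5 for _ in range(m)]) for _ in range(n)]

    def _emit(self, i, call):
        k = self.index.get(call)  # unseen calls fall back to the floor probability
        return EMIT_FLOOR if k is None else max(self.B[i][k], EMIT_FLOOR)

    def _forward(self, obs):
        """Scaled forward pass: scaled alphas, per-step scale factors, log P(obs)."""
        n, alphas, scales, logp = len(self.pi), [], [], 0.0
        for t, call in enumerate(obs):
            a = [(self.pi[i] if t == 0 else sum(alphas[-1][j] * self.A[j][i] for j in range(n)))
                 * self._emit(i, call) for i in range(n)]
            c = sum(a)
            scales.append(c)
            logp += math.log(c)
            alphas.append([x / c for x in a])
        return alphas, scales, logp

    def _backward(self, obs, scales):
        n, betas = len(self.pi), [[1.0] * len(self.pi) for _ in obs]
        for t in range(len(obs) - 2, -1, -1):  # same scaling as the forward pass
            betas[t] = [sum(self.A[i][j] * self._emit(j, obs[t + 1]) * betas[t + 1][j]
                            for j in range(n)) / scales[t + 1] for i in range(n)]
        return betas

    def score(self, obs):
        return self._forward(obs)[2] / len(obs)  # per-call log-likelihood; low = unfamiliar

    def fit(self, sequences, iters=20):
        """Baum-Welch: pool expected state and transition counts over every sequence."""
        n, m = len(self.pi), len(self.index)
        for _ in range(iters):
            pi_acc, a_acc = [0.0] * n, [[0.0] * n for _ in range(n)]
            b_acc = [[0.0] * m for _ in range(n)]
            for obs in sequences:
                alphas, scales, _ = self._forward(obs)
                betas = self._backward(obs, scales)
                for t, call in enumerate(obs):
                    gamma = _norm([alphas[t][i] * betas[t][i] for i in range(n)])
                    for i in range(n):
                        b_acc[i][self.index[call]] += gamma[i]
                        pi_acc[i] += gamma[i] if t == 0 else 0.0
                    if t + 1 < len(obs):  # expected transition counts xi_t(i, j)
                        xi = [[alphas[t][i] * self.A[i][j] * self._emit(j, obs[t + 1])
                               * betas[t + 1][j] for j in range(n)] for i in range(n)]
                        z = sum(map(sum, xi))
                        for i in range(n):
                            a_acc[i] = [x + y / z for x, y in zip(a_acc[i], xi[i])]
            self.pi = _norm(pi_acc)
            self.A = [_norm(r) if sum(r) > 0 else old for r, old in zip(a_acc, self.A)]
            self.B = [_norm(r) if sum(r) > 0 else old for r, old in zip(b_acc, self.B)]


def windows(trace, size=WINDOW):
    return [trace[i:i + size] for i in range(len(trace) - size + 1)]


def train_profile(traces, n_states=4, seed=1):
    """Fit the profile on every window of the traces; pass old and new traces to adapt."""
    seqs = [w for trace in traces for w in windows(trace)]
    model = DiscreteHMM(n_states, {c for w in seqs for c in w}, seed)
    model.fit(seqs)
    return model, min(model.score(w) for w in seqs) - MARGIN


def detect(trace, model, threshold):
    """Indices of windows whose per-call log-likelihood falls below the threshold."""
    return [i for i, w in enumerate(windows(trace)) if model.score(w) < threshold]


def demo():
    """Profile the normal trace, watch the update raise alarms, adapt, re-check."""
    traces = {"normal": NORMAL_TRACE, "updated": UPDATED_TRACE, "suspect": SUSPECT_TRACE}
    before_after = []
    for training in ([NORMAL_TRACE], [NORMAL_TRACE, UPDATED_TRACE]):
        model, thr = train_profile(training)
        before_after.append({k: detect(v, model, thr) for k, v in traces.items()})
    return tuple(before_after)
```

Running `demo()` fits a four-state model on the normal trace, flags every window of the updated trace and the windows around the injected NtCreateProcess/NtCreateThread calls, then refits on both benign traces: the updated trace stops raising alarms while the process-creation windows are still flagged. The threshold is derived from the worst-scoring training window rather than fixed by hand, which is what lets the adaptation step recalibrate it automatically.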
Chinese references:
[李冠儀 2006] 李冠儀, "A Windows Registry-Based Method for Detecting Anomalous User Behavior", Master's thesis, Department of Information Management, National Central University, June 2006.
[李勁頤 2000] 李勁頤, "A Study on Correlating Intrusion Alerts of Distributed Intrusion Detection Systems Using Process Tracing", Master's thesis, Department of Information Management, National Central University, June 2000.
[官炳宏 2005] 官炳宏, "A Method Combining Hidden Markov Models and Colored Petri Nets to Correlate Multi-Step Attack Alerts", Master's thesis, Department of Information Management, National Central University, June 2005.
[林景仁 2003] 林景仁, "An Intrusion Prevention System Based on System Call Anomalies", Master's thesis, Department of Information Management, National Central University, June 2003.
[邱銘彰 2004] 邱銘彰, "Malware Detection by Behavior Analysis", Master's thesis, Graduate Institute of Computer Science and Engineering, Tatung University, June 2004.
[許明陽 2002] 許明陽, "Detecting Computer Viruses by Intercepting APIs", Master's thesis, Graduate Institute of Information Engineering, Feng Chia University, June 2006.
[陳威棋 2006] 陳威棋, "A Study of Combining Hidden Markov Models and Support Vector Machines in Anomaly Detection Systems", Master's thesis, Department of Information Management, National Central University, June 2006.
English references:
[Andersson et al. 2005] Stig Andersson, Andrew Clark, George Mohay, Bradley Schatz, Jakub Zimmermann, “A Framework for Detecting Network-based Code Injection Attacks Targeting Windows and UNIX”, In 21st Annual Computer Security Applications Conference, 2005.
[Allen et al. 2000] Julia Allen, Alan Christie, William Fithen, John McHugh, Jed Pickel, Ed Stoner, State of the Practice of Intrusion Detection Technologies, Technical Report CMU/SEI-99-TR-028, Software Engineering Institute, Carnegie Mellon, January 2000.
[BGM 2004] R. Battistoni, E. Gabrielli, and L. V. Mancini, “A Host Intrusion Prevention System for Windows Operating Systems”, In 9th European Symposium on Research in Computer Security, 2004.
[Bojanic 2005] Irena Bojanic. On-line Adaptive IDS Scheme for Detecting Unknown Network Attacks using HMM Models. Master thesis of Electrical and Computer Engineering Department, University of Maryland, 2005.
[CP 2003] S. B. Cho, H. J. Park, “Efficient anomaly detection by modeling privilege flows using hidden Markov model”, Computers & Security, Vol. 22, No. 1, pp. 45-55, 2003.
[DL 2002] Richard I. A. Davis and Brian C. Lovell, “Improved Estimation of Hidden Markov Model Parameters from Multiple Observation Sequences”, In Proceedings International Conference on Pattern Recognition, August 11-14, 2002.
[FBH 2005] German Florez-Larrahondo, Susan Bridges and Eric A. Hansen, “Incremental Estimation of Discrete Hidden Markov Models Based on a New Backward Procedure”, In Proceedings of the Twentieth National Conference on Artificial Intelligence, 2005.
[FBV 2005] German Florez-Larrahondo, Susan M. Bridges, and Rayford Vaughn, “Efficient Modeling of Discrete Events for Anomaly Detection Using Hidden Markov Models”, In 8th Information Security Conference, 2005.
[FHSL 1996] S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, “A Sense of Self for Unix Processes”, In Proceedings of the 1996 IEEE Symposium on Security and Privacy, May 1996.
[HFS 1998] S. A. Hofmeyr, S. Forrest, and A. Somayaji, “Intrusion detection using sequences of system calls”, Journal of Computer Security, Volume 6, pages 151-180, 1998.
[HH 2004] X. D. Hoang, J. Hu, “An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls”, In 12th IEEE International Conference on Networks (ICON), Nov. 2004.
[HHB 2003] X.D. Hoang, J. Hu, P. Bertok, “A Multi-layer Model for Anomaly Intrusion Detection”, In Proceedings of the IEEE International Conference on Networks, 2003.
[LS 1998] W. Lee and S. J. Stolfo, “Data mining approaches for intrusion detection”, In Proceedings of the 7th USENIX Security Symposium, 1998.
[MSAR 2004] Srinivas Mukkamala, Andrew H. Sung, Ajith Abraham, Vitorino Ramos, “Intrusion Detection Systems Using Adaptive Regression Splines”, In 6th International Conference on Enterprise Information Systems, 2004.
[Nebbett 2000] Gary Nebbett, Windows NT/2000 Native API Reference, Sams, 2000.
[QXBG 2002] Y. Qiao, X. W. Xin, Y. Bin and S. Ge, “Anomaly intrusion detection method based on HMM”, IEE Electronics Letters, Online No. 20020467, 2002.
[Rabiner 1989] Lawrence R. Rabiner, “A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition”, In Proceedings of the IEEE, Vol. 77, No. 2, February 1989.
[RJ 1986] L. R. Rabiner and B. H. Juang, “An Introduction to Hidden Markov Models”, IEEE ASSP Magazine, January 1986.
[RJ 1993] L.R. Rabiner and B.H. Juang, Fundamentals of Speech Recognition. Prentice Hall, 1993.
[WFP 1999] C. Warrender, S. Forrest, B. Pearlmutter, “Detecting intrusions using system calls: alternative data models”, In Proceedings of the 1999 IEEE Symposium on Security and Privacy, 1999.
[WGZ 2004] W. Wang, X.H. Guan, X.L. Zhang, “Modeling Program Behaviors by Hidden Markov Models for Intrusion Detection”, In Proceedings of 2004 International Conference on Machine Learning and Cybernetics, 2004.
[WGZY 2006] Wei Wang, Xiaohong Guan, Xiangliang Zhang, Liwei Yang, “Profiling program behavior for anomaly intrusion detection based on the transition and frequency property of computer audit data”, Computers & Security, Volume 25, Issue 7, 2006.
[XCY 2004] M. Xu, C. Chen, J. Ying, “Anomaly detection based on system call classification”, Journal of Software, Vol. 15, No. 3, 2004.
[YD 2003] D.Y. Yeung, Y. Ding, “Host-based Intrusion Detection using Dynamic and Static Behavioral Models”, Pattern Recognition, Vol. 36, 2003.
Related websites:
[資策會] Institute for Information Industry (III) FIND website:
http://www.find.org.tw/find/home.aspx
[GMSS] Global Market Share Statistics Website
http://marketshare.hitslink.com/report.aspx?qprid=2
[JAHM] Jahmm - An implementation of HMM in Java
http://www.run.montefiore.ulg.ac.be/~francois/software/jahmm/
[META] Metasploit Project Website
http://www.metasploit.com/
[RIES 2006] C. Ries, “ROOTKIT IN WINDOWS”, available at
http://www.issa.org/Pittsburgh/Archives/issa%20rootkit.pdf
[STRA] Strace for NT WebSite
http://www.bindview.com/Services/RAZOR/Utilities/Windows/strace_readme.cfm
[SYMA 2007] Symantec Internet Security Threat Report
http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport
[UNM] UNM system call datasets
http://www.cs.unm.edu/~immsec/systemcalls.htm