Chinese journal: 《计算机应用研究》 (Application Research of Computers)

A New Anomaly Intrusion Detection Method Based on Frequent Subgraph Mining

Abstract

In traditional anomaly intrusion detection methods based on system call sequences, the offline learning process depends too heavily on the amount of training data. To address this problem, the paper introduces frequent subgraph mining theory and exploits the derivation capability that system call sequences acquire once they are converted into a directed graph structure, so that a considerable number of effective derived feature patterns can be obtained from a relatively small training set. Experimental results show that the extended feature pattern set effectively improves the ability to discriminate unknown program behavior. In addition, combining the local and global characteristics of system call sequences provides a reasonable reference for extracting variable-length feature patterns.
