Title page for 944203020



Student Number 944203020
Author Wen-Fu Shih(施文富)
Author's Email Address Not public.
Statistics This thesis had been viewed 1802 times. Download 497 times.
Department Information Management
Year 2006
Semester 2
Degree Master
Type of Document Master's Thesis
Language zh-TW.Big5 Chinese
Title An Adaptive Anomaly Detection Method Based on Incremental Hidden Markov Model and Windows Native API
Date of Defense 2007-06-25
Page Count 61
Keywords
  • Incremental Hidden Markov Model
  • Intrusion Detection
  • Program behavior
  • Windows Native API
Abstract Vulnerabilities are typically discovered months before a worm outbreak, but more and more worms and other malicious programs are now released within a few days of a vulnerability being announced. A growing number of automated penetration testing tools help attackers develop attack programs easily and create zero-day worms for vulnerabilities that are unknown to signature-based network defenses. Host-based intrusion detection systems therefore play an important role in detecting such new attacks. Our research uses Windows Native Application Programming Interface (API) sequences and an Incremental Hidden Markov Model to propose a host intrusion detection method. Hidden Markov Models have proved good at expressing dynamic sequence data; in this research they describe the probabilistic relations among Windows Native API sequences. But the training cost of a Hidden Markov Model is so high that it is almost impossible to build on-line learning and detection mechanisms for intrusion detection on top of it. We therefore use the Incremental Hidden Markov Model algorithm and propose an effective training scheme that saves time and memory. In addition, we propose an adaptive detection scheme that can be used for model adaptation. We developed a prototype system using the proposed method and ran several experiments to evaluate its performance. The experiments use the dataset of the University of New Mexico and a Windows Native API dataset we collected ourselves. The results show that the intrusion detection method is effective and saves 66% of time usage and 93% of memory usage, and that the model adaptation method is also effective.
Table of Contents
    Abstract (Chinese)
    Abstract
    Table of Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
    1.1 Research Background
    1.2 Research Motivation and Objectives
    1.3 Research Scope
    1.4 Research Contributions
    1.5 Thesis Organization
    Chapter 2 Related Work
    2.1 Anomaly Intrusion Detection Based on System Calls
    2.2 Anomaly Detection Systems Based on Hidden Markov Models
    2.2.1 Hidden Markov Models
    2.2.2 Anomaly Detection Based on Hidden Markov Models
    2.3 Intrusion Detection Applications on the Windows Operating System
    2.4 Intrusion Detection Methods with Model Adaptation
    Chapter 3 Applying the Incremental Hidden Markov Model and Windows System Calls
    3.1 Incremental Hidden Markov Model
    3.2 Applying the Incremental Hidden Markov Model to Anomaly Intrusion Detection
    3.3 Sequence Evaluation with the Incremental Hidden Markov Model
    3.4 Implementation Issues of Anomaly Intrusion Detection on Windows
    Chapter 4 System Design and Implementation
    4.1 Training Phase
    4.2 Detection Phase
    Chapter 5 Experimental Analysis
    5.1 Training Cost Comparison Experiment
    5.2 Sendmail Anomaly Detection Experiment
    5.3 Internet Explorer Anomaly Detection Experiment
    5.4 Normal Behavior Model Adaptation Experiment
    Chapter 6 Conclusions
    6.1 Research Contributions
    6.2 Future Work
    References
Advisor Yi-Ming Chen(陳奕明)
Files 944203020.pdf (approve immediately)
Date of Submission 2007-07-12
