作　　者： ; ; ; ; (吕美远）;

机构地区： 燕山大学信息科学与工程学院

出　　处： 《小型微型计算机系统》 2014年第1期34-39,共6页

摘　　要： 软件行为是在一定上下文环境中,由一系列的动作组成的.因此可以通过检测动作序列推测行为是否有害.为了能够准确推测和判断软件行为的安全性和可靠性,提出一种基于动作相关度的行为检测方法.从消息和系统调用角度提取行为特征,根据动作的参数及其执行的上下文环境计算动作参数相关度和上下文相关度,最终计算出动作相关度.动作相关度能够衡量动作之间关联程度,利用动作相关度查找与其相关联的其它动作,把相关联的动作序列组成同一行为与规则库中规则进行对比判定.实验结果表明:利用该方法能够准确描述动作流程,区分出不同的行为,提高了检测的准确性,具有良好的检测性能. Software behavior is consisted of a set of actions in a certain context. Therefore, whether the software behavior is harmful can be conjectured by detecting action sequence. To accurately conjecture and judge software behavior＇s safety and reliability, an action relevance based behavior detection method is proposed in this paper. Behavior features are extracted from the message and system call perspective and action parameter relevance and context relevance are calculated according to the action parameter and its context environment. Finally, action relevance is calculated from the above results. Action relevance can be used to measure the correlation degree between actions. By utilizing action relevance to search correlative actions, the correlative action sequence can be integrated into the same behavior to compare and to judge with the rules in the rule base. Extensive experiment results show that, the proposed method not only can accurately describe action process and distinguish different behaviors, but also has excellent detection performance.

关 键 词： 行为检测 动作相关度 系统调用 入侵检测 软件行为

领　　域： [自动化与计算机技术] [自动化与计算机技术]