Journal of Software, June 2003, 14(6): 1120-1126
P.O. Box 8718, Beijing 100080, China; E-mail: jos@iscas.ac.cn
ISSN 1000-9825, CODEN RUXUEW, CN 11-2560/TP
http://www.jos.org.cn  Copyright © 2003 by The Editorial Department of Journal of Software

A Host-Based Anomaly Intrusion Detection Model Based on Genetic Programming

SU Pu-Rui, LI De-Quan, FENG Deng-Guo



SU Pu-Rui, LI De-Quan, FENG Deng-Guo   (State Key Laboratory of Information Security, Institute of Software, The Chinese Academy of Sciences, Beijing 100080, China)
Author information: SU Pu-Rui was born in 1976. He is a Ph.D. candidate at the Institute of Software, the Chinese Academy of Sciences. His research interest is network security. LI De-Quan was born in 1969. He is a Ph.D. candidate at the Institute of Software, the Chinese Academy of Sciences. His research interest is network security. FENG Deng-Guo was born in 1965. He is a professor and doctoral supervisor at the Institute of Software, the Chinese Academy of Sciences. His research area is information security.
Corresponding author: SU Pu-Rui, Phn: 86-10-62528254 ext 801, Fax 86-10-62520469, E-mail: supurui@263.net
Received 2002-04-22; Accepted 2002-09-17

Abstract
Anomaly detection techniques assume that all intrusive activity deviates from normal behaviour. This paper proposes a new anomaly detection model intended to improve both accuracy and efficiency. The model builds a normal-activity profile from a program's system-call sequences by means of genetic programming. One instance of the model monitors one process: if the model finds that the process's actual system-call sequence pattern deviates from the normal-activity profile, it flags the process as intrusive and takes responsive action. A new method of computing the fitness, together with two operators for generating the next generation, is also given. Compared with some existing models, the proposed model is more accurate and more efficient.
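As an added illustration of the detection framing the abstract describes (a normal profile of system-call sequences, one monitor instance per process, and a flag when the observed pattern deviates), the following Python sketch is not the paper's own code: it uses a plain sliding-window (k-gram) profile in place of the genetic-programming profile, since the paper's fitness function and operators are not given on this page. The daemon traces, PIDs, window length and threshold are constructed for the example.

```python
"""Per-process anomaly detection over system-call sequences (added example).

The normal-activity profile is the set of length-k windows (k-grams) of
system-call names seen while the program ran benignly.  One monitor
instance is attached to each process; when the fraction of windows in
that process's recent trace that are absent from the profile exceeds a
threshold, the process is flagged as intrusive.  This is a sliding-window
profile, not the genetic-programming profile of the paper.
"""
from collections import deque


def windows(trace, k):
    """Return every consecutive k-tuple of system-call names in trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


class SyscallProfile:
    """Normal-activity profile: the set of k-grams observed in training."""

    def __init__(self, k=3):
        self.k = k
        self.normal = set()

    def train(self, trace):
        self.normal.update(windows(trace, self.k))

    def mismatch_rate(self, trace):
        """Fraction of k-grams in trace that never occurred during training."""
        wins = windows(trace, self.k)
        if not wins:                       # trace shorter than k: nothing to judge yet
            return 0.0
        misses = sum(1 for w in wins if w not in self.normal)
        return misses / len(wins)


class ProcessMonitor:
    """One instance per process; judges the last `recent` system calls."""

    def __init__(self, profile, threshold=0.3, recent=12):
        self.profile = profile
        self.threshold = threshold
        self.buf = deque(maxlen=recent)
        self.flagged = False

    def feed(self, syscall):
        self.buf.append(syscall)
        rate = self.profile.mismatch_rate(list(self.buf))
        if rate > self.threshold:
            self.flagged = True            # response (kill, suspend, alert) would go here
        return rate


class HostIDS:
    """Routes each (pid, syscall) event to that process's own monitor."""

    def __init__(self, profile, **monitor_kwargs):
        self.profile = profile
        self.kw = monitor_kwargs
        self.monitors = {}

    def observe(self, pid, syscall):
        mon = self.monitors.setdefault(pid, ProcessMonitor(self.profile, **self.kw))
        return mon.feed(syscall)

    def intrusive_pids(self):
        return sorted(pid for pid, m in self.monitors.items() if m.flagged)


# Constructed sample traces for a hypothetical file-serving daemon
# (not data from the paper).
NORMAL_TRACES = [
    ["accept", "read", "open", "fstat", "mmap", "write", "close", "close"],
    ["accept", "read", "open", "read", "write", "close", "close"],
    ["accept", "read", "stat", "write", "close"],
]
# Hypothetical compromise: the daemon spawns a shell and dials out,
# a call pattern that never occurred in training.
ATTACK_TRACE = ["accept", "read", "execve", "setuid", "dup2", "dup2",
                "socket", "connect"]


def build_profile(k=3):
    profile = SyscallProfile(k)
    for trace in NORMAL_TRACES:
        profile.train(trace)
    return profile


def run_demo():
    """Monitor two processes: pid 101 behaves normally, pid 102 is compromised."""
    ids = HostIDS(build_profile(), threshold=0.3, recent=12)
    for call in NORMAL_TRACES[0]:
        ids.observe(101, call)
    for call in ATTACK_TRACE:
        ids.observe(102, call)
    return ids.intrusive_pids()


if __name__ == "__main__":
    p = build_profile()
    print("normal trace mismatch rate:", p.mismatch_rate(NORMAL_TRACES[0]))
    print("attack trace mismatch rate:", p.mismatch_rate(ATTACK_TRACE))
    print("flagged pids:", run_demo())
```

The mismatch rate is judged over a bounded recent window rather than the whole history, so a process that has run cleanly for hours is still flagged quickly once its call pattern changes; the threshold trades false positives (unseen but benign paths) against detection delay, which is exactly the accuracy/efficiency balance the abstract is concerned with.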

Su PR, Li DQ, Feng DG. A host-based anomaly intrusion detection model based on genetic programming. Journal of Software, 2003,14(6):1120~1126.
http://www.jos.org.cn/1000-9825/14/1120.htm


Abstract (translated from the Chinese)
Anomaly detection techniques assume that all intrusive behaviour deviates from the normal behaviour pattern. This paper attempts to find a new anomaly intrusion detection model that improves accuracy and efficiency. Using the application's system-call sequences, the model establishes a normal behaviour pattern by genetic programming. One instance of the model manages one process. When it finds that the process's actual system-call sequence pattern deviates from the normal behaviour pattern, it marks the process as intrusive and takes emergency measures. The fitness computation method for genetic programming and two basic operators for generating the next generation are also given. By comparison with some existing models, this model has better accuracy and higher efficiency.

Funding: Supported by the National Grand Fundamental Research 973 Program of China under Grant No. G1999035802 (National Key Basic Research and Development Programme, 973); the National Foundation of China for Palmary Youth under Grant No. 60025205 (National Science Fund for Distinguished Young Scholars)

