Anomaly detection method and device

An anomaly detection technology, applied in the field of communication, which addresses problems such as the small number of identifiable patterns.

Inactive Publication Date: 2017-09-12
ZTE CORP

AI Technical Summary

Problems solved by technology

[0006] The present invention provides an anomaly detection method and device to at least solve the problem of few identifiable patterns.

Examples


Embodiment 1

[0038] In this embodiment, an anomaly detection method is provided. FIG. 1 is a flow chart of anomaly detection according to an embodiment of the present invention. As shown in FIG. 1, the process includes the following steps:

[0039] Step S102, obtaining the fuzzy feature pattern of the system call sequence, and adding the fuzzy feature pattern to the feature pattern library;

[0040] It should be noted that the aforementioned fuzzy feature pattern is a feature pattern that includes a definite pattern and a fuzzy pattern. The definite pattern refers to a feature pattern formed by multiple system calls in a definite order. For example, if the system call sequence l∈C and l is composed of a group of system calls in a definite order, then l is a definite pattern, where C is the feature pattern library, a set composed of feature patterns. The fuzzy pattern represents the feature pattern of a class of system call sequences, for example, if ...

Embodiment 2

[0105] In this embodiment, an abnormality detection device is also provided, which is used to implement the above embodiments and preferred implementation modes, and what has been described will not be repeated. As used below, the term "module" may be a combination of software and / or hardware that realizes a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementations in hardware, or a combination of software and hardware are also possible and contemplated.

[0106] FIG. 4 is a structural block diagram of an abnormality detection device according to an embodiment of the present invention. As shown in FIG. 4, the device includes:

[0107] 1) The first processing module 42 is used to obtain the fuzzy feature pattern of the system call sequence, and add the fuzzy feature pattern to the feature pattern library, wherein the fuzzy feature pattern is a feature pattern including a definite patt...

Embodiment 3

[0151] The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the above-mentioned storage medium may be configured to store program codes for performing the following steps:

[0152] S1. Obtain the fuzzy feature pattern of the system call sequence, and add the fuzzy feature pattern to the feature pattern library, where the fuzzy feature pattern is a feature pattern including a definite pattern and a fuzzy pattern, the definite pattern represents a feature pattern formed by a plurality of system calls in a definite order, and the fuzzy pattern represents a feature pattern of a type of system call sequence;

[0153] S2, matching the system call sequence of the training set with the feature patterns included in the feature pattern library, and obtaining the state sequence corresponding to the system call sequence of the training set according to the rules corresponding to the matching result;

[0154] S3, using the state sequence to t...


Abstract

The invention provides an anomaly detection method and device. The method comprises the following steps: fuzzy feature patterns of a system call sequence are obtained and added to a feature pattern library, wherein a fuzzy feature pattern is a feature pattern that includes a definite pattern and a fuzzy pattern, the definite pattern represents a feature pattern formed by multiple system calls in a definite order, and the fuzzy pattern represents a feature pattern of a type of system call sequence; the system call sequences of a training set are matched against the feature patterns in the feature pattern library, and the state sequences corresponding to the system call sequences of the training set are obtained according to the rules corresponding to the matching results; the state sequences are used to train a Markov model, yielding a trained Markov model; and the trained Markov model is used to detect anomalies in the system call sequences to be detected. The method and device solve the problem in the related art that few pattern types can be recognized because anomaly detection is performed with definite feature patterns only.
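The four steps of the abstract (pattern library, matching to a state sequence, Markov training, scoring) as an added Python example; it is not code from the patent. The wildcard encoding of a fuzzy pattern, the `other` state for unmatched calls, the smoothing constant, the threshold and the sample traces are all assumptions constructed for illustration.

```python
import math
from collections import defaultdict
ANY = None           # wildcard slot: assumed encoding of a fuzzy pattern
UNMATCHED = "other"  # assumed rule: a call covered by no pattern gets this state
# Constructed feature pattern library; the pattern name doubles as the state label.
LIBRARY = {
    "open_read_close": ("open", "read", "close"),   # definite pattern
    "sock_send": ("socket", "connect", "write"),    # definite pattern
    "open_x_close": ("open", ANY, "close"),         # fuzzy pattern
}
STATES = list(LIBRARY) + [UNMATCHED]

def to_states(calls):
    """Greedy left-to-right matching; definite patterns are tried before fuzzy ones."""
    ordered = sorted(LIBRARY.items(), key=lambda kv: ANY in kv[1])
    states, i = [], 0
    while i < len(calls):
        for name, pat in ordered:
            window = calls[i:i + len(pat)]
            if len(window) == len(pat) and all(p in (ANY, c) for p, c in zip(pat, window)):
                states.append(name)
                i += len(pat)
                break
        else:  # no pattern starts at this call
            states.append(UNMATCHED)
            i += 1
    return states

def train(state_seqs, alpha=0.1):
    """First-order Markov chain over STATES with additive smoothing."""
    counts = defaultdict(lambda: defaultdict(float))
    for seq in state_seqs:
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    norm = {a: sum(counts[a].values()) + alpha * len(STATES) for a in STATES}
    return {a: {b: (counts[a][b] + alpha) / norm[a] for b in STATES} for a in STATES}

def score(model, states):
    """Mean negative log-likelihood per transition; higher is more anomalous."""
    pairs = list(zip(states, states[1:]))
    return sum(-math.log(model[a][b]) for a, b in pairs) / max(len(pairs), 1)

# Constructed traces of normal behaviour, not real audit data.
TRAIN = ["open read close open mmap close socket connect write".split(),
         "open read close socket connect write open fstat close".split()]
MODEL = train([to_states(t) for t in TRAIN])

def is_anomalous(calls, threshold=1.0):  # threshold is an assumed tuning value
    return score(MODEL, to_states(calls)) > threshold
```

The fuzzy pattern lets `open, stat, close` map to a known state even though that exact sequence never appeared in training, which is the recognition gain the abstract attributes to fuzzy patterns.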

Description

Technical field

[0001] The present invention relates to the communication field, and in particular to an anomaly detection method and device.

Background

[0002] In related technologies, many local and remote attacks and intrusions over the Internet exploit key programs that have vulnerabilities. Attacks against these critical programs are the main means of intrusion into a system. Intrusion detection technology detects intrusions into a system by analyzing the system information retained in the computer and the information generated by user behavior in the system. Intrusion detection technology is divided into misuse detection and anomaly detection. Misuse detection detects intrusions by analyzing knowledge about intrusions or attacks. The disadvantage of misuse detection is that it is difficult to detect new intrusion methods or variations of some intrusion methods. Also, its performance is relate...


Application Information

IPC(8): G06F11/07
CPC: G06F11/07, G06F11/0751
Inventor: 左焘
Owner: ZTE CORP