System call behavior sequence dimension reduction method, system and device and storage medium

Abstract

The invention relates to the technical field of computer security, in particular to a word vector-based system call behavior sequence dimension reduction method, a system, electronic equipment and a storage medium. The method comprises the steps of capturing a system call behavior mode and obtaining parameters corresponding to the system call behavior mode; when a group of system call behavior sequences with the length of W is obtained, performing dimension reduction processing on the system call behavior sequences according to a word vector coding model to obtain system call behavior word vector sequences with the dimension of a preset dimension N; performing average operation on the N-dimensional system call behavior word vector sequence to obtain a system call behavior pattern feature word vector F. According to the word vector-based system call behavior sequence dimension reduction method, the system, the electronic equipment and the storage medium, representative sequence featurescan be automatically captured, the dimension of the system call behavior sequence is effectively reduced, and the accuracy and the calculation rate of subsequent machine learning can be improved.

Description

technical field [0001] The present invention relates to the technical field of computer security, in particular to a method, system, electronic device and storage medium for dimensionality reduction of system call behavior sequences based on word vectors. Background technique [0002] At present, most of the defense methods for abnormal system call intrusion detection products on the market can only detect network attack behaviors that have been clearly analyzed and understood by artificially defining rule bases, while some methods are transformed or targeted at existing Attacks with minor modifications often become one of the weaknesses of abnormal system call intrusion detection, let alone for unknown attacks, such detection methods are even more powerless. [0003] Another artificial intelligence-based abnormal system call intrusion detection product uses One Class SVM (abnormality detection) as the main body to automatically summarize the behavior patterns of normal user...

AI Technical Summary

Problems solved by technology

[0004] However, with the advent of the era of big data and artificial intelligence, One Class SVM can effectively summarize the behavior patterns of normal users or normal programs, in embedded systems or chips It will become more and more difficult to implement. The main reason is that the dimension of the system call behavior sequence will become larger and larger with the development of artificial intelligence-assisted attack methods and big data. For example: One Class SVM classification The method is an O(n2) algorithm, that is, the calculation time complexity will show a quadratic relationship with the dimension of the system call behavior sequence

In other words, an excessively large system call behavior sequence dimension is extremely unfavorable for real-time processing of embedded systems or chips with low computing power.

That is to say, an excessively large system call behavior sequence dimension is extremely unfavorable for real-time processing of embedded systems or chips with low computing power, but if the system call behavior sequence dimensionality reduction is performed by manual means, it may be too subjective and Incomplete, which further leads to a serious impact on the detection accuracy of the system

Images