ISSN 1000-9825, CODEN RUXUEW E-mail: ******@iscas.
Journal of Software, , , January 2009, −151
doi: . Tel/Fax: +86-10-62562563
© by Institute of Software, the Chinese Academy of Sciences. All rights reserved.
Context-Sensitive Host-Based Intrusion Detection System Based on a Hybrid Model
LI Wen+, DAI Ying-Xia, LIAN Yi-Feng, FENG Ping-Hui
(State Key Laboratory of Information Security, Graduate University of the Chinese Academy of Sciences, Beijing 100049, China)
Context Sensitive Host-Based IDS Using Hybrid Automaton
LI Wen+, DAI Ying-Xia, LIAN Yi-Feng, FENG Ping-Hui
(The State Key Laboratory of Information Security, Graduate University, The Chinese Academy of Sciences, Beijing 100049, China)
+ Corresponding author: E-mail: ******@is.
Li W, Dai YX, Lian YF, Feng PH. Context sensitive host-based IDS using hybrid automaton. Journal of
Software, 2009,20(1):138−152. /1000-9825/
Abstract: A key function of a host-based intrusion detection system is to monitor program execution. Models
constructed by static analysis have the advantage of producing no false alarms; still, they cannot be put into
practice because the model is either imprecise or inefficient. Prior work has shown a trade-off between efficiency
and precision. In particular, models based upon non-deterministic finite state automaton (DFA) are efficient but lack
precision. More accurate models based upon pushdown automaton (PDA) are very inefficient to operate because of
non-determinism in stack activity. The DYCK model, the VPStatic model and IMA use subtle approaches to achieve
more determinism, by extracting information about the program's stack activity, by inserting code to expose program
state, or by inlining the local automaton, but they still cannot solve the problem of indirect call/JMP. This paper presents a
new training-free model (hybrid finite automaton, HFA) that gains more determinism and resolves indirect call/JMP
through a static-dynamic hybrid approach. The results show that at run time these models slowed the execution of
the test programs by 5% to 10%. This paper also compares HFA with some
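The precision gap between finite-automaton and pushdown-automaton program models that the abstract describes can be seen on a small, constructed control-flow graph. The following example is added here and is not code from the paper or its authors; the toy program (a function f that issues one read system call and is invoked from two call sites in main) and all node names are hypothetical. The context-insensitive NFA treats call and return edges as epsilon moves, so a return may land at any return site of the function; the context-sensitive PDA keeps the return site on a stack, which is what lets it reject a system-call sequence that no real execution of the program can produce.

```python
"""Context-insensitive (NFA) vs. context-sensitive (PDA) system-call models.

Added example, not from the paper. The program modelled below is a
hypothetical inter-procedural control-flow graph:

    main: m0 -call f-> (returns to m1) -write-> m2 -call f-> (returns to m3) -execve-> m4
    f:    f0 -read-> f1 -ret->

Every node name and syscall label is constructed for illustration.
"""

SYSCALL_EDGES = {  # node -> (system call observed on this edge, next node)
    "m1": ("write", "m2"),
    "m3": ("execve", "m4"),
    "f0": ("read", "f1"),
}
CALL_EDGES = {  # node -> (entry node of the callee, return site in the caller)
    "m0": ("f0", "m1"),
    "m2": ("f0", "m3"),
}
RET_NODES = {"f1": "f0"}  # return node -> entry node of the function it belongs to
START, FINAL = "m0", "m4"


def return_sites(entry):
    """All return sites of any call to the function with this entry node."""
    return [ret for (callee, ret) in CALL_EDGES.values() if callee == entry]


def nfa_closure(states):
    """Follow call/ret edges as epsilon moves; a ret may go to ANY return site."""
    seen, work = set(), list(states)
    while work:
        s = work.pop()
        if s in seen:
            continue
        seen.add(s)
        if s in CALL_EDGES:
            work.append(CALL_EDGES[s][0])
        if s in RET_NODES:
            work.extend(return_sites(RET_NODES[s]))
    return seen


def nfa_accepts(trace):
    """Context-insensitive model: is the syscall trace consistent with the CFG?"""
    cur = nfa_closure({START})
    for sc in trace:
        nxt = {SYSCALL_EDGES[s][1] for s in cur
               if s in SYSCALL_EDGES and SYSCALL_EDGES[s][0] == sc}
        cur = nfa_closure(nxt)
        if not cur:
            return False
    return FINAL in cur


def pda_closure(configs):
    """Follow call/ret edges while tracking the return-site stack per configuration."""
    seen, work = set(), list(configs)
    while work:
        c = work.pop()
        if c in seen:
            continue
        seen.add(c)
        s, stack = c
        if s in CALL_EDGES:
            callee, ret = CALL_EDGES[s]
            work.append((callee, stack + (ret,)))   # push the return site
        if s in RET_NODES and stack:
            work.append((stack[-1], stack[:-1]))    # return only to the pushed site
    return seen


def pda_accepts(trace):
    """Context-sensitive model: accept only traces whose calls and returns match."""
    cur = pda_closure({(START, ())})
    for sc in trace:
        nxt = set()
        for s, stack in cur:
            if s in SYSCALL_EDGES and SYSCALL_EDGES[s][0] == sc:
                nxt.add((SYSCALL_EDGES[s][1], stack))
        cur = pda_closure(nxt)
        if not cur:
            return False
    return any(s == FINAL and not stack for s, stack in cur)


if __name__ == "__main__":
    legitimate = ["read", "write", "read", "execve"]   # constructed: a real run of the program
    impossible = ["read", "execve"]                    # constructed: enters f at site A, returns to site B
    for name, trace in (("legitimate", legitimate), ("impossible path", impossible)):
        print(f"{name:16s} NFA={nfa_accepts(trace)}  PDA={pda_accepts(trace)}")
```

The PDA simulation keeps a set of (node, stack) configurations rather than a single one, which is exactly the non-determinism in stack activity the abstract refers to: on this toy graph every call site is direct, so the set stays small, but an indirect call whose target cannot be resolved statically would have to push every candidate return site and the configuration set would grow with each unresolved call.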