关键词: 正常程序行为模型库 事件 满十六叉有序树 异常检测

Abstract:

Program behavior modeling and searching is the key issue of anomaly detection. A method is presented, in which the segment ID and the offset of the program counter （PC）, when system calls are invoked,are used as events. The event sequence set is produced by sliding the window in orderly events, and  a normal behavior model set is built by using full 16-ary ordered trees. A full 16-ary ordered tree is designed for improving the efficiency of storing and searching rule sets. The storage byte sequence in the full 16-ary ordered tree implies the relationship information between nodes. The time complex  ity of searching the rule set for a rule only relates to the depth of the tree, and if the depth of the tree is fixed, the time complexity is OCD. The d  efinition of a full 16-ary ordered tree, its features, its creating and searching algorithms are presented.

Key words: normal program behavior model, event, full 16-ary ordered tree, anomaly detection