In recent years, Forrest et al. Proposed that the system call short sequence of a certain length of the process is generated in normal operation, the process of patterning the process is normal. [1]. Lee et al. FORREST work, apply the Ripper package [2], from the system Call the normal and exception mode in the sequence, describe the system's operating state in the form of rules, establish a more concise and effective system normal model [3]. Wespi et al. On the basis of FORREST's fixed length short sequence idea, proposing Long sequences to portray the process of the process, and use experiments to prove that this model has a better detection effect [4]. Asaka et al. Proposed a DISCRIMINANTMETHOD intrusion detection method, by calling the pre-calibrated normal and exception system Sequence sample learning, determine a optimal classification, based on this classification, determining the system call sequence is normal or abnormal [5]. Document: [1] Forrest S, HofmeyR Sa et al. A Sense of Self for UNIX Processes. [2] Cohen W W. Fast Effective Rule Induction. [3] Lee W, Stolfo S, Chan P. Learning Patterns from UNIX Process Execution Traces for Intrusion Detection. [4] WESPI A, DACIER M et al Intrusion Detection Using Variable-Length Audit Trail Patterns. [5] Asaka M, Qnabuta T, INOUE T, Okazawa S, Gotos. A New Intrusion Detection Method Based on Discriminant Analysis.
