School of Electrical Engineering, Beijing Jiaotong University, Beijing 100044, China
Received: 26 June 2023; Revised: 01 August 2023; Published: 10 November 2023
Citation: WANG Xue, WANG Lide, WANG Biao, et al. An intrusion detection method based on system call sequence for train-mounted host devices[J]. Electric Drive for Locomotives, 2023(6): 106-113. DOI: 10.13890/j.issn.1000-128X.2023.06.013.
Abstract: The host devices inside a train run an embedded Linux operating system, and every external application has to enter the kernel through system calls. As the train communication network becomes more compatible and more open, the train-mounted host devices face a growing risk of cyberattacks. When an attack occurs, the malicious program likewise interacts with the kernel through system calls and leaves a corresponding trace, so intrusion detection for train-mounted host devices can be built on the system call sequence. This paper analyses the structure of the Linux system and the principle of system call sequences, designs a raw-data feature processing chain consisting of feature extraction, bag-of-words processing, inverse-frequency processing and dimension reduction, and builds an intrusion detection model based on Grid Search-K-Nearest Neighbor (GS-KNN). The experimental results show that the proposed method reaches an accuracy of 96.62%, holds an advantage over other lightweight algorithms, and can detect network intrusions effectively.
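To make the processing chain in the abstract concrete, the following Python is an added example written for this page; it is not the authors' implementation and not drawn from their dataset. It walks a handful of constructed system-call traces through n-gram feature extraction, bag-of-words counting, TF-IDF (inverse-frequency) weighting and a K-nearest-neighbour classifier whose k is chosen by grid search with leave-one-out cross-validation. The trace contents, the choice of bigrams, cosine distance, the candidate k values and the omission of the paper's dimension-reduction (PCA) step are all assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample system-call traces (hypothetical, not the paper's dataset).
# Label 0 = normal application behaviour, 1 = behaviour the detector should flag.
TRACES = [
    (["open", "read", "read", "write", "close"], 0),
    (["open", "read", "write", "close", "open", "read", "close"], 0),
    (["mmap", "open", "read", "close", "munmap"], 0),
    (["open", "fstat", "read", "write", "close"], 0),
    (["read", "write", "read", "write", "close"], 0),
    (["open", "mmap", "read", "close", "munmap"], 0),
    (["socket", "connect", "dup2", "dup2", "execve"], 1),
    (["socket", "bind", "listen", "accept", "dup2", "execve"], 1),
    (["execve", "socket", "connect", "write", "execve"], 1),
    (["socket", "connect", "execve", "chmod", "execve"], 1),
    (["open", "write", "chmod", "execve", "socket"], 1),
    (["mprotect", "socket", "connect", "execve", "dup2"], 1),
]


def ngram_bag(seq, n=2):
    """Feature extraction + bag-of-words: count each n-gram of consecutive syscalls."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def fit_idf(bags):
    """Smoothed inverse document frequency over the training bags."""
    n_docs = len(bags)
    df = Counter(g for bag in bags for g in bag)
    return {g: math.log((1 + n_docs) / (1 + d)) + 1.0 for g, d in df.items()}


def tfidf_vector(bag, idf):
    """TF-IDF weighting; n-grams never seen in training carry no weight."""
    total = sum(bag.values()) or 1
    return {g: (c / total) * idf[g] for g, c in bag.items() if g in idf}


def cosine_distance(a, b):
    """1 - cosine similarity of two sparse vectors; 1.0 when either is empty."""
    dot = sum(w * b.get(g, 0.0) for g, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return 1.0 if na == 0.0 or nb == 0.0 else 1.0 - dot / (na * nb)


def knn_predict(train, x, k):
    """Majority vote among the k nearest training vectors (use odd k to avoid ties)."""
    nearest = sorted(train, key=lambda tv: cosine_distance(tv[0], x))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def grid_search_k(train, ks):
    """Grid search over k using leave-one-out cross-validation.
    Returns (best_k, accuracy_by_k); ties favour the smaller k."""
    scores = {}
    for k in ks:
        correct = 0
        for i, (x, y) in enumerate(train):
            held_out = train[:i] + train[i + 1:]
            correct += int(knn_predict(held_out, x, k) == y)
        scores[k] = correct / len(train)
    best_k = max(ks, key=lambda k: (scores[k], -k))
    return best_k, scores


def build_detector(traces=TRACES, n=2, ks=(1, 3, 5)):
    """Whole chain: n-gram bags -> IDF -> TF-IDF vectors -> grid-searched KNN.
    IDF is fitted once on all training traces before the cross-validation loop
    (a simplification; a strict evaluation would refit it inside each fold)."""
    bags = [ngram_bag(seq, n) for seq, _ in traces]
    idf = fit_idf(bags)
    train = [(tfidf_vector(bag, idf), label) for bag, (_, label) in zip(bags, traces)]
    best_k, scores = grid_search_k(train, ks)

    def classify(seq):
        return knn_predict(train, tfidf_vector(ngram_bag(seq, n), idf), best_k)

    return classify, best_k, scores


if __name__ == "__main__":
    classify, best_k, scores = build_detector()
    print("accuracy by k:", scores, "-> chosen k =", best_k)
    print("open/read/write/close ->", classify(["open", "read", "write", "close"]))
    print("socket/connect/execve ->", classify(["socket", "connect", "execve"]))
```

On a real host the traces would come from a tracer such as strace or auditd rather than from the constructed list above, and the vocabulary of n-grams grows quickly with the window size, which is exactly why the paper inserts a dimension-reduction step before the classifier. Note also that an unseen trace whose n-grams all fall outside the training vocabulary has an empty vector and a distance of 1.0 to everything, so in practice such traces should be flagged for review rather than silently assigned a label.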
Keywords: system call; intrusion detection; KNN; train-mounted host devices