To address the high computational cost of hidden Markov models (HMMs), this paper presents an efficient HMM-based anomaly detection method for system-call traces. It exploits the local regularity of system-call execution traces: distinct short sequences are first extracted from normal traces, and a normal program behaviour model is built with an improved HMM (IHMM) training algorithm that avoids recomputing the many identical short sequences. At detection time, the test trace is split into short sequences with a sliding window and each short sequence is scored against the normal model; a short sequence is treated as a mismatch when its output probability falls below a preset threshold. The process is judged anomalous from the percentage of mismatched short sequences among all short sequences in the trace. Experimental results show that training takes about 1% of the time of the conventional training method, and that detection performance remains stable as the threshold varies over a wide range. The method therefore substantially reduces training time and computational overhead and is practical for real deployments.
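As an added worked example (not code from the paper; the HMM parameters, the five-symbol system-call alphabet and the sample traces are constructed for illustration), the following Python sketch implements the detection stage described above: sliding-window segmentation, per-window scoring with the forward algorithm against a log-probability threshold, memoised scoring of distinct windows, and the process-level mismatch ratio. `distinct_windows` shows the deduplication that the IHMM training idea relies on; a full Baum-Welch trainer is not included.

```python
import math
from collections import Counter

# Toy system-call alphabet and HMM parameters. These are constructed for
# illustration; the paper's trained model and its real alphabet are not given.
SYSCALLS = ["open", "read", "write", "close", "execve"]
SYM = {name: idx for idx, name in enumerate(SYSCALLS)}

PI = [0.5, 0.5]                          # initial state distribution
A = [[0.7, 0.3],                         # state transition matrix
     [0.4, 0.6]]
B = [[0.5, 0.5, 0.0, 0.0, 0.0],          # state 0 emits open/read
     [0.0, 0.0, 0.5, 0.5, 0.0]]          # state 1 emits write/close
# "execve" has zero emission probability in both states: it never appeared in
# the (constructed) normal training data, so any window containing it scores 0.


def windows(trace, k):
    """Split a trace into its length-k short sequences with a sliding window."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def distinct_windows(trace, k):
    """Distinct short sequences and their multiplicities.

    Training on this table instead of on every window is the saving the paper
    describes: each distinct sequence is processed once and weighted by count.
    """
    return Counter(windows(trace, k))


def forward_log_prob(obs):
    """log P(obs | HMM) via the forward algorithm.

    Probabilities stay in the linear domain, which is fine for short windows
    (k of a few to ~10); longer sequences would need scaling or log-space
    arithmetic. Returns -inf for sequences the model cannot emit at all.
    """
    n = len(PI)
    alpha = [PI[i] * B[i][SYM[obs[0]]] for i in range(n)]
    for o in obs[1:]:
        j = SYM[o]
        alpha = [sum(alpha[i] * A[i][s] for i in range(n)) * B[s][j]
                 for s in range(n)]
    p = sum(alpha)
    return math.log(p) if p > 0.0 else float("-inf")


def abnormal_ratio(trace, k, log_threshold):
    """Fraction of short sequences whose log-probability is below the threshold.

    Scores are memoised per distinct window, so a trace with many repeated
    sequences costs one forward pass per distinct sequence, not per window.
    """
    ws = windows(trace, k)
    if not ws:
        raise ValueError("trace shorter than window length")
    scores = {}
    mismatched = 0
    for w in ws:
        if w not in scores:
            scores[w] = forward_log_prob(w)
        if scores[w] < log_threshold:
            mismatched += 1
    return mismatched / len(ws)


def is_anomalous(trace, k, log_threshold, ratio_threshold):
    """Process-level decision: flag when the mismatch ratio exceeds the limit."""
    return abnormal_ratio(trace, k, log_threshold) > ratio_threshold


# Constructed sample traces (not real captures).
NORMAL_TRACE = ["open", "read", "write", "close"] * 2
MIXED_TRACE = ["open", "read", "write", "close", "execve", "open", "read", "write"]

if __name__ == "__main__":
    print(distinct_windows(NORMAL_TRACE, 3))
    for name, trace in [("normal", NORMAL_TRACE), ("mixed", MIXED_TRACE)]:
        for thr in (-8.0, -6.0, -5.0):
            print(name, thr, abnormal_ratio(trace, 3, thr))
```

With this toy model every normal window of length 3 scores between about -4.5 and -4.0 in log-probability while any window containing the unseen `execve` scores -inf, so the mismatch ratio is identical for every threshold in a wide band (here anywhere below -4.5): that is the threshold-stability property the abstract reports, visible in miniature.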