• Computer Networks and Information Security •

### A Novel Method for Anomaly Detection of User Behavior Based on Shell Commands and DTMC Models

1. (State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing 100049) (Graduate School at Shenzhen, Tsinghua University, Shenzhen 518055) (Key Laboratory of Network Science and Technology, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190) (School of Computer and Information Engineering, Beijing Technology and Business University, Beijing 100037)
• Publication date: 2018-12-01 Release date: 2018-12-01
• Funding:
This work was supported by the National High Technology Research and Development Program of China ("863" Program) (2006AA01Z452) and the National 242 Information Security Program (2005C39).

### Novel Method for Anomaly Detection of User Behavior Based on Shell Commands and DTMC Models

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan

• Online:2018-12-01 Published:2018-12-01

Abstract: This paper presents a novel method for anomaly detection of user behavior based on the discrete-time Markov chain (DTMC) model, which is applicable to intrusion detection systems that use shell commands as audit data. In the training stage, the uncertainty of the user's behavior and the correlation between shell-command operations over short time spans are fully taken into account. The method takes sequences of shell commands as the basic processing units, merges the sequences into sets according to their ordered frequencies, and then constructs the states of the Markov chain from the merged results. In this way it improves the accuracy with which the normal behavior profile is described and its adaptability to variations in the user's behavior, while sharply reducing the number of states and the required storage space. In the detection stage, taking into account both the real-time performance and the accuracy requirements of the detection system, it measures the anomaly degree of the user's behavior by computing the occurrence probabilities of the state sequences, and then provides two schemes, based on the probability stream filtered with a single window or with multiple windows, to classify the user's behavior. The results of our experiments show that this method achieves higher detection performance and practicability than other methods.
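The following Python sketch is an added illustration of the scheme the abstract outlines, not the authors' code. Because the abstract gives no details, the state length (command bigrams), the merge rule (sequences below a frequency threshold share one state), the additive-smoothing constant, the negative-log-probability score and the window sizes are all assumptions; the sample command logs are constructed.

```python
from collections import Counter, defaultdict
from math import log
RARE = ("<RARE>",)  # one merged state shared by all infrequent command sequences

def to_sequences(commands, n=2):
    """Slice a command stream into overlapping length-n sequences (the basic unit)."""
    return [tuple(commands[i:i + n]) for i in range(len(commands) - n + 1)]

class DtmcProfile:
    def __init__(self, n=2, min_count=2, alpha=0.1):
        self.n, self.min_count, self.alpha = n, min_count, alpha
        self.states, self.trans = set(), defaultdict(Counter)

    def _state(self, seq):
        # Sequences below the frequency threshold share one state (assumed merge rule).
        return seq if seq in self.states else RARE

    def train(self, commands):
        """Build the chain's states and transition counts from a normal command log."""
        seqs = to_sequences(commands, self.n)
        self.states = {s for s, c in Counter(seqs).items() if c >= self.min_count}
        for a, b in zip(seqs, seqs[1:]):
            self.trans[self._state(a)][self._state(b)] += 1

    def transition_prob(self, a, b):
        # Additive smoothing so unseen transitions get a small, nonzero probability.
        row, k = self.trans[self._state(a)], len(self.states) + 1
        return (row[self._state(b)] + self.alpha) / (sum(row.values()) + self.alpha * k)

    def anomaly_stream(self, commands):
        """Per-step anomaly degree: negative log probability of each state transition."""
        seqs = to_sequences(commands, self.n)
        return [-log(self.transition_prob(a, b)) for a, b in zip(seqs, seqs[1:])]

    def anomaly_degree(self, commands, window=3, windows=1):
        """Peak score after single-window (windows=1) or multi-window averaging."""
        s = self.anomaly_stream(commands)
        if len(s) < window:
            return 0.0
        per_win = [sum(s[i:i + window]) / window for i in range(len(s) - window + 1)]
        multi = [sum(per_win[max(0, i - windows + 1):i + 1]) / min(windows, i + 1)
                 for i in range(len(per_win))]
        return max(multi)

# Constructed sample data: a repetitive normal profile and two sessions to score.
NORMAL_LOG = ["ls", "cd", "vim", "make"] * 5
NORMAL_SESSION = ["ls", "cd", "vim", "make", "ls", "cd"]
ODD_SESSION = ["ls", "cd", "cat", "sudo", "rm", "make"]
profile = DtmcProfile()
profile.train(NORMAL_LOG)
```

A session is flagged when its peak windowed score exceeds a threshold chosen on held-out normal data; with these constants the normal session scores below 0.1 and the odd session above 2.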

