计算机科学 ›› 2011, Vol. 38 ›› Issue (11): 54-58.

• Computer Networks and Information Security •

A Novel Method for Anomaly Detection of User Behavior Based on Shell Commands and DTMC Models

XIAO Xi, ZHAI Qi-bin, TIAN Xin-guang, CHEN Xiao-juan

  1. (State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing 100049) (Graduate School at Shenzhen, Tsinghua University, Shenzhen 518055) (Key Laboratory of Network Science and Technology, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190) (School of Computer and Information Engineering, Beijing Technology and Business University, Beijing 100037)
  • Online: 2018-12-01 Published: 2018-12-01
  • Funding:
    This work was supported by the National High Technology Research and Development Program of China (863 Program) (2006AA01Z452) and the National 242 Information Security Program (2005C39).

Novel Method for Anomaly Detection of User Behavior Based on Shell Commands and DTMC Models

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan   


Abstract: A novel method for anomaly detection of user behavior based on a discrete-time Markov chain model is proposed, intended mainly for intrusion detection systems that use shell commands as audit data. In the training stage the method fully accounts for the complex and changeable nature of user behavior and for the short-time correlation of the audit data: it takes shell command sequences as the basic data processing unit and determines the states of the Markov chain by merging the sequences in a stepped fashion according to their frequency of occurrence. Compared with existing methods this improves the accuracy of the user behavior profile and the adaptability to changes in user behavior, while greatly reducing the number of states and thus the storage cost. In the detection stage, to meet real-time and accuracy requirements, the degree of anomaly of user behavior is analyzed by computing the occurrence probabilities of state sequences, and two mean-filtering and decision schemes are provided, one based on a fixed window length and one on a variable window length. Experiments show that the method achieves high detection performance and is more practical than comparable methods.

Keywords: Network security, Intrusion detection, Shell command, Anomaly detection, Discrete-time Markov chain

Abstract: This paper presents a novel method for anomaly detection of user behavior based on the discrete-time Markov chain model, which is applicable to intrusion detection systems using shell commands as audit data. In the training period, the uncertainty of the user's behavior and the short-time correlation between shell command operations are fully considered. The method takes sequences of shell commands as the basic processing units. It merges the sequences into sets in terms of their ordered frequencies and then constructs the states of the Markov chain from the merged results. This increases the accuracy of describing the normal behavior profile and the adaptability to variations in the user's behavior, and sharply reduces the number of states and the required storage space. In the detection stage, considering the real-time performance and the accuracy requirements of the detection system, it analyzes the anomaly degree of the user's behavior by computing the occurrence probabilities of the state sequences, and then provides two schemes, based on the probability stream filtered with a single window or with multiple windows, to classify the user's behavior. The results of our experiments show that this method achieves higher detection performance and practicability than others.

Key words: Network security, Intrusion detection, Shell command, Anomaly detection, Discrete-time Markov chain
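The training and detection pipeline the abstract describes, as an added example in Python that is not the authors' code: sequences of shell commands are the processing unit, they are merged by frequency into a small set of states, a smoothed DTMC is estimated over those states, and the stream of transition probabilities is mean-filtered with a fixed window before a threshold decision. The frequency cut-offs, the Laplace smoothing, the UNSEEN state for sequences absent from training, and calibrating the threshold on the training stream are assumptions of this example, not details from the paper; the variable-window scheme is not implemented. The command streams are constructed.

```python
"""Illustrative DTMC anomaly detector over shell-command sequences.
Added example, not the authors' code: merging rule, smoothing and
threshold calibration are assumptions chosen for illustration."""
from collections import Counter

SEQ_LEN = 2        # length of the shell-command sequence used as the basic unit
OWN_STATE_MIN = 5  # sequences seen at least this often each become their own state
MID_STATE_MIN = 2  # sequences seen at least this often (but < OWN_STATE_MIN) share "MID";
                   # rarer training sequences share "RARE"; sequences never seen in
                   # training map to "UNSEEN", which has no trained transitions
MERGED = ("MID", "RARE", "UNSEEN")


def sequences(commands, n=SEQ_LEN):
    """Sliding sequences of n consecutive commands."""
    return [tuple(commands[i:i + n]) for i in range(len(commands) - n + 1)]


def build_states(train_commands):
    """Stepped merging by frequency (assumed rule): frequent sequences keep
    their own state, less frequent ones are pooled, so the state count stays small."""
    state_of = {}
    for seq, count in Counter(sequences(train_commands)).items():
        if count >= OWN_STATE_MIN:
            state_of[seq] = "|".join(seq)
        elif count >= MID_STATE_MIN:
            state_of[seq] = "MID"
        else:
            state_of[seq] = "RARE"
    return state_of


def to_states(commands, state_of):
    """Map a command stream to its DTMC state sequence."""
    return [state_of.get(seq, "UNSEEN") for seq in sequences(commands)]


def train_dtmc(train_commands, state_of, alpha=1.0):
    """Transition matrix with additive (Laplace) smoothing, so transitions
    never seen in training keep a small non-zero probability."""
    states = sorted(set(state_of.values()) | set(MERGED))
    counts = {a: {b: alpha for b in states} for a in states}
    seq = to_states(train_commands, state_of)
    for a, b in zip(seq, seq[1:]):
        counts[a][b] += 1
    trans = {}
    for a, row in counts.items():
        total = sum(row.values())
        trans[a] = {b: v / total for b, v in row.items()}
    return trans


def transition_stream(commands, state_of, trans):
    """Probability of each observed state transition, in order."""
    seq = to_states(commands, state_of)
    return [trans[a][b] for a, b in zip(seq, seq[1:])]


def window_means(stream, window):
    """Fixed-window mean filtering of the probability stream."""
    return [sum(stream[i:i + window]) / window
            for i in range(len(stream) - window + 1)]


def fit(train_commands, window=3, margin=0.9):
    """Build states, estimate the DTMC and calibrate the decision threshold."""
    state_of = build_states(train_commands)
    trans = train_dtmc(train_commands, state_of)
    # Assumed calibration: a window mean below anything the normal training
    # stream produced (with a safety margin) is judged anomalous.
    train_means = window_means(transition_stream(train_commands, state_of, trans), window)
    return {"state_of": state_of, "trans": trans, "window": window,
            "threshold": margin * min(train_means)}


def detect(model, commands):
    """Return (is_anomalous, filtered window means) for a command stream."""
    stream = transition_stream(commands, model["state_of"], model["trans"])
    means = window_means(stream, model["window"])
    return any(m < model["threshold"] for m in means), means


# Constructed sample data: a developer's edit-build loop plus a few extras.
TRAIN = (["ls", "cd", "vim", "make"] * 6
         + ["git", "status", "ls", "cd", "vim", "make"]
         + ["cat", "grep", "cat", "grep", "ls"])
NORMAL_TEST = ["ls", "cd", "vim", "make", "ls", "cd", "vim", "make"]
ODD_TEST = ["tar", "awk", "sed", "find", "xargs", "awk", "sed", "find"]

if __name__ == "__main__":
    model = fit(TRAIN)
    print("states:", sorted(model["trans"]))
    print("normal:", detect(model, NORMAL_TEST))
    print("odd:   ", detect(model, ODD_TEST))
```

On the constructed data the 11 distinct command pairs collapse into 7 states, which is the storage saving the abstract refers to. Two points worth noticing when running it: the fixed-window mean delays the alarm by up to a window length after an odd burst begins, which is the trade-off between noise suppression and detection latency that motivates the paper's second, variable-window scheme; and pooling all rare training sequences into one state makes "rare followed by rare" a learned, moderately probable transition, so never-seen sequences need their own state (UNSEEN here) or a burst of novel commands can score as normal.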
