Computer Science ›› 2011, Vol. 38 ›› Issue (11): 54-58.


Novel Method for Anomaly Detection of User Behavior Based on Shell Commands and DTMC Models

XIAO Xi, ZHAI Qi-bin, TIAN Xin-guang, CHEN Xiao-juan

  • Online: 2018-12-01   Published: 2018-12-01

Abstract: This paper presents a novel method for anomaly detection of user behavior based on the discrete-time Markov chain (DTMC) model, applicable to intrusion detection systems that use shell commands as audit data. In the training stage, both the uncertainty of the user's behavior and the correlation between shell commands issued within a short time are fully considered. The method takes sequences of shell commands as its basic processing units, merges the sequences into sets according to their ordered frequencies, and then constructs the states of the Markov chain on the merged results. This increases the accuracy with which the normal behavior profile is described and the adaptability to variations in the user's behavior, while sharply reducing the number of states and the required storage space. In the detection stage, taking into account the real-time performance and accuracy requirements of the detection system, the method analyzes the anomaly degree of the user's behavior by computing the occurrence probabilities of the state sequences, and then provides two classification schemes based on the probability stream filtered with a single window or with multiple windows. Experimental results show that this method achieves higher detection performance and practicability than other methods.

Key words: Network security, Intrusion detection, Shell command, Anomaly detection, Discrete-time Markov chain
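The following is an added, self-contained Python illustration of the pipeline the abstract describes (command sequences, frequency-ordered merging into Markov states, transition-probability training, and single-window scoring of the probability stream). It is not the authors' implementation: the sequence length of 2, the merging into three frequency bands plus one "unseen" state, the pseudo-count smoothing, the window size and the threshold are all assumptions made here, and the command streams are constructed sample data. Only the single-window scheme is shown; the multi-window variant mentioned in the abstract is not reproduced.

```python
"""Toy discrete-time Markov chain (DTMC) anomaly detector over shell-command
sequences. Added illustration only, not the paper's implementation: sequence
length, the frequency-band merging rule, the smoothing constant and the
window threshold are assumptions chosen for this example."""
from collections import Counter, defaultdict
import math

# Constructed training data: one user's normal shell-command stream.
TRAIN = ("ls cd ls cat vim ls cd ls cat vim ls grep cat ls cd vim cat ls ls cd "
         "grep cat vim ls cd ls cat ls vim cd ls cat grep").split()
# Constructed test sessions: a normal one and one that turns unusual.
NORMAL_SESSION = "ls cd ls cat vim ls cd ls cat vim ls grep cat ls".split()
ANOMALOUS_SESSION = "ls cd ls cat wget chmod nc bash wget chmod nc bash".split()

SEQ_LEN = 2            # length of each command sequence (assumption)
N_STATES = 3           # frequency bands the sequences are merged into (assumption)
RARE_STATE = N_STATES  # extra state for sequences never seen in training
ALPHA = 0.1            # pseudo-count for smoothing unseen transitions (assumption)


def sequences(commands, n=SEQ_LEN):
    """Slide a window of length n over the command stream."""
    return [tuple(commands[i:i + n]) for i in range(len(commands) - n + 1)]


def build_states(train, n_states=N_STATES):
    """Order sequences by training frequency and merge them into n_states bands.
    Each band is one Markov state, so the state count does not grow with the
    number of distinct sequences (ties keep first-occurrence order)."""
    counts = Counter(sequences(train))
    ranked = [seq for seq, _ in counts.most_common()]
    band = max(1, math.ceil(len(ranked) / n_states))
    return {seq: min(i // band, n_states - 1) for i, seq in enumerate(ranked)}


def to_states(commands, state_of):
    """Map a command stream to its state sequence; unseen sequences -> RARE_STATE."""
    return [state_of.get(seq, RARE_STATE) for seq in sequences(commands)]


def train_dtmc(train, state_of, n_states=N_STATES + 1, alpha=ALPHA):
    """Transition probabilities with add-alpha smoothing so that transitions never
    observed in training (including those into the rare state) keep a small,
    non-zero probability instead of making the log-probability infinite."""
    trans = defaultdict(Counter)
    states = to_states(train, state_of)
    for a, b in zip(states, states[1:]):
        trans[a][b] += 1
    probs = {}
    for a in range(n_states):
        total = sum(trans[a].values()) + alpha * n_states
        probs[a] = {b: (trans[a][b] + alpha) / total for b in range(n_states)}
    return probs


def transition_logprobs(session, state_of, probs):
    """The probability stream: log-probability of each state transition."""
    states = to_states(session, state_of)
    return [math.log(probs[a][b]) for a, b in zip(states, states[1:])]


def anomaly_score(session, state_of, probs, window=4):
    """Single-window scheme (assumption): mean log-probability over the worst
    window of consecutive transitions. Lower means more anomalous."""
    stream = transition_logprobs(session, state_of, probs)
    if len(stream) < window:
        return sum(stream) / max(1, len(stream))
    return min(sum(stream[i:i + window]) / window
               for i in range(len(stream) - window + 1))


def classify(session, state_of, probs, threshold):
    """Flag the session when its worst-window score falls below the threshold."""
    return "anomalous" if anomaly_score(session, state_of, probs) < threshold else "normal"


if __name__ == "__main__":
    state_of = build_states(TRAIN)
    probs = train_dtmc(TRAIN, state_of)
    for name, sess in (("normal", NORMAL_SESSION), ("anomalous", ANOMALOUS_SESSION)):
        print(name, round(anomaly_score(sess, state_of, probs), 3),
              classify(sess, state_of, probs, threshold=-1.5))
```

With the constructed data the 15 distinct bigrams collapse into 3 states plus the rare state, the normal session's worst window scores about -0.9 and the anomalous session's about -2.4 (the transition from a known state into the rare state dominates), so a threshold of -1.5 separates them. In practice the threshold and window would be chosen from held-out normal sessions, since they trade false alarms against detection delay.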
