Affiliations: [1] School of Electronic Science and Engineering, National University of Defense Technology, Changsha 410073, P.R. China; [2] Department of Electronic Engineering, Tsinghua University, Beijing 100084, P.R. China; [3] Research Institute of Beijing Capitel Group Corporation, Beijing 100016, P.R. China; [4] Institute of Computing Technology, Beijing Jiaotong University, Beijing 100029, P.R. China
Source: The Journal of China Universities of Posts and Telecommunications (中国邮电高校学报, English edition), 2006, No. 2, pp. 61-65 and 78 (6 pages)
Funding: This work is supported by the National "863" High Technology Projects of China (86330775) and the Research Foundation of Beijing Capitel Group Corporation (011025).
Abstract: This paper presents a new anomaly detection method based on machine learning. Applicable to host-based intrusion detection systems, this method uses shell commands as audit data. The method employs shell command sequences of different lengths to characterize the behavioral patterns of a network user, and constructs multiple sequence libraries to represent the user's normal behavior profile. In the detection stage, the behavioral patterns in the audit data are mined by a sequence-matching algorithm, and the similarities between the mined patterns and the historical profile are evaluated. These similarities are then smoothed with sliding windows, and the smoothed similarities are used to determine whether the monitored user's behavior is normal or anomalous. Experimental results show that the method achieves higher detection accuracy and shorter detection time than the instance-based method presented by Lane T. The method has been successfully applied in practical host-based intrusion detection systems.
Keywords: intrusion detection; machine learning; anomaly detection; shell command
Classification code: TP393.01 [Automation and Computer Technology: Computer Application Technology]
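The abstract describes a pipeline (multi-length command sequences, one library per length built from a user's historical data, sequence matching of monitored blocks against those libraries, a per-block similarity, sliding-window smoothing, and a threshold decision) without giving its details. The following Python is an added illustration of that pipeline, not the authors' code: the similarity weighting (longer matched sequences count more), the block size, the window length, the threshold, and both command streams are this example's own constructed assumptions, chosen so that a single one-off block is absorbed by the smoothing while a sustained run of unfamiliar commands is flagged.

```python
"""Illustrative anomaly detector over shell-command audit data.

Added example following the outline in the abstract above. The scoring
weights, block size, window and threshold are assumptions of this example,
not the paper's published parameters.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

Library = Dict[int, Set[Tuple[str, ...]]]

# Constructed sample audit data (not from any real audit log): one user's
# historical shell-command stream, taken as the normal behavior profile.
TRAIN_COMMANDS = (
    "ls cd ls vi make ./a.out vi make ./a.out ls cd ls grep vi make ./a.out "
    "cd ls cat less vi make ./a.out ls grep cat vi make ls cd ls"
).split()


def build_libraries(commands: List[str], max_len: int) -> Library:
    """Profile stage: for each length l = 1..max_len collect the distinct
    l-command sequences observed in the historical (normal) data."""
    libs: Library = {l: set() for l in range(1, max_len + 1)}
    for l in libs:
        for i in range(len(commands) - l + 1):
            libs[l].add(tuple(commands[i:i + l]))
    return libs


def block_similarity(block: List[str], libs: Library) -> float:
    """Detection stage, per block: match every sub-sequence of the block
    against the library of its own length. Score = matched weight / total
    weight, with weight = sequence length (assumed here: a longer matched
    sequence is stronger evidence of normal behavior)."""
    total = matched = 0.0
    for l, lib in libs.items():
        for i in range(len(block) - l + 1):
            total += l
            if tuple(block[i:i + l]) in lib:
                matched += l
    return matched / total if total else 0.0


def detect(commands: List[str], libs: Library, block_size: int,
           window: int, threshold: float) -> List[Tuple[int, float, float, bool]]:
    """Cut the monitored stream into consecutive blocks, score each block,
    smooth with a moving average over the last `window` scores, and flag a
    block when the smoothed similarity falls below `threshold`. A trailing
    partial block is ignored. Returns
    (block_index, raw_similarity, smoothed_similarity, is_anomalous)."""
    recent: deque = deque(maxlen=window)
    results = []
    starts = range(0, len(commands) - block_size + 1, block_size)
    for idx, start in enumerate(starts):
        raw = block_similarity(commands[start:start + block_size], libs)
        recent.append(raw)
        smoothed = sum(recent) / len(recent)
        results.append((idx, raw, smoothed, smoothed < threshold))
    return results


# Constructed monitored stream: two normal blocks, one odd block (a one-off
# that smoothing should absorb), two more normal blocks, then three blocks
# of commands the profile has never seen (a sustained deviation).
MONITORED_COMMANDS = (
    "ls cd ls vi make ./a.out "
    "vi make ./a.out ls cd ls "
    "tar gzip scp tar gzip scp "
    "grep vi make ./a.out cd ls "
    "cat vi make ls cd ls "
    "wget chmod ./x nc python ./x "
    "nc python wget chmod ./x nc "
    "python ./x wget nc chmod python"
).split()


if __name__ == "__main__":
    profile = build_libraries(TRAIN_COMMANDS, max_len=3)
    for idx, raw, smoothed, flag in detect(MONITORED_COMMANDS, profile, 6, 3, 0.5):
        state = "ANOMALY" if flag else "normal"
        print(f"block {idx}: raw={raw:.2f} smoothed={smoothed:.2f} {state}")
```

With a window of three blocks, the lone "tar gzip scp" block scores 0.0 on its own but its smoothed value stays at two thirds, so no alarm is raised; the run of unfamiliar commands at the end pushes the smoothed score below the threshold from its second block onward. Thresholding the raw score instead would have fired on the one-off block as well, which is the noise the smoothing step in the abstract is there to suppress.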