A Novel Method for Anomaly Detection of User Behavior Based on Shell Commands and DTMC Models

Cited by: 2

Authors: 肖喜 [1,2], 翟起滨 [1], 田新广 [3], 陈小娟 [4]

Affiliations: [1] State Key Laboratory of Information Security, Graduate University of the Chinese Academy of Sciences, Beijing 100049; [2] Graduate School at Shenzhen, Tsinghua University, Shenzhen 518055; [3] Key Laboratory of Network Science and Technology, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190; [4] School of Computer and Information Engineering, Beijing Technology and Business University, Beijing 100037

Published in: Computer Science (计算机科学), 2011, No. 11, pp. 54-58 and 82 (6 pages)

Funding: National High-Tech Research and Development Program of China ("863" Program) project 2006AA01Z452; National 242 Information Security Program project 2005C39

Abstract: This paper presents a novel method for anomaly detection of user behavior based on the discrete-time Markov chain (DTMC) model, intended for intrusion detection systems that use shell commands as audit data. In the training stage, the method takes account of the complex and changeable nature of user behavior and of the short-term correlation within the audit data. It treats sequences of shell commands as the basic processing unit, merges the sequences into sets according to their ranked occurrence frequencies in a stair-step fashion, and constructs the states of the Markov chain from the merged sets. Compared with existing methods, this improves the accuracy of the normal-behavior profile and its adaptability to changes in user behavior, while sharply reducing the number of states and the storage required. In the detection stage, to meet real-time and accuracy requirements, the method measures the anomaly degree of user behavior by computing the occurrence probabilities of state sequences, and provides two mean-filtering and decision schemes, one based on a fixed window length and one on a variable window length, to classify the behavior. Experiments show that the method achieves high detection performance and better practicability than comparable methods.

Keywords: network security; intrusion detection; shell commands; anomaly detection; discrete-time Markov chain

CLC number: TP393.08 [Automation and Computer Technology / Computer Application Technology]
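The abstract outlines the pipeline but not its parameters. The following Python script is an added illustration of that pipeline and is not the paper's code: it slides a fixed-length window over a shell-command audit stream, merges the resulting sequences into DTMC states by frequency band (the stair-step merge), trains a transition matrix with add-one smoothing, scores a session by the log-probability of its state transitions, and applies the fixed-window mean-filter decision. The sequence length, the merge rule (`top_k` and `bands`), the smoothing, the window length, the threshold and all command data are assumptions constructed here; the paper's variable-window scheme is not reproduced.

```python
"""Added example, not the paper's code: a small DTMC anomaly detector over
shell-command sequences.  All parameters and data below are assumptions."""
from collections import Counter, defaultdict
from math import log

SEQ_LEN = 2          # assumed length of the command sequence used as a unit
UNSEEN = "UNSEEN"    # state for sequences never observed in training


def sequences(commands, n=SEQ_LEN):
    """Slide a length-n window over the audited command stream."""
    return [tuple(commands[i:i + n]) for i in range(len(commands) - n + 1)]


def build_states(train_seqs, top_k=4, bands=(3, 2)):
    """Stair-step merge (assumed rule): the top_k most frequent sequences each
    become their own state; every other sequence is pooled into one state per
    frequency band (count >= bands[0], count >= bands[1], ..., below the last)."""
    counts = Counter(train_seqs)
    ranked = [seq for seq, _ in counts.most_common()]
    state_of = {seq: seq for seq in ranked[:top_k]}
    for seq in ranked[top_k:]:
        band = next((i for i, thr in enumerate(bands) if counts[seq] >= thr),
                    len(bands))
        state_of[seq] = f"MERGED_{band}"
    return state_of


def to_states(seqs, state_of):
    """Map command sequences to chain states; unknown sequences share one state."""
    return [state_of.get(seq, UNSEEN) for seq in seqs]


def train_dtmc(states):
    """Estimate the transition matrix with add-one smoothing so that a transition
    never seen in training gets a small non-zero probability (log stays finite)."""
    alphabet = list(dict.fromkeys(list(states) + [UNSEEN]))
    trans = defaultdict(Counter)
    for a, b in zip(states, states[1:]):
        trans[a][b] += 1
    k = len(alphabet)
    return {a: {b: (trans[a][b] + 1) / (sum(trans[a].values()) + k)
                for b in alphabet} for a in alphabet}


def log_prob_stream(states, probs):
    """Per-step log-probability of the observed state transitions."""
    return [log(probs[a][b]) for a, b in zip(states, states[1:])]


def fixed_window_flags(scores, window=4, threshold=-1.5):
    """Mean-filter the stream over consecutive fixed-length windows and flag a
    window whose mean log-probability falls below the threshold."""
    return [sum(scores[i:i + window]) / window < threshold
            for i in range(0, len(scores) - window + 1, window)]


# Constructed audit data: habitual edit/build and git cycles plus one rare detour.
EDIT_CYCLE = ["ls", "cd", "vim", "make", "./run"]
GIT_CYCLE = ["git status", "git diff", "git commit"]
TRAIN = EDIT_CYCLE * 6 + GIT_CYCLE * 4 + ["cat", "grep", "less"]
NORMAL_SESSION = EDIT_CYCLE * 3
ODD_SESSION = EDIT_CYCLE + ["tar", "scp", "python", "awk", "sed", "tar"]

STATE_OF = build_states(sequences(TRAIN))
PROBS = train_dtmc(to_states(sequences(TRAIN), STATE_OF))


def detect(session, window=4, threshold=-1.5):
    """Score an audited session against the trained chain and return one
    anomaly flag per fixed-length window."""
    stream = log_prob_stream(to_states(sequences(session), STATE_OF), PROBS)
    return fixed_window_flags(stream, window, threshold)


if __name__ == "__main__":
    print("states:", len(set(STATE_OF.values())), "for", len(STATE_OF), "sequences")
    print("normal session flags:", detect(NORMAL_SESSION))
    print("odd session flags:", detect(ODD_SESSION))
```

With this data the 12 distinct bigrams collapse to 6 states, the habitual session raises no flag, and the second window of the unusual session (four transitions between never-seen sequences) is flagged. The threshold and window are the tuning knobs a deployment would set from the false-positive rate measured on held-out normal sessions.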
