基于模式挖掘的用户行为异常检测算法  被引量：15

作　　者：宋海涛[1] 韦大伟[1] 汤光明[1] 孙怡峰[1] 

机构地区：[1]信息工程大学,郑州450001

出　　处：《小型微型计算机系统》2016年第2期221-226,共6页Journal of Chinese Computer Systems

基　　金：河南省科技攻关计划项目(122102210047)资助

摘　　要：为了解决恶意终端用户行为的安全管控问题,针对用户行为的规律性、偶然性、多重复性的特点,提出一种基于模式挖掘的用户行为异常检测算法.该算法针对单个用户行为序列,包括序列模式挖掘和模式比较两个过程.序列模式挖掘应用滑动时间窗口界定事务策略和首项固定策略,挖掘出用户的行为模式;通过模式比较计算的相关度,综合了当前行为模式与正常行为模式相比较的连接度、匹配度两个因素,当模式比较结果处于可评判区间,便可以给出异常检测的确定性结果.实验结果表明,由本文序列模式挖掘过程获得的用户行为模式更贴合用户的实际操作情况;模式比较得到的相关度能够区分正常行为与异常行为,有效地实现用户行为的异常检测.Anomaly detection of single user behaviors based on pattern mining acts as the major approach to control the security of in- tranet. Because normal user behaviors have three features ： regularity, contingency and multi-repeatability, we cannot distinct normal us- er behaviors from abnormal user behaviors easily. It＇s difficult to manage malicious internal user behaviors. Thus, constructing normal usage patterns is a real trouble. Let alone the pattern comparison. Aiming at solving this problem, this paper proposes an anomaly de- tection algorithm of single user behaviors. The algorithm aims at a certain host user. And it comprises of two steps： sequential pattern mining and pattern comparison. Sequential pattern mining adopts the sliding time-fixed window strategy and the first-term-fixed strate- gy to discover hidden regular patterns from large amount of normal history behavior audit data;in pattern comparison, we define corre- lation degree to quantify the anomaly detection result. Correlation degree which mixes connection degree and matching degree can give the certain conclusion when its value is interpretable. In order to verify the effectiveness and rationality of the anomaly detection algo- rithm, we collect large amount of normal behaviors audit data, and simulate some anomalous behaviors. Experimental results show that the algorithm can mine the normal behaviors patterns efficiently and the normal behaviors patterns are more acceptable;correlation de- gree calculated by pattern comparison can distinguish normal behaviors and anomalous behaviors.

关 键 词：序列模式 数据挖掘 单用户行为 异常检测 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]