English

应用科学学报

• 论文 • 上一篇    下一篇

采用shell命令和隐Markov模型进行网络用户行为异常检测

田新广1,2, 段洣毅1,2, 孙春来1, 李文法2
  

  1. 1.北京交通大学 计算技术研究所, 北京 100029
    2.中国科学院 计算技术研究所, 北京 100080
  • 收稿日期:2007-07-20 修回日期:2007-12-03 出版日期:2008-03-31 发布日期:2008-03-31

Detection of Anomalous User Behavior Based on Shell Commands and Hidden Markov Models

TIAN Xing-uang1, 2, DUAN Mi-yi1, 2, SUN Chun-lai1, LI Wen-fa 2
  

  1. 1.Institute of Computing Technology, Beijing Jiaotong University, Beijing 100029)
    2.Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100080)
  • Received:2007-07-20 Revised:2007-12-03 Online:2008-03-31 Published:2008-03-31

被引次数

5

摘要: 异常检测是目前网络入侵检测领域研究的热点内容。提出一种基于shell命令和隐Markov模型(HMM)的网络用户行为异常检测方法,该方法利用shell会话中用户执行的shell命令作为原始审计数据,采用特殊的HMM在用户界面层建立网络合法用户的正常行为轮廓。HMM的训练中采用了运算量较小的序列匹配方法,与传统的Baum-Welch训练算法相比,训练时间有较大幅度的降低。在检测阶段,基于状态序列出现概率对被监测用户当前行为的异常程度进行分析,并考虑到审计数据和用户行为的特点,采用了较为特殊的判决准则。同现有的基于HMM和基于实例学习的检测方法相比,文中提出的方法兼顾了计算成本和检测准确度,特别适用于在线检测。该方法已应用于实际入侵检测系统,并表现出良好的检测性能。

关键词: 入侵检测, 隐Markov模型, 异常检测, shell命令

Abstract: Anomaly detection is an active research topic in network intrusion detection. This paper presents a novel method for detecting anomalous user behavior based on shell commands and hidden Markov models (HMM). The method constructs a specific HMM to represent the normal behavior profile of a network user, and associates classes of user behavior patterns with states of the HMM. The HMM parameters are calculated with a sequence matching algorithm which is much simpler than the classical Baum-Welch algorithm. This reduces computational complexity to a great extent. At the detection stage, a decision rule based on probabilities of short state sequences is adopted, and more than one threshold are used to classify the user behavior. Performance of the method is tested in computer simulation, showing high detection accuracy and efficiency.

Key words: intrusion detection, hidden Markov model, anomaly detection, shell command