摘要
This paper presents a new anomaly detection method based on machine learning. Applicable to host-based intrusion detection .systems, this method uses shell commands as audit data. The method employs shell command sequences of different lengths to characterize behavioral patterns of a network user, and constructs multiple sequence libraries to represent the user's normal behavior profile. In the detection stage, the behavioral patterns in the audit data are mined by a sequence-matching algorithm, and the similarities between the mined patterns and the historical profile are evaluated. These similarities are then smoothed with sliding windows, and the smoothed similarities are used to determine whether the monitored user's behaviors are normal or anomalous. The results of our experience show the method can achieve higher detection accuracy and .shorter detection time than the instance-based method presented by Lane T. The method has been successfully applied in practical host-based intrusion detection systems.
This paper presents a new anomaly detection method based on machine learning. Applicable to host-based intrusion detection .systems, this method uses shell commands as audit data. The method employs shell command sequences of different lengths to characterize behavioral patterns of a network user, and constructs multiple sequence libraries to represent the user's normal behavior profile. In the detection stage, the behavioral patterns in the audit data are mined by a sequence-matching algorithm, and the similarities between the mined patterns and the historical profile are evaluated. These similarities are then smoothed with sliding windows, and the smoothed similarities are used to determine whether the monitored user's behaviors are normal or anomalous. The results of our experience show the method can achieve higher detection accuracy and .shorter detection time than the instance-based method presented by Lane T. The method has been successfully applied in practical host-based intrusion detection systems.
基金
ThisworkissupportedbyNational"863"HighTechnologyProjectsofChina(86330775)andResearchFoundationofBeijingCapitelGroupCorporation(011025).
作者简介
Biographies: TIAN Xin-guang, male, Ph. D. of National University of Defense Technology, interested in the research on intrusion detection, network security, and digital signal processing.GAO Li-zhi, male, Ph. D. of Tsinghua University, associate professor, interested in the research on intrusion detection, network security, and firewall technology.SUN Chun-lai, female, senior engineer of Beijing Jiaotong University, interested in the research on computer network, information security.DUAN Mi-yi, male, professor of Beijing Jiaotong University, interested in the research on information processing, computer network.ZHANG Er-yang, male, professor, tutor of doctor students, National University of Defense Technology, interested in the research on information security, computer network, and signal processing.
