期刊文献+
任意字段
题名或关键词
题名
关键词
文摘
作者
第一作者
机构
刊名
分类号
参考文献
作者简介
基金资助
栏目信息

一种新的基于Markov链模型的用户行为异常检测方法 被引量:7

A New Method for Anomaly Detection of User Behaviors Based on Markov Chain Models
下载PDF
导出
摘要 提出一种新的基于Markov链模型的用户行为异常检测方法。该方法利用一阶齐次Markov链对网络系统中合法用户的正常行为进行建模,将Markov链的状态同用户执行的shell命令序列联系在一起,并引入一个附加状态;在检测阶段,基于状态序列的出现概率对用户当前行为的异常程度进行分析,并根据Markov链状态的实际含义和用户行为的特点, 采用了较为特殊的判决准则。与Lane T提出的基于隐Markov模型的检测方法相比,该方法的计算复杂度较低,更适用于在线检测。而同基于实例学习的检测方法相比,该方法则在检测准确率方面具有较大优势。文中提出的方法已在实际入侵检测系统中得到应用,并表现出良好的检测性能。 This paper presents a new method for anomaly detection of user behaviors based on Markov chain models. The method constructs a one-order Markov chain model to represent the normal behavior profile of a network user, and associates shell command sequences with the states of the Markov chain. At the detection stage, the probabilities of the state sequences of the Markov chain is firstly computed, and a specific decision rule is adopted while the particularity of user behaviors is taken into account. The method is less computationally expensive than the method based on hidden Markov models introduced by Lane T, and is more applicable to on -line detection. Compared with the instance-based method, the method in the paper can provide higher detection accuracy. The application of the method in practical intrusion detection systems shows that it has high detection performance.
作者 邬书跃 田新广 高立志 张尔扬
机构地区 湖南科技大学信息与电气工程学院 国防科技大学电子科学与工程学院
出处 《信号处理》 CSCD 北大核心 2006年第3期440-444,共5页 Journal of Signal Processing
基金 国家863高技术研究发展基金资助项目(No.863-307-7-5)北京首信集团科研基金资助项目(No.011025)
关键词 入侵检测 MARKOV链 异常检测 SHELL命令 intrusion detection Markov chain anomaly detection shell command
分类号 TP393.08 [自动化与计算机技术—计算机应用技术]
  • 相关文献

参考文献8

  • 1Lane T. Machine learning techniques for the computer security domain of anomaly detection [D]. Purdue University,2000.
  • 2Lee W, Dong X. Information-Theoretic measures for anomaly detection[ C ]. Proceedings of the 2001 IEEE Symposium on Security and Privacy, Oakland, USA, 2001 : 130 - 134.
  • 3Lane T, Brodley C E. Temporal sequence learning and data reduction for anomaly detection [ J ]. ACM Transactions on Information and System Security, 1999 (2) :295 -331.
  • 4Warrender C, Forrest S, Pearlmutter B. Detecting Intrusions Using System Calls:Alternative Data Models [ C ].Proceedings the 1999 IEEE Symposium on Security and Privacy, Berkely, USA- IEEE Computer Society, 1999:133 - 145.
  • 5Lane T, Brodley C E. An application of machine learning to anomaly detection [ C]. Proceedings of the 20th National Information Systems Security Conference, Baltimore, USA,1997:366 - 377.
  • 6孙宏伟,田新广,李学春,张尔扬.一种改进的IDS异常检测模型[J].计算机学报,2003,26(11):1450-1455. 被引量:21
  • 7连一峰,戴英侠,王航.基于模式挖掘的用户行为异常检测[J].计算机学报,2002,25(3):325-330. 被引量:85
  • 8田新广,高立志,李学春,张尔扬.一种基于隐马尔可夫模型的IDS异常检测新方法[J].信号处理,2003,19(5):420-424. 被引量:6

二级参考文献17

  • 1[1]Lee Wenke, Stolfo S J. Data mining approaches for intrusion detection. In: Proc the 7th USENIX Security Symposium, San Antonio, TX, 1998
  • 2[2]Lee Wenke, Stolfo S J, Mok K W. A data mining framework for building intrusion detection models. In: Proc the 1999 IEEE Symposium on Security and Privacy, Berkely, California, 1999. 120-132
  • 3[3]Lee Wenke. A data mining framework for constructing features and models for intrusion detection systems[Ph D dissertation]. Columbia University, 1999
  • 4[4]Paxson Vern. Bro: A system for detecting network intruders in real-time. In: Proc the 7th USENIX Security Symposium, San Antonio, TX, 1998
  • 5[5]Agrawal Rakesh, Srikant Ramakrishnan. Fast algorithms for mining association rules. In: Proc the 20th International Conference on Very Large Databases, Santiago, Chile, 1994
  • 6[6]Agrawal Rakesh, Srikant Ramakrishnan. Mining sequential patterns. IBM Almaden Research Center, San Jose, California:Research Report RJ 9910, 1994
  • 7[7]Chen M, Han J, Yu P. Data mining: An overview from database perspective. IEEE Trans Knowledge and Data Engineeing, 1996,8(6):866-883
  • 8Lane T. Machine learning techniques for the computer security domain of anomaly detection [D].Purdue University, 2000.
  • 9Warrender C, Forrest S. Pearlmutter B. Detecting intru-sions using system calls: altematived.t, models[A].Proceedings of the 1999 IEEE Symposium on Security and Privacy[C]. Berkely, California, USA: IEEE Compu-ter Society, 1999:133-145.
  • 10Rabiner L R, Juang B H. An introduction to hidden Markov models[J]. IEEE ASSP Magazine, 1986(1): 4-16.

共引文献99

同被引文献41

引证文献7

二级引证文献16

信号处理
2006年 第3期

相关作者

内容加载中请稍等...

相关机构

内容加载中请稍等...

相关主题

内容加载中请稍等...

浏览历史

内容加载中请稍等...
;
使用帮助 返回顶部