Abstract
A machine-learning-based method for detecting anomalous user behavior is proposed, intended mainly for intrusion detection systems on UNIX platforms that use shell commands as audit data. Building on the detection method proposed by Lane T et al., the method improves the representation of user behavior patterns and behavior profiles; during detection, similarity values are assigned per command sequence corresponding to a behavior pattern; when the similarity stream is smoothed, the concept of a "variable window length" is introduced, and multiple decision thresholds are used jointly to judge the monitored user's behavior. Experiments show that the method outperforms the method of Lane T et al. in both detection accuracy and real-time performance.
A new intrusion detection method based on machine learning is presented for intrusion detection systems that use shell commands as audit data. In the method, multiple dictionaries of shell command sequences of different lengths are constructed to represent the normal behavior profile of a network user. During the detection stage, the similarities between the command sequences generated by the monitored user and the sequence dictionaries are calculated. These similarities are then smoothed with sliding windows, and the smoothed similarities are used to determine whether the monitored user's behaviors are normal or anomalous. The experimental results show that the method achieves higher detection accuracy and shorter detection time than the instance-based method presented by Lane T.
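The pipeline the abstract describes (n-gram dictionaries of different lengths, per-position similarity, variable-window smoothing, multiple thresholds), as an added illustration that is not the paper's own code. The training sessions and monitored stream are constructed, and the window-shrinking rule and the threshold values 0.8/0.3 are assumptions, since the abstract gives neither.

```python
"""Dictionary-based shell-command anomaly scoring (added example, not the paper's code)."""

# Constructed normal sessions for one user (training data).
NORMAL_SESSIONS = [
    ["ls", "cd", "vi", "make", "gcc", "ls"],
    ["cd", "ls", "vi", "make", "gcc", "ls"],
]
LENGTHS = (2, 3)            # one dictionary per command-sequence length
HIGH, LOW = 0.8, 0.3        # assumed decision thresholds (the paper states no values)


def build_dictionaries(sessions, lengths=LENGTHS):
    """One set of normal command n-grams per sequence length n."""
    return {n: {tuple(s[i:i + n]) for s in sessions for i in range(len(s) - n + 1)}
            for n in lengths}


def raw_similarities(stream, dicts):
    """At each position, the fraction of sequence lengths whose n-gram ending there is known."""
    longest = max(dicts)
    return [sum(tuple(stream[i - n + 1:i + 1]) in d for n, d in dicts.items()) / len(dicts)
            for i in range(longest - 1, len(stream))]


def smooth(raw, long_w=4, short_w=2):
    """Sliding-window mean with a variable window (assumed rule): the window shrinks
    when the current raw score is low, so a change of behaviour shows up sooner."""
    out = []
    for k, r in enumerate(raw):
        w = long_w if r >= 0.5 else short_w
        win = raw[max(0, k - w + 1):k + 1]
        out.append(sum(win) / len(win))
    return out


def decide(smoothed, high=HIGH, low=LOW):
    """Two thresholds: normal at or above high, anomalous below low, suspicious between."""
    return ["normal" if s >= high else "anomalous" if s < low else "suspicious"
            for s in smoothed]


def first_alarm(labels):
    """Index of the first 'anomalous' decision, or None if the stream stays clean."""
    return next((k for k, lab in enumerate(labels) if lab == "anomalous"), None)


if __name__ == "__main__":
    dicts = build_dictionaries(NORMAL_SESSIONS)
    # Constructed monitored stream: a familiar prefix, then commands this user never ran.
    stream = ["ls", "cd", "vi", "make", "gcc", "ls", "find", "tar", "scp", "find"]
    raw = raw_similarities(stream, dicts)
    for mode, sm in (("variable", smooth(raw)), ("fixed", smooth(raw, 4, 4))):
        print(mode, decide(sm), "first alarm at", first_alarm(decide(sm)))
```

With the same raw scores, the variable window raises its first alarm one position earlier than a fixed window of four, which is the detection-time advantage the abstract claims.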
Source
Journal on Communications (通信学报)
EI
CSCD
Peking University Core Journal
2006, No. 6, pp. 108-114 (7 pages)
Journal on Communications
Funding
Beijing Capitel (首信) Group research fund project (011025)
Keywords
information processing technique
intrusion detection
machine learning
behavioral pattern
information processing technique; intrusion detection; machine learning; behavioral pattern