期刊文献+
任意字段
题名或关键词
题名
关键词
文摘
作者
第一作者
机构
刊名
分类号
参考文献
作者简介
基金资助
栏目信息

基于Markov模型的异常用户检测 被引量:3

Abnormal User Detection Based on Markov Models
下载PDF
导出
摘要 在入侵检测的研究中,异常检测已逐步成为了入侵检测研究的主要方向。为提高检测效率,提出一种基于Markov模型的行为模式-聚类(BMC)的用户行为异常检测方法,采用一阶Markov模型对多用户计算机系统中用户的正常行为进行建模,学习Markov模型参数时采用命令匹配方法。在检测阶段,通过计算状态序列出现的概率得到概率序列,并对其进行加窗和处理得到判决值序列。BMC采用KNN方法对判决值序列进行聚类,以聚类结果来对用户行为进行异常检测与分析,发现系统中潜在的入侵用户及入侵用户群组。实验结果表明BMC不仅能够判别单用户的异常入侵行为,更能够有效识别多用户计算机系统中的异常用户行为。 Abnormal detection is the main direction of intrusion detection research field. A novel behavior model based on Markov - clustering ( BMC for short) was proposed in this paper. The BMC can be used to effectively detect masquerade user behavior. The BMC method utilized homogeneous first order Markov chains to model normal behavior pattern of the user in multi - user computer systems. During the process of learning parameters of Markov model, the BMC adopted the command matching method, in which the states of Markov model was constructed by the fre- quencies of the shell commands. In the test process, the BMC obtained the probability sequence by calculating the probability of state sequences, and the decision measure was computed by smoothing windows of state time sequences. Finally, the BMC took a KNN clustering method to cluster decision measure time series for abnormal user detection, and the clustering result was used to analyze the abnormal users. The experimental result shows that the BMC can effectively detect abnormal users by single user Markov model. Furthermore, the BMC can effectively detect abnormal users in multi - user computer system.
作者 韩忠明 张晨 李斌
机构地区 北京工商大学计算机与信息工程学院
出处 《计算机仿真》 CSCD 北大核心 2014年第6期316-320,共5页 Computer Simulation
基金 国家自然科学基金(61170112) 北京市属高等学校科学技术与研究生教育创新工程建设项目(PXM2012_014213_000037)
关键词 入侵检测 马尔科夫模型 聚类 命令 Intrusion detection Markov model Clustering Command
分类号 TP391.9 [自动化与计算机技术—计算机应用技术]
  • 相关文献

参考文献16

二级参考文献71

  • 1田新广,高立志,张尔扬.新的基于机器学习的入侵检测方法[J].通信学报,2006,27(6):108-114. 被引量:15
  • 2SMAHA S E. Haystack: an intrusion detection system[A]. The Fourth IEEE Aerospace Computer Security Applications Conference[C]. Orlando, Florida, 1988. 被引量:1
  • 3WU H C, HUANG S H S. Masquerade detection using command prediction and association rules mining[A]. 2009 International Conference on Advanced Information Networking and Applications[C]. Aina,2009. 552-559. 被引量:1
  • 4SHIM C Y, K1M J Y, GANTENBEIN R E. Practical user identification for masquerade detection[A]. Advances in Electrical and Electronics Engineering-IAENG Special Edition of the World Congress on Engineering and Computer Science 2008[C]. San Francisco, California, USA, 2008.47-51. 被引量:1
  • 5DASH S K, REDDY K S, PUJARI A K. Adaptive naive Bayes method for masquerade detection[J]. Security and Communication Networks, 2010, DOI: 10.1002/sec.168. 被引量:1
  • 6COULL S E, BRANCH J W, SZYMANSKI B K, et al. Sequence alignment for masquerade detection[J]. Computational Statistics & Data Analysis, 2008, 52(8): 4116-4131. 被引量:1
  • 7LI M. An approach to reliably identifying signs of DDOS flood attacks based on LRD traffic pattern recognition[J]. Computers & Security, 2004, 23(7): 549-558. 被引量:1
  • 8LI M. Change trend of averaged Hurst parameter of traffic underDDOS flood attacks[J]. Computers & Security, 2006, 25(3): 213-220. 被引量:1
  • 9LI M, WANG S, ZHAO W. A real-time and reliable approach to detecting traffic variations at abnormally high and low rates[J]. Lecture Notes in Computer Science, 2006, 4158: 541-550. 被引量:1
  • 10MAXION R A, TOWNSEND T N. Masquerade detection using truncated command lines[A]. Proceedings of the International Conference on Dependable Systems and Networks[C]. Washington, DC, USA, 2002.219-228. 被引量:1

共引文献77

同被引文献39

引证文献3

二级引证文献10

计算机仿真
2014年 第6期

相关作者

内容加载中请稍等...

相关机构

内容加载中请稍等...

相关主题

内容加载中请稍等...

浏览历史

内容加载中请稍等...
;
使用帮助 返回顶部