| 面向Unix和Linux平台的网络用户伪装入侵检测 |
| |
| 引用本文: | 田新广,程学旗,陈小娟,段洣毅,许洪波.面向Unix和Linux平台的网络用户伪装入侵检测[J].计算机科学与探索,2010,4(6):500-510. |
| |
| 作者姓名: | 田新广 程学旗 陈小娟 段洣毅 许洪波 |
| |
| 作者单位: | 1. 中国科学院,计算技术研究所,网络科学与技术重点实验室,北京,100190
2. 北京工商大学,计算机与信息工程学院,北京,100037 |
| |
| 基金项目: | 国家高技术研究发展计划(863),国家242信息安全计划 |
| |
| 摘 要: | 基于主机的入侵检测是目前网络安全领域研究的热点内容。提出了一种基于数据挖掘和变长序列匹配的用户伪装入侵检测方法,主要用于Unix或Linux平台上以shell命令为审计数据的主机型入侵检测系统。该方法针对用户行为复杂多变的特点以及审计数据的短时相关性,利用多种长度不同的shell命令短序列来描述用户行为模式,并基于数据挖掘技术中的序列支持度在用户界面层对网络合法用户的正常行为进行建模;在检测阶段,采用了基于变长序列匹配和判决值加权的检测方案,通过单调递增相似度函数赋值和加窗平滑滤噪对被监测用户当前行为的异常程度进行精确分析,能够有效降低误报率,增强了检测性能的稳定性。实验表明,同目前典型的伪装入侵检测方法相比,该方法在检测准确度和计算成本方面均具有较大优势,特别适用于在线检测。
|
| 关 键 词: | 伪装攻击 入侵检测 shell命令 数据挖掘 异常检测 |
| 修稿时间: | |
Masquerade Detection towards Network Users on Unix and Linux Platforms |
| |
| TIAN Xinguang,CHENG Xueqi,CHEN Xiaojuan,DUAN Miyi,XU Hongbo.Masquerade Detection towards Network Users on Unix and Linux Platforms[J].Journal of Frontier of Computer Science and Technology,2010,4(6):500-510. |
| |
| Authors: | TIAN Xinguang CHENG Xueqi CHEN Xiaojuan DUAN Miyi XU Hongbo |
| |
| Affiliation: | 1. Key Lab of Network Science and Technology, Institute of Computing Technology, CAS, Beijing 100190, China 2. College of Comp. and Info. Engineering, Beijing Technology and Business University, Beijing 100037, China |
| |
| Abstract: | Host-based intrusion detection acts as one of the major directions of research in network security. This paper presents a novel method for masquerade detection based on data mining and variable-length shell command sequence matching, which is applicable to intrusion detection systems using shell commands as audit data on Unix and Linux platforms. The method employs multiple command sequences to represent user behavior pattern, and utilizes sequence supports defined in data mining technique to characterize the normal behavior profiles of legitimate users. In the detection stage, a model based on variable-length shell command sequence matching and decision value weighing is used to distinguish between legitimate users and masqueraders, while the particularity of audit data and user behavior is taken into account. The performance of the method is tested by computer simulation, and the results show it can achieve higher detection accuracy and efficiency than existing alternative methods. |
| |
| Keywords: | masquerade attack intrusion detection shell command data mining anomaly detection |
| 本文献已被 维普 万方数据 等数据库收录! |
| 点击此处可从《计算机科学与探索》浏览原始摘要信息 |
|
点击此处可从《计算机科学与探索》下载全文 |
|
