基于shell命令和多重行为模式挖掘的用户伪装攻击检测

伪装攻击是指非授权用户通过伪装成合法用户来获得访问关键数据或更高层访问权限的行为.近年来,伪装攻击检测在保障网络信息安全中发挥着越来越大的作用.文中提出一种新的用户伪装攻击检测方法.同现有的典型检测方法相比,该方法在训练阶段改进了对用户行为模式的表示方式,通过合理选择用户行为特征并基于阶梯式的序列模式支持度来建立合法用户的正常行为轮廓,提高了用户行为描述的准确性和对不同类型用户的适应性;在充分考虑shell命令审计数据时序特征的基础上,针对伪装攻击行为复杂多变的特点,提出基于多重行为模式并行挖掘和多门限联合判决的检测模型,并通过交叉验证和等量迭代逼近方法确定最佳门限参数,克服了单一序列模式检测模型在性能稳定性和容错能力方面的不足,在不明显增加计算成本的条件下大幅度提高了检测准确度.文中提出的方法已应用于实际检测系统,并表现出良好的检测性能.     

雾计算中基于DQL算法的伪装攻击检测方案

雾计算是一种在云数据中心和物联网（Internet of Things,IoT）设备之间提供分布式计算、存储等服务的技术,它能利用网络边缘进行认证并提供与云交互的方法。雾计算中以传统的安全技术实现用户与雾节点间安全性的方法不够完善,它仍然面对着窃听攻击、伪装攻击等安全威胁,这对检测技术提出了新的挑战。针对这一问题,提出了一种基于DQL（Double Q-learning）算法的雾计算伪装攻击检测方案。该方案借助物理层安全技术中的信道参数,首先在Q-learning算法的基础上处理Q值过度估计问题,获取最佳的伪装攻击测试阈值,然后通过阈值实现了用户与雾节点间的伪装攻击检测。实验结果表明,该算法检测伪装攻击的性能优于传统的Q-learning算法,具有在雾计算安全防护方面的优越性。     

移动雾计算中基于强化学习的伪装攻击检测算法

在移动雾计算中,雾节点与移动终端用户之间的通信容易受到伪装攻击,从而带来通信和数据传输的安全问题。基于移动雾环境下的物理层密钥生成策略,提出一种基于强化学习的伪装攻击检测算法。构建移动雾计算中的伪装攻击模型,在该模型下设计基于Q-学习算法的伪装攻击检测算法,实现在动态环境下对伪装攻击的检测,在此基础上,分析密钥生成策略在假设检验中的漏报率、误报率和平均错误率以检验算法性能。实验结果表明,该算法能够在动态环境中有效地防范伪装攻击,可使检测性能迅速收敛并达到稳定,且具有较低的平均检测错误率。     

Web浏览器缓冲区溢出攻击检测技术

通过Web浏览器访问网页已经成为人们最重要的访问互联网的方式,但是浏览器中存在的缓冲区安全漏洞给用户的系统安全带来很大的威胁。基于浏览器的缓冲区溢出攻击有自身的特点,传统的入侵检测系统无法检测到它的攻击数据。分析了基于Web浏览器的缓冲区溢出攻击的特点,提出了对其进行检测的算法,并实现了一个原型系统。     

一种基于HMM和遗传算法的伪装入侵检测方法

针对目前伪装入侵检测算法在确定序列的滑动窗口长度中存在的主要问题,以及使得检测阈值的计算更加容易、精确,本文提出了一个新的伪装入侵检测算法-MDAA,它使用HMM（Hidden Markov Model）模型表示正常用户行为,通过计算模型的条件熵确定滑动窗口长度.实现了滑动窗口长度随不同的用户模型而自动变化,达到自适应参数调整的目的.采用遗传算法计算子序列相对用户模型的最大和最小似然值,从而将滑动窗口分割到的子序列转换成便于决策的量.在一个真实的伪装检测数据集上进行了实验,结果表明该方法能得到较好的性能,并且更能适应不同用户的伪装检测.     

基于关联规则挖掘的数据库异常检测系统研究

提出一种基于关联规则挖掘的数据库异常检测模型DBADS.阐述了DBADS的结构及各部件的设计.利用关联规则FPMAX算法,对用户正常历史数据进行挖掘.通过训练学习生成异常检测模型,并利用此模型实现基于关联规则挖掘的异常检测.DBADS可以检测伪装攻击、合法用户的攻击两种类型的攻击,通过实验给出了系统检测相应攻击的检测率、虚警率.实验证明,本系统的建立不依赖于经验,具有较好的性能和灵活性.     

应用层DDOS攻击检测技术研究

随着检测底层DDoS攻击的技术不断成熟和完善,应用层DDoS攻击越来越多。由于应用层协议的复杂性,应用层DDoS攻击更具隐蔽性和破坏性,检测难度更大。通过研究正常用户访问的网络流量特征和应用层DDoS攻击的流量特征,采用固定时间窗口内的请求时间间隔以及页面作为特征。通过正常用户和僵尸程序访问表现出不同的特点,对会话进行聚类分析,从而检测出攻击,经过实验,表明本检测算法具有较好的检测性能。     

轻量级无线网络入侵检测系统

针对当前流行的无线拒绝服务DoS、伪装STA、伪装AP、WarDriving、暴力破解等无线网络攻击,采用误用检测和异常检测结合的方式,设计并实现了一个针对无线局域网的轻量级无线网络入侵检测系统。系统采用用户自定义攻击规则库、自定义授权AP/STA名单、自定义非法AP/STA名单等方式,能针对无线网络具体环境和用户的不同需要,合理调整入侵检测灵敏度和攻击检测阈值。仿真试验表明,与市场上同类系统相比较,本系统能有效提高无线网络入侵检测效率,大大降低误报率和漏报率。     

频繁情节挖掘方法在入侵检测中的应用

介绍了数据挖掘技术在入侵检测中的应用,提出了一种基于事件序列的频繁情节挖掘算法,并将该算法用于基于网络的入侵检测中。实验结果证明,与关联规则挖掘算法相比较,频繁情节挖掘算法可以有效地提高入侵检测系统的准确性,降低误报率。     

基于Web用户浏览行为的统计异常检测

提出一种基于Web用户访问行为的异常检测方案,用于检测应用层上的分布式拒绝服务攻击,并以具有非稳态流特性的大型活动网站为例,进行应用研究.根据Web页面的超文本链接特征和网络中各级Web代理对用户请求的响应作用,用隐半马尔可夫模型来描述服务器端观测到的正常Web用户的访问行为,并用与大多数正常用户访问行为特征的偏离作为一个流的异常程度的测量.给出了模型的参数化方法,推导了模型参数估计与异常检测算法,讨论了实际网络环境下异常检测系统的实现方法.最后用实际数据验证了模型和检测算法的有效性.仿真结果表明,该模型     

The Windows-Users and -Intruder simulations Logs dataset (WUIL): An experimental framework for masquerade detection mechanisms

We introduce a new masquerade dataset, called Windows-Users and -Intruder simulations Logs (WUIL), which, unlike existing datasets, involves more faithful masquerade attempts. While building WUIL, we have worked under the hypothesis that the way in which a user navigates her file system structure can neatly separate a masquerade attack. Thus, departing from standard practice, we state that it is not a user action, but the object upon which the action is carried out what distinguishes user participation. We shall argue that this approach, based on file system navigation provides a richer means, and at a higher-level of abstraction, for building novel models for masquerade detection.We shall devote an important part of this paper to describe WUIL’s content: what information about user activity is stored and how it is represented; prominent characteristics of the participant users; the kinds of masquerade attacks to be timely detected; and the way they have been simulated. We shall argue that WUIL provides reliable data for experimenting on close to real-life instances of masquerade detection, as well as for conducting fair comparisons on rival detection mechanisms, hoping it will be of use to the research community.As a side contribution of this paper, we use WUIL to conduct a simple comparison of two masquerade detection methods: one based on SVM, and the other based on KNN. While this comparison experiment is not central to the paper, we expect it to motivate research exploring deeper the masquerade detection problem, and spreading the use of WUIL. In a similar vein, we provide directions for further research, hinting on how to use the features contained in WUIL, and hoping others would find them appealing.     

基于评分离散度的托攻击检测算法

检测托攻击的本质是对真实用户和虚假用户进行分类,现有的检测算法对于具有选择项的流行攻击、段攻击等攻击方式的检测鲁棒性较差.针对这一问题,通过分析真实用户和虚假用户的评分分布情况,结合ID3决策树提出基于用户评分离散度的托攻击检测Dispersion-C算法.算法通过用户评分极端评分比、去极端评分方差和用户评分标准差3个...     

Masquerade mimicry attack detection: A randomised approach

A masquerader is an (often external) attacker who, after succeeding in obtaining a legitimate user’s credentials, attempts to use the stolen identity to carry out malicious actions. Automatic detection of masquerading attacks is generally undertaken by approaching the problem from an anomaly detection perspective: a model of normal behaviour for each user is constructed and significant departures from it are identified as potential masquerading attempts. One potential vulnerability of these schemes lies in the fact that anomaly detection algorithms are generally susceptible to deception. In this work, we first investigate how a resourceful masquerader can successfully evade detection while still accomplishing his goals. For this, we introduce the concept of masquerade mimicry attacks, consisting of carefully constructed attacks that are not identified as anomalous. We then explore two different detection schemes to thwart such attacks. We first study the introduction of a blind randomisation strategy into a baseline anomaly detector. We then propose a more accurate algorithm, called Probabilistic Padding Identification (PPI) and based on the Kullback-Leibler divergence, which attempts to identify if a sufficiently anomalous attack is present within an apparently normal behavioural pattern. Our experimental results indicate that the PPI algorithm achieves considerably better detection quality than both blind randomised strategies and adversarial-unaware approaches.     

新的传感器网络假冒攻击源检测方案

针对传感器网络假冒攻击,提出了一种新的假冒攻击源检测方案。新方案利用基于身份的签名技术,结合节点报警规则,构造了基于邻居节点相互认证的单个试图假冒攻击源测定算法,以此为基础,扩充为针对局部区域内的多个试图假冒攻击源测定算法。新方案也提出了成功假冒攻击源测定算法,其中采用了汇聚节点监控排查恶意区域、普通节点认证转发报警消息机制。新方案适用于假冒攻击状况复杂、网络安全性要求较高的环境。仿真实验证实了新方案在成功检测方面的有效性。     

Sequence alignment for masquerade detection

The masquerade attack, where an attacker takes on the identity of a legitimate user to maliciously utilize that user’s privileges, poses a serious threat to the security of information systems. Such attacks completely undermine traditional security mechanisms due to the trust imparted to user accounts once they have been authenticated. Many attempts have been made at detecting these attacks, yet achieving high levels of accuracy remains an open challenge. In this paper, we discuss the use of a specially tuned sequence alignment algorithm, typically used in bioinformatics, to detect instances of masquerading in sequences of computer audit data. By using the alignment algorithm to align sequences of monitored audit data with sequences known to have been produced by the user, the alignment algorithm can discover areas of similarity and derive a metric that indicates the presence or absence of masquerade attacks. Additionally, we present several scoring systems, methods for accommodating variations in user behavior, and heuristics for decreasing the computational requirements of the algorithm. Our technique is evaluated against the standard masquerade detection dataset provided by Schonlau et al. [Schonlau, M., DuMouchel, W., Ju, W.H., Karr, A.F., Theus, M., Vardi, Y., 2001. Computer intrusion: Detecting masquerades. Statistical Science 16 (1), 58-74], and the results show that the use of the sequence alignment technique provides, to our knowledge, the best results of all masquerade detection techniques to date.     

一种基于粒子群的入侵检测研究

当今攻击网络的手段是多种多样的,为保护网络的用户不受来自网络的攻击,网络在使用中需要安全设备和安全技术。入侵检测技术是一种安全检测技术,该技术能够来阻止网络攻击行为。但要阻止网络的攻击行为,必须检测到该行为。本文在简述了入侵检测技术,粒子群知识后,然后提出了粒子群在入侵检测技术上的应用。该技术在入侵检测上的应用将使得检测方法具有一定的智能性,将粒子群技术应用到入侵检测中属于是首次。本文提出的具有一定智能性检测算法可分为两个步骤：①首先通过函数y=f（x）判断链路中的数据流是否在正常范围内,还是属于异常。②然后如果某种数据流属于异常的流,则使用粒子群算法来对未知属性数据流的属性进行定性判断。本文提出的算法具有一定的智能性,能够作为现有的入侵检测算法的补充。     

Cluster validation in clustering‐based one‐class classification

Reconstruction‐based one‐class classification has shown to be very effective in a number of domains. This approach works by attempting to capture the underlying structure of the normal class, typically, by means of clusters of objects. It has the main disadvantage, however, that one has to indicate the number of clusters in advance, for this yields an efficient way of computing a clustering. In this paper, we introduce a new algorithm, OCKRA++, which achieves a better performance, by enhancing a clustering‐based one‐class ensemble classifier (OCKRA) with a cluster validity index that is used to set the best number of clusters during the classifier's training process. We have thoroughly tested OCKRA++ in a particular domain, namely masquerade detection. For this purpose, we have used the Windows‐Users and ‐Intruder simulation Logs data set repository, which contains 70 different masquerade data sets. We have found that OCKRA++ is currently the algorithm that achieves the best area under the curve, with a significant difference, in masquerade detection using the file system navigation approach.     

基于Linux 系统的DoS 攻击检测和审计系统

在分析传统入侵检测系统不足的基础上,提出了基于Linux操作系统的DoS攻击检测和审计系统。网络安全检测模块通过统计的方法检测内网发起的DoS攻击行为,网络行为规范模块过滤用户对非法网站的访问,网络行为审计模块则记录内网用户的非法行为。实验证明,相比传统的入侵检测系统,该系统能够有效地检测出DoS攻击,并能规范网络用户行为和有效审计非法网络行为。     

面向Unix和Linux平台的网络用户伪装入侵检测

基于主机的入侵检测是目前网络安全领域研究的热点内容。提出了一种基于数据挖掘和变长序列匹配的用户伪装入侵检测方法,主要用于Unix或Linux平台上以shell命令为审计数据的主机型入侵检测系统。该方法针对用户行为复杂多变的特点以及审计数据的短时相关性,利用多种长度不同的shell命令短序列来描述用户行为模式,并基于数据挖掘技术中的序列支持度在用户界面层对网络合法用户的正常行为进行建模;在检测阶段,采用了基于变长序列匹配和判决值加权的检测方案,通过单调递增相似度函数赋值和加窗平滑滤噪对被监测用户当前行为的异常程度进行精确分析,能够有效降低误报率,增强了检测性能的稳定性。实验表明,同目前典型的伪装入侵检测方法相比,该方法在检测准确度和计算成本方面均具有较大优势,特别适用于在线检测。