Masquerade Detection Based on Shell Commands and High-Order Markov Chain Models
Cite this article: XIAO Xi, ZHAI Qi-bin, TIAN Xin-guang, CHEN Xiao-juan, YE Run-guo. Masquerade Detection Based on Shell Commands and High-Order Markov Chain Models [J]. Acta Electronica Sinica, 2011, 39(5): 1199-1204.
Authors: XIAO Xi  ZHAI Qi-bin  TIAN Xin-guang  CHEN Xiao-juan  YE Run-guo
Affiliations: XIAO Xi, ZHAI Qi-bin (State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing 100049); TIAN Xin-guang (Key Laboratory of Network Science and Technology, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190); CHEN Xiao-juan (College of Computer and Information Engineering, Beijing Technology and Business University, Beijing 100037); YE Run-guo (Beijing Venustech Information Security Technology Co., Ltd., Beijing 100193)
Funding: National High-Tech Research and Development Program of China (863 Program); National 242 Information Security Program
Abstract: A masquerade attack is an attempt by an unauthorized user to gain access to critical data or higher access privileges by posing as a legitimate user. This paper proposes a new method for detecting user masquerade attacks. Addressing the variability of masquerader behaviour and the correlations among shell commands in audit data, the method models the normal behaviour of legitimate users with a special multi-order homogeneous Markov chain model and determines states by twofold hierarchical merging of shell commands, which improves the user behaviour profile description's ...

Keywords: network security  masquerade attack  intrusion detection  shell command  anomaly detection  high-order Markov chain
Received: 2010-07-08

Masquerade Detection Based on Shell Commands and High-Order Markov Chain Models
XIAO Xi, ZHAI Qi-bin, TIAN Xin-guang, CHEN Xiao-juan, YE Run-guo. Masquerade Detection Based on Shell Commands and High-Order Markov Chain Models [J]. Acta Electronica Sinica, 2011, 39(5): 1199-1204.
Authors: XIAO Xi  ZHAI Qi-bin  TIAN Xin-guang  CHEN Xiao-juan  YE Run-guo
Affiliation: XIAO Xi (1), ZHAI Qi-bin (1), TIAN Xin-guang (2), CHEN Xiao-juan (3), YE Run-guo (4) (1. State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing 100049, China; 2. Key Laboratory of Network Science and Technology, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190; 3. College of Computer and Information Engineering, Beijing Technology and Business University, Beijing 100037; 4. Beijing Venustech Company Ltd, Beijing 100193, China)
Abstract: Masquerade attacks are attempts by unauthorized users to gain access to confidential data or greater access privileges while pretending to be legitimate users. This paper proposes a novel method to distinguish legitimate users from masqueraders. The variability of user behavior and the correlations among shell command operations are thoroughly considered. The method constructs specific high-order homogeneous Markov chain models to represent the normal behavior profiles of valid users. It defines the states by twofold hierarchical merging of shell commands. This increases the accuracy with which normal behavior profiles are described, improves the generalization of the detection system and sharply reduces the storage space. In the detection phase, with real-time performance in mind, it computes categorical boolean variables using only the transition probabilities, which requires little computation, and then smooths them to obtain the decision values used to determine whether the monitored user's behavior is normal or anomalous. Its performance is tested in computer simulation, showing higher detection accuracy and lower computation costs than related methods. The proposed method is especially suitable for on-line detection.
Keywords: network security  masquerade attack  intrusion detection  shell command  anomaly detection  high-order Markov chain
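The detection pipeline the abstract describes, as an added example that is not the paper's code: an order-2 homogeneous Markov chain over merged command states, one categorical boolean per step taken from the transition probability alone, and a trailing-window smoothing that turns the booleans into a decision value. The merging rule (rare or unseen commands collapse into one state), the thresholds, and the command histories are assumptions and constructed data, not the paper's twofold hierarchical merging or its evaluation set.

```python
from collections import Counter, defaultdict

# Constructed command history of one legitimate user (training data).
TRAIN = ("ls cd ls cat vi gcc ls ./a.out cd ls vi gcc ./a.out " * 10).split()
# Constructed test windows: the same user, and a masquerader poking around.
NORMAL = "cd ls vi gcc ./a.out ls cat".split()
MASQ = "cd find cat chmod scp rm ls ls".split()


class HighOrderMarkovDetector:
    def __init__(self, order=2, min_count=3, prob_threshold=0.05, window=5):
        self.order, self.min_count = order, min_count
        self.prob_threshold, self.window = prob_threshold, window
        self.vocab, self.trans = set(), defaultdict(Counter)

    def _state(self, cmd):
        # Assumed merging rule (a stand-in for the paper's twofold hierarchical
        # merging): commands rare in training, or never seen, share one state.
        return cmd if cmd in self.vocab else "RARE"

    def fit(self, commands):
        counts = Counter(commands)
        self.vocab = {c for c, n in counts.items() if n >= self.min_count}
        states = [self._state(c) for c in commands]
        for i in range(self.order, len(states)):
            self.trans[tuple(states[i - self.order:i])][states[i]] += 1

    def transition_prob(self, ctx, nxt):
        row = self.trans.get(ctx)
        return row[nxt] / sum(row.values()) if row else 0.0

    def booleans(self, commands):
        # One categorical boolean per step: 1 if the observed transition is
        # plausible under the profile, 0 otherwise (no likelihood products).
        states = [self._state(c) for c in commands]
        return [int(self.transition_prob(tuple(states[i - self.order:i]), states[i])
                    >= self.prob_threshold)
                for i in range(self.order, len(states))]

    def decision_values(self, commands):
        # Smooth the booleans over a trailing window; the mean is the decision value.
        b = self.booleans(commands)
        return [sum(b[max(0, i - self.window + 1):i + 1]) / min(self.window, i + 1)
                for i in range(len(b))]

    def is_anomalous(self, commands, min_decision=0.5):
        return any(v < min_decision for v in self.decision_values(commands))

if __name__ == "__main__":
    det = HighOrderMarkovDetector()
    det.fit(TRAIN)
    print(det.decision_values(NORMAL), det.decision_values(MASQ))
```

The single implausible step at the end of NORMAL (a 0 boolean) is absorbed by the window, which is the point of smoothing the booleans rather than alarming on each one.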