一种改进的IDS异常检测模型

基于机器学习的异常检测是目前IDS研究的一个重要方向．该文对一种基于机器学习的用户行为异常检测模型进行了描述，在此基础上提出一种改进的检测模型．该模型利用多种长度不同的shell命令序列表示用户行为模式，建立多个样本序列库来描述合法用户的行为轮廓，并在检测中采用了以shell命令为单位进行相似度赋值的方法．文中对两种模型的特点和性能做了对比分析，并介绍了利用UNIX用户shell命令数据进行的实验．实验结果表明，在虚警概率相同的情况下改进的模型具有更高的检测概率．

An Improved Anomaly Detection Model for IDS

The application of machine learning technique to anomaly detection acts as one of the important directions of research on IDS. This paper introduces an user behavior anomaly detection model based on machine learning originated mainly by Terran Lane. Then it presents an improved anomaly detection model. It uses shell command sequences of variable lengths to represent user behavior patterns and construct more than one libraries of command sequences to represent normal user behavior profiles. While performing detection, the model mines behavior patterns in the stream of shell command sequences generated by the current user, and evaluates the similarity for each shell command according to the length of the sequence, i.e. the behavior pattern which it belongs to. The similarities of the commands are then filtered and act as the measure to determine whether the behavior of the current user is noamal or not. The performance of the model is tested by computer simulation with UNIX users' shell command data. The results show it has higher detection accuracy than Terran Lane's model.