Anomaly Detection of User Behaviors Based on Profile Mining
Cite this article: LIAN Yi-Feng, DAI Ying-Xia, WANG Hang. Anomaly Detection of User Behaviors Based on Profile Mining [J]. Chinese Journal of Computers, 2002, 25(3): 325-330.
Authors: LIAN Yi-Feng, DAI Ying-Xia, WANG Hang
Affiliation: State Key Laboratory of Information Security, Graduate School of the Chinese Academy of Sciences, Beijing 100039, China
Funding: National Key Basic Research and Development Program ("973" Program) project (G1999035801); Computer Network System Security Technology Research project of the National Informatization Leading Group (2001研1-08)
Abstract: Behavior profiles usually reflect the identity and habits of a user. This paper describes a method that applies association analysis and sequence mining from data mining to the shell commands a user executes in Telnet sessions in order to mine user behavior profiles. It analyzes the shortcomings of the traditional correlation-function method when applied to comparing sequence patterns, proposes a pattern comparison algorithm based on a recursive correlation function, and detects anomalies in user behavior from the similarity between the user's historical behavior profile and the current behavior profile. Experimental results are given at the end.

Keywords: behavior profiles; data mining; similarity; recursive correlation function; user behavior anomaly detection; intrusion detection system; network security; computer network
Revised: 4 June 2001

Anomaly Detection of User Behaviors Based on Profile Mining
LIAN Yi-Feng, DAI Ying-Xia, WANG Hang. Anomaly Detection of User Behaviors Based on Profile Mining [J]. Chinese Journal of Computers, 2002, 25(3): 325-330.
Authors: LIAN Yi-Feng, DAI Ying-Xia, WANG Hang
Abstract: Anomaly detection is the major direction of research in intrusion detection. Detecting anomalies in system/user behavior profiles can help us discover unknown attacks. The critical problem of anomaly detection lies in how to construct the normal usage profiles and how to perform profile comparison. Fortunately, researchers at Columbia University pointed out a feasible solution: data mining. They also presented some inspiring experimental results. As an application-specific approach to data processing, data mining has the ability to discover hidden knowledge in large volumes of security audit data. Data mining techniques, including association analysis, sequence mining and data classification, can greatly improve the ability to mine user behavior profiles, which usually reflect the identities and habits of users. We use Bro, a stand-alone system for detecting network intruders in real time, to extract the shell commands entered by users during Telnet sessions. Commands are formatted and organized into audit records. After that, the Apriori algorithm and the sliding-window division algorithm are applied to mine behavior profiles, composed of association rules and sequence patterns, from these audit records. After demonstrating the defect of the traditional comparison algorithm, which uses correlation functions to compare the similarity between historical profiles and present ones, we present our algorithm, named recursive correlation, to perform the comparison and calculate similarities for detecting anomalous behaviors. In order to verify the validity of our approach, we simulate several kinds of anomalous behaviors based on Telnet sessions and compare the mined profiles with those from normal behaviors. The experimental results show distinct differences between them.
With the help of such kinds of data mining techniques and profile comparison algorithms, we are provided with the capability of detecting anomalies which often indicate malicious attacks.
Keywords:behavior profiles  data mining  similarity  recursive correlation function  
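The abstract describes the pipeline at a high level: shell-command audit records from Telnet sessions, sliding-window mining of association itemsets and sequence patterns, and a similarity score between a historical profile and the current one that flags anomalies. The following is an added illustration of that pipeline, not code from the paper or its authors. The audit records are constructed, the window size, support threshold and anomaly threshold are assumed values, and the similarity measure is a plain weighted-Jaccard overlap of the two profiles' pattern supports; it stands in for, and does not reproduce, the paper's recursive correlation function, which the abstract does not specify.

```python
from collections import Counter
from itertools import combinations

# Constructed audit records: one list of shell commands per Telnet session.
# These are sample values made up for this example, not data from the paper.
HISTORY_SESSIONS = [
    ["ls", "cd", "vi", "make", "ls", "exit"],
    ["cd", "ls", "vi", "make", "make", "exit"],
    ["ls", "vi", "make", "ls", "exit"],
    ["cd", "vi", "make", "exit"],
]
# Held-out sessions in the same style as the history (constructed).
CURRENT_NORMAL_SESSIONS = [
    ["ls", "vi", "make", "exit"],
    ["cd", "vi", "make", "ls", "exit"],
]
# Sessions whose command mix differs sharply from the history (constructed).
CURRENT_SUSPECT_SESSIONS = [
    ["id", "cat", "cat", "chmod", "nc", "exit"],
    ["cat", "chmod", "nc", "exit"],
]


def windows(commands, size):
    """Sliding-window division: yield every contiguous window of `size` commands."""
    for i in range(len(commands) - size + 1):
        yield tuple(commands[i:i + size])


def mine_profile(sessions, window_size=3, min_support=0.5):
    """Mine a behavior profile from audit records.

    The profile has two parts, both keyed by pattern with support as value:
      "assoc": unordered command pairs that co-occur inside a window
               (the length-2 frequent itemsets of an Apriori-style pass);
      "seq":   ordered adjacent command bigrams (a length-2 sequence pattern).
    Support is the fraction of windows containing the pattern; patterns below
    `min_support` (an assumed threshold) are dropped.
    """
    assoc, seq, total = Counter(), Counter(), 0
    for session in sessions:
        for win in windows(session, window_size):
            total += 1
            for pair in combinations(sorted(set(win)), 2):
                assoc[pair] += 1
            for bigram in set(zip(win, win[1:])):
                seq[bigram] += 1
    if total == 0:
        return {"assoc": {}, "seq": {}}
    keep = lambda counts: {p: c / total for p, c in counts.items()
                           if c / total >= min_support}
    return {"assoc": keep(assoc), "seq": keep(seq)}


def similarity(profile_a, profile_b):
    """Weighted-Jaccard overlap of two profiles, averaged over both pattern kinds.

    This is a simple stand-in for the paper's recursive correlation function,
    which is not reproduced here.  Identical profiles score 1.0; profiles with
    no common pattern score 0.0.
    """
    scores = []
    for kind in ("assoc", "seq"):
        a, b = profile_a[kind], profile_b[kind]
        keys = set(a) | set(b)
        if not keys:
            scores.append(1.0)
            continue
        num = sum(min(a.get(k, 0.0), b.get(k, 0.0)) for k in keys)
        den = sum(max(a.get(k, 0.0), b.get(k, 0.0)) for k in keys)
        scores.append(num / den)
    return sum(scores) / len(scores)


def is_anomalous(history_profile, current_profile, threshold=0.3):
    """Flag the current profile when its similarity to history falls below
    the assumed threshold."""
    return similarity(history_profile, current_profile) < threshold


if __name__ == "__main__":
    history = mine_profile(HISTORY_SESSIONS)
    for label, sessions in (("normal", CURRENT_NORMAL_SESSIONS),
                            ("suspect", CURRENT_SUSPECT_SESSIONS)):
        current = mine_profile(sessions)
        print(f"{label}: similarity={similarity(history, current):.3f} "
              f"anomalous={is_anomalous(history, current)}")
```

With the constructed data, the held-out normal sessions share the dominant `vi -> make` sequence pattern and the `{make, vi}` itemset with the history and score well above the threshold, while the suspect sessions share no pattern at all and score 0. In practice the support and anomaly thresholds would be tuned on a user's own history, and a profile built from only a handful of sessions is noisy, which is why the comparison is run over batches of sessions rather than a single one.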
This article is indexed in CNKI, VIP, Wanfang Data and other databases.