|
|||||
|
|
| 一种新的基于Markov链模型的用户行为异常检测方法 | |
| 引用本文: | 邬书跃,田新广,高立志,张尔扬.一种新的基于Markov链模型的用户行为异常检测方法[J].信号处理,2006,22(3):440-444. |
| 作者姓名: | 邬书跃 田新广 高立志 张尔扬 |
| 作者单位: | 1. 湖南科技大学信息与电气工程学院,湘潭,411201 2. 国防科技大学电子科学与工程学院,长沙,410073 3. 国防科技大学电子科学与工程学院,长沙,410073;清华大学电子工程系,北京,100084 |
| 基金项目: | 国家高技术研究发展计划(863计划);北京首信集团资助项目 |
| 摘 要: | 提出一种新的基于Markov链模型的用户行为异常检测方法。该方法利用一阶齐次Markov链对网络系统中合法用户的正常行为进行建模,将Markov链的状态同用户执行的shell命令序列联系在一起,并引入一个附加状态;在检测阶段,基于状态序列的出现概率对用户当前行为的异常程度进行分析,并根据Markov链状态的实际含义和用户行为的特点, 采用了较为特殊的判决准则。与Lane T提出的基于隐Markov模型的检测方法相比,该方法的计算复杂度较低,更适用于在线检测。而同基于实例学习的检测方法相比,该方法则在检测准确率方面具有较大优势。文中提出的方法已在实际入侵检测系统中得到应用,并表现出良好的检测性能。 |
| 关 键 词: | 入侵检测 Markov链 异常检测 shell命令 |
| 修稿时间: | 2005年3月10日 |
A New Method for Anomaly Detection of User Behaviors Based on Markov Chain Models |
|
| Wu Shuyue,Tian Xinguang,Gao Lizhi,Zhang Eryang.A New Method for Anomaly Detection of User Behaviors Based on Markov Chain Models[J].Signal Processing,2006,22(3):440-444. | |
| Authors: | Wu Shuyue Tian Xinguang Gao Lizhi Zhang Eryang |
| Abstract: | This paper presents a new method for anomaly detection of user behaviors based on Markov chain models. The method constructs a one-order Markov chain model to represent the normal behavior profile of a network user, and associates shell command sequences with the states of the Markov chain. At the detection stage, the probabilities of the state sequences of the Markov chain is firstly computed, and a specific decision rule is adopted while the particularity of user behaviors is taken into account. The method is less computationally expensive than the method based on hidden Markov models introduced by Lane T, and is more applicable to on - line detection. Compared with the instance-based method, the method in the paper can provide higher detection accuracy. The application of the method in practical intrusion detection systems shows that it has high detection performance. |
| Keywords: | intrusion detection Markov chain anomaly detection shell command |
| 本文献已被 CNKI 万方数据 等数据库收录! | |