Abstract
This paper proposes a user-behavior anomaly detection method based on hidden Markov models (HMMs), intended mainly for host-based intrusion detection systems that use shell commands as audit data. Compared with the detection method proposed by T. Lane, the proposed method improves the representation of user behavior patterns and behavior profiles, trains the HMM with a sequence-matching method of lower computational cost, and judges the monitored user's behavior from the occurrence probabilities of state sequences. Experiments show that the method achieves high detection accuracy and good practicability.
A method for anomaly detection of user behaviors is presented for host-based intrusion detection systems that use shell commands as audit data. The method constructs specific hidden Markov models (HMMs) to represent the behavior profiles of users. The HMMs are trained by a sequence-matching algorithm that is much simpler than the classical Baum-Welch algorithm. A decision rule based on the probabilities of short state sequences is adopted, taking the particularity of the states into account. Computer simulation results show that the presented method achieves high detection accuracy and practicability.
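The abstract describes the detection pipeline only at a high level: a per-user behavior profile, short state sequences scored by probability, and a decision on the monitored command stream. The following Python example is added here and is not code from the paper; it does not reproduce the paper's HMM or its sequence-matching training step. Instead it substitutes a first-order Markov chain over commands (the degenerate HMM in which each state emits exactly one command) fitted by counting with additive smoothing, and keeps the shape of the paper's decision rule: fixed-length command windows are scored by log-probability, a threshold is learned from the user's own training sessions, and a session is judged anomalous when the share of low-probability windows exceeds a rate. The training and test sessions, the window size, smoothing weight, safety margin and flag rate are all constructed assumptions for the example.

```python
"""Window-probability anomaly scoring of shell-command audit data.

Added illustration, not the paper's implementation. The paper's HMM and its
sequence-matching training step are replaced by a first-order Markov chain
over commands (each state emits exactly one command) fitted by counting with
additive smoothing. Short command windows are scored by log-probability and a
session is flagged when too many windows fall below a threshold derived from
the user's own training sessions. All sessions and parameters are assumed.
"""
import math
from collections import Counter, defaultdict

# Constructed training sessions for one user (hypothetical audit records).
NORMAL_SESSIONS = [
    "cd ls vim make ls git cd ls vim make git",
    "ls cd vim vim make make ls git",
    "cd ls git vim make ls git cd",
    "vim make ls git cd ls vim make",
]
# Constructed sessions to monitor: one in profile, one containing commands
# the profile has never seen (wget, chmod, nc, bash).
NORMAL_TEST = "cd ls vim make git ls cd vim make"
ANOMALOUS_TEST = "cd ls wget chmod nc ls nc bash"

UNK = "<UNK>"  # bucket for commands absent from training data


class CommandChainProfile:
    """First-order Markov profile of a user's command stream."""

    def __init__(self, alpha=0.5):
        self.alpha = alpha                 # additive smoothing weight (assumed)
        self.unigram = Counter()           # counts for the first command of a window
        self.trans = defaultdict(Counter)  # trans[a][b] = number of a -> b transitions
        self.vocab = {UNK}

    def fit(self, sessions):
        for session in sessions:
            cmds = session.split()
            self.vocab.update(cmds)
            self.unigram.update(cmds)
            for a, b in zip(cmds, cmds[1:]):
                self.trans[a][b] += 1
        return self

    def _key(self, cmd):
        return cmd if cmd in self.vocab else UNK

    def log_unigram(self, cmd):
        n = sum(self.unigram.values())
        v = len(self.vocab)
        return math.log((self.unigram[self._key(cmd)] + self.alpha) / (n + self.alpha * v))

    def log_trans(self, a, b):
        row = self.trans[self._key(a)]
        v = len(self.vocab)
        return math.log((row[self._key(b)] + self.alpha) / (sum(row.values()) + self.alpha * v))

    def window_logprob(self, window):
        """log P(c1) + sum of log P(c_i | c_{i-1}) over one short window."""
        lp = self.log_unigram(window[0])
        for a, b in zip(window, window[1:]):
            lp += self.log_trans(a, b)
        return lp

    def window_scores(self, session, w=3):
        cmds = session.split()
        return [self.window_logprob(cmds[i:i + w]) for i in range(len(cmds) - w + 1)]


class WindowDetector:
    """Flags a session when the share of low-probability windows is too high."""

    def __init__(self, profile, sessions, w=3, margin=2.0, max_flag_rate=0.3):
        self.profile = profile
        self.w = w
        self.max_flag_rate = max_flag_rate
        # Threshold: lowest window log-probability observed on the user's own
        # training sessions, minus an assumed safety margin (in nats).
        train_scores = [s for sess in sessions for s in profile.window_scores(sess, w)]
        self.threshold = min(train_scores) - margin

    def flagged_windows(self, session):
        return sum(1 for s in self.profile.window_scores(session, self.w) if s < self.threshold)

    def is_anomalous(self, session):
        scores = self.profile.window_scores(session, self.w)
        if not scores:
            return False  # shorter than one window: nothing to judge
        return self.flagged_windows(session) / len(scores) > self.max_flag_rate


PROFILE = CommandChainProfile().fit(NORMAL_SESSIONS)
DETECTOR = WindowDetector(PROFILE, NORMAL_SESSIONS)

if __name__ == "__main__":
    for name, sess in (("normal", NORMAL_TEST), ("anomalous", ANOMALOUS_TEST)):
        print(name, DETECTOR.flagged_windows(sess), DETECTOR.is_anomalous(sess))
```

Two design points carry over to a real deployment. Commands never seen in training fall into the `<UNK>` bucket, and it is the unigram term at the start of each window, not the transition term, that makes a run of unknown commands score low; a model scoring transitions alone would give an unknown-to-unknown step the uniform probability 1/|V| and could miss it. The threshold here is derived from the training minimum only for illustration; in practice it must be calibrated on held-out sessions of the same user so the false-alarm and miss rates can be measured before the detector is trusted.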
Source
Journal on Communications (通信学报), 2007, No. 4, pp. 38-43 (6 pages)
Indexed in: EI, CSCD, Peking University Core Journals (北大核心)
Funding
National High Technology Research and Development Program of China ("863" Program), grant 863-307-7-5
Keywords
intrusion detection
anomaly detection
behavior pattern
hidden Markov model