基于用户与网络行为分析的主机异常检测方法被引量：7

Analyzing user and network behaviors for host-based anomaly detection

下载PDF

导出

摘要当前针对主机的攻击手段越来越复杂,各种新型攻击出现得越来越频繁,使得针对主机的异常检测变得非常重要.异常检测可以检测未知攻击,并且可以检测内部威胁,成为了网络与系统安全研究的热点之一.已有的异常检测研究中,基于网络流量等单一的信息源进行异常检测的方法容易被攻击者所规避且检测率低.本文提出通过多种信息源建模并进行异常检测,分别对网络行为与用户行为进行分析,使用K最近邻(K-NN)分类算法得出每种行为的异常值,通过加权处理得出总体异常值并将其作为异常检测的判断标准.选取了17名用户进行实验,实验结果表明:在误报率为2.9%的情况下,利用多信息源检测模型能够检测出单一信息源检测模型未能检测出的异常,检测率达到100%. Host borne attacks have become more and more complicated. As novel attacks appear more and more frequently, host based anomaly detection becomes very important. Anomaly detection is able to detect unknown attacks as well as internal threats. It thus has become a widely studied topic in the field of network and system security. Most existing anomaly detection studies are based on a sin by attacker, resu gle source of information such as network traffic, which can be easily bypassed lting in a low detection rate. This paper proposes to establish a multi source model to carry out anomaly detection. We analyze user and network behavior individually, and obtain their anomaly scores with K-Nearest Neighbor （K-NN）algorithm. The overall anomaly scores used for anomaly detection are finally formed with weights of these two behaviors. The experiments selected 17 users for testing and the results show that, in the case of false positive rate of 2.9%, the multi source model can detect anomaly that single source model cannot, and the detection rate reaches 100%.

作者郭志民彭豪辉牛霜霞邵坤吕卓王伟 GUO Zhimin;PENG Haohui;NIU Shuangxia;SHAO Kun;LYU Zhuo;WANG Wei(State Grid Henan Electric Power Research Institute,Zhengzhou 450052,China;Beijing Key Laboratory of Security and Privacy in Intelligent Transportation,Beijing Jiaotong University Beijing 100044,China;No 32082 People＇s Liberation Army of China Troops,Beijing 100120,China)

机构地区国家电网河南省电力公司电力科学研究院北京交通大学智能交通数据安全与隐私保护技术北京市重点实验室中国人民解放军

出处《北京交通大学学报》 CAS CSCD 北大核心 2018年第5期40-46,共7页 JOURNAL OF BEIJING JIAOTONG UNIVERSITY

基金国家重点研发计划(2017YFB0802805) 国家自然科学基金(U1736114,61672092) 中兴通讯产学研合作项目(K17L00190) 电子信息控制重点实验室基金(K16GY00040) 中央高校基本科研业务费专项资金(K17JB00020,K17JB00060)

关键词网络安全异常检测系统安全网络行为用户行为 cyber security anomaly detection system security network behaviors user behaviors

分类号 TP393.2 [自动化与计算机技术—计算机应用技术]

引文网络
相关文献

参考文献2

1张剑,童言,徐明迪,秦涛.轻量级主机数据采集与实时异常事件检测方法研究[J].西安交通大学学报,2017,51(4):97-102. 被引量：6
2赵刚,宋健豪.基于系统调用时间特征的异常行为智能检测系统[J].计算机应用与软件,2015,32(4):309-313. 被引量：4

二级参考文献14

1李涵,包立辉.基于聚类算法的异常入侵检测模型的研究与实现[J].计算机应用与软件,2006,23(10):126-127. 被引量：8
2Denning D E. An Intrusion-detection Model [ J ]. IEEE Transactions on Software Engineefi.ng, 1987,13 ( 2 ) :222 - 23.2.
3Forrest S, Hofmeyr S A, Somayaji A, et al. A Sense of Self for UnixPro- cesses[ C]//Proceedings of the 1996 IEEE Symposium on Research in Securityand Privacy, Los Alamitos, CA : IEEE Computer Society Press, 1QQ. IN -- 19R.
4Hall M, Frank E, Holmes G, et al. The WekaData Mining Software : An Update [ J ]. SIGKDD Explorations,2009,11 ( 1 ) : 10 - 18.
5倪桂强,李佳桢,潘志松,缪志敏.基于支持向量数据描述的击键生物特征认证[J].模式识别与人工智能,2008,21(5):704-708. 被引量：4
6陶敬,马小博,赵娟,郑庆华.基于资源可用性的主机异常检测[J].电子科技大学学报,2007,36(S3):1449-1452. 被引量：3
7吴瀛,江建慧,张蕊.基于系统调用的入侵检测研究进展[J].计算机科学,2011,38(1):20-25. 被引量：9
8李华,刘智,覃征,张小松.基于行为分析和特征码的恶意代码检测技术[J].计算机应用研究,2011,28(3):1127-1129. 被引量：10
9程叶霞,薛质.基于击键特征匹配的单点登录系统[J].通信技术,2012,45(1):99-101. 被引量：4
10贺喜,蒋建春,丁丽萍,王永吉,廖晓峰.基于LDA模型的主机异常检测方法[J].计算机应用与软件,2012,29(8):1-4. 被引量：5