
    Title (translated from the Chinese): An Application-Layer Anomaly Detection Method Based on Application-Layer Protocol Keyword Sequences

    Application Layer Anomaly Detection Based on Application Layer Protocols’ Keyword Sequences

    • Abstract (translated from the Chinese): This paper proposes an application-layer anomaly detection method based on application-layer protocol keyword sequences. The observation sequence is formed from the application-layer protocol keywords and the time intervals between them, and a hidden semi-Markov model (HSMM) is used to characterise the behaviour of a normal user of each application-layer protocol. The method has two phases, model training and anomaly detection. In the training phase, the forward-backward algorithm is used to train an HSMM of normal user behaviour for each application-layer protocol. In the detection phase, the average log-likelihood of each observation sequence with respect to the model is computed online; when a user's behaviour while using some application-layer protocol is found to be anomalous, the priority or bandwidth of that user's data flow is adjusted to control the anomalous behaviour, so that the user's anomalous behaviour can be corrected automatically. The method was validated on several data sets, including the DARPA evaluation data set. The experimental results show that the method describes normal user behaviour on application-layer protocols well, and that it achieves a high detection rate and a low false-positive rate when detecting anomalous user behaviour.


      Abstract: This paper presents an application layer anomaly detection method based on keyword sequences of application layer protocols. In this method, a hidden semi-Markov model is used to describe the behavior of a normal user who is using an application layer protocol, and the keywords, together with their inter-arrival times, generated while using the protocol are used as the observation sequence of the user's behavior. The method is divided into a training phase and a detection phase. In the training phase, the parameters of the hidden semi-Markov model are determined through the forward-backward algorithm for the hidden semi-Markov model. In the detection phase, the average log likelihood of every observation sequence is calculated in real time. If a user's behavior is abnormal while using some application layer protocol, the priority or the bandwidth of the packets belonging to that application will be reduced. In this way the user's anomalous behavior is restricted automatically. An experiment based on several data sets, including the DARPA data set, is conducted to validate the method. The experimental results show that the model is effective in measuring the behavior of normal users of an application layer protocol, and that the method has a high detection rate and a low false positive rate.
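The detection phase described above scores each observation sequence of (keyword, inter-arrival time) pairs by its average log-likelihood under a model of normal behaviour and flags sequences that fall below a threshold. The following is an added example, not code from the paper: it keeps the paper's observation symbols (protocol keyword plus a quantised inter-arrival time) and its average-log-likelihood scoring, but replaces the hidden semi-Markov model trained by forward-backward with a much simpler first-order Markov chain estimated by counting with add-one smoothing. The SMTP-like sessions, the time-bucket boundaries and the threshold margin are all constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample data: each session is a list of (protocol keyword,
# seconds since the previous keyword). The keywords are SMTP commands; the
# sessions themselves are made up for this example.
NORMAL_SESSIONS = [
    [("HELO", 0.0), ("MAIL", 0.4), ("RCPT", 0.3), ("DATA", 0.5), ("QUIT", 1.2)],
    [("HELO", 0.0), ("MAIL", 0.6), ("RCPT", 0.2), ("RCPT", 0.3), ("DATA", 0.4), ("QUIT", 0.9)],
    [("EHLO", 0.0), ("MAIL", 0.5), ("RCPT", 0.4), ("DATA", 0.6), ("QUIT", 1.0)],
    [("HELO", 0.0), ("MAIL", 0.3), ("RCPT", 0.2), ("DATA", 0.7), ("QUIT", 1.5)],
]
# Constructed sequence whose keyword order and timing both depart from the
# sessions above: many RCPT keywords in quick succession and no DATA.
ANOMALOUS_SESSION = [("HELO", 0.0)] + [("RCPT", 0.01)] * 8 + [("QUIT", 0.01)]

# Virtual start and end symbols so that the first keyword and an early
# termination of the session are both part of the scored sequence.
START, END = ("<s>", "-"), ("</s>", "-")


def time_bucket(dt):
    """Quantise an inter-arrival time into coarse classes (assumed boundaries)."""
    if dt < 0.1:
        return "fast"
    if dt < 1.0:
        return "normal"
    return "slow"


def to_symbols(session):
    """Observation symbols are (keyword, time-bucket) pairs."""
    return [(kw, time_bucket(dt)) for kw, dt in session]


class KeywordMarkovModel:
    """First-order Markov chain over observation symbols (stand-in for the HSMM)."""

    def __init__(self):
        self.counts = defaultdict(Counter)  # counts[prev][cur] = transitions seen
        self.vocab = set()

    def fit(self, sessions):
        """Training by counting transitions in sessions known to be normal."""
        for session in sessions:
            path = [START] + to_symbols(session) + [END]
            for prev, cur in zip(path, path[1:]):
                self.counts[prev][cur] += 1
                self.vocab.add(cur)
        return self

    def log_transition(self, prev, cur):
        """Add-one smoothed log P(cur | prev); the extra +1 in the denominator
        reserves probability mass for symbols never seen in training."""
        row = self.counts.get(prev, Counter())
        return math.log((row[cur] + 1.0) / (sum(row.values()) + len(self.vocab) + 1.0))

    def average_log_likelihood(self, session):
        """Per-transition average, so sessions of different length are comparable."""
        path = [START] + to_symbols(session) + [END]
        total = sum(self.log_transition(p, c) for p, c in zip(path, path[1:]))
        return total / (len(path) - 1)


def choose_threshold(model, normal_sessions, margin=0.5):
    """Threshold just below the lowest score of any training session.
    The margin is an assumed tuning knob; it trades detection rate for false positives."""
    return min(model.average_log_likelihood(s) for s in normal_sessions) - margin


def is_anomalous(model, session, threshold):
    return model.average_log_likelihood(session) < threshold


MODEL = KeywordMarkovModel().fit(NORMAL_SESSIONS)
THRESHOLD = choose_threshold(MODEL, NORMAL_SESSIONS)

if __name__ == "__main__":
    for s in NORMAL_SESSIONS + [ANOMALOUS_SESSION]:
        verdict = "ANOMALY" if is_anomalous(MODEL, s, THRESHOLD) else "ok"
        print(f"{MODEL.average_log_likelihood(s):7.3f}  {verdict}  {[kw for kw, _ in s]}")
```

The normal sessions score around -1.1 to -1.4 nats per transition and the constructed anomalous session around -2.1, because both its unseen symbol (RCPT with a "fast" gap) and its unseen transitions receive only the smoothed floor probability. In the paper the same per-sequence score is produced by the HSMM forward pass, which additionally models how long the user stays in each hidden state; the thresholding and the response (adjusting the flow's priority or bandwidth rather than dropping it) are where the operational decision lives.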


