Anomaly Detection of User Behavior Based on Shell Commands and Co-Occurrence Matrix
Abstract (translated from the Chinese): Anomaly detection of user behavior is currently a hot topic in network security research. This paper proposes a new co-occurrence-matrix-based method for anomaly detection of user behavior, intended mainly for intrusion detection systems on Unix or Linux platforms that use shell commands as audit data. In the training stage, the method takes full account of the complex and changeable nature of user behavior and of the temporal correlation in the audit data: it determines events according to the occurrence frequency of shell commands using a stepwise data-merging procedure, and then constructs a model matrix that characterizes the user's normal behavior. In the detection stage, a partly normalized co-occurrence matrix is first constructed for each current event sequence; the distances between these matrices and the model matrix are then computed according to the matrix 2-norm, yielding a distance stream; finally, the distance stream is smoothed to filter noise and used to judge the user's behavior. Two sets of experiments, on the Purdue University data and on the SEA data, show that the method achieves high detection performance and is more practical to operate than comparable methods.

Abstract: Anomaly detection of user behavior is now one of the major concerns of system security research. Anomaly detection systems establish the normal behavior profile of a subject (e.g. a user), compare the observed behavior of the subject with the profile, and signal intrusions when the subject's observed behavior differs significantly from the profile. One problem with anomaly detection is that it is likely to raise many false alarms: unusual but legitimate use may sometimes be considered anomalous. This paper proposes a novel method for anomaly detection of user behavior, which is applicable to host-based intrusion detection systems using shell commands as audit data. Considering the properties and the uncertainty of user behavior, the method obtains an event sequence with fewer distinct events after hierarchically merging shell command tokens into sets, and then profiles the user's normal behavior with a partly normalized co-occurrence matrix. In the detection stage, a normalized co-occurrence matrix is constructed for each current event sequence. The distances between these matrices and the profile matrix are then calculated according to the matrix 2-norm. Finally, they are filtered with sliding windows and used to determine whether the monitored user's behavior is normal or anomalous. The experimental results on the Purdue University and SEA datasets show that the proposed method achieves higher detection accuracy, requires less memory and takes less time than traditional methods.
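An added worked example (not code from the paper) of the pipeline the abstract describes: rare shell commands are merged into one shared event, a partly normalized co-occurrence matrix built from training data serves as the profile, each current sequence's matrix is compared with the profile by the matrix 2-norm, and the resulting distance stream is smoothed with a sliding window. The one-tier merge rule, the normalization by sequence length, the window sizes and the sample command sequences are assumptions, since the abstract does not give them.

```python
import math
from collections import Counter

OTHER = "<rare>"  # shared event for commands too rare to keep individually

def build_index(train_cmds, min_count=2):
    # Commands seen fewer than min_count times collapse into OTHER: a one-tier
    # stand-in for the paper's stepwise frequency-based merging (assumption).
    freq = Counter(train_cmds)
    events = sorted(c for c in freq if freq[c] >= min_count) + [OTHER]
    return {e: i for i, e in enumerate(events)}

def to_events(cmds, index):
    return [index.get(c, index[OTHER]) for c in cmds]

def cooccurrence(events, k, span=2):
    # m[i][j]: how often event j follows event i within `span` positions,
    # divided by the sequence length (the normalization assumed here).
    m = [[0.0] * k for _ in range(k)]
    for pos, a in enumerate(events):
        for b in events[pos + 1:pos + 1 + span]:
            m[a][b] += 1.0
    return [[v / max(len(events), 1) for v in row] for row in m]

def norm2(a, iters=100):
    # Matrix 2-norm (largest singular value) via power iteration on A^T A.
    k = len(a)
    ata = [[sum(a[r][i] * a[r][j] for r in range(k)) for j in range(k)] for i in range(k)]
    v, lam = [1.0 / math.sqrt(k)] * k, 0.0
    for _ in range(iters):
        w = [sum(ata[i][j] * v[j] for j in range(k)) for i in range(k)]
        lam = math.sqrt(sum(x * x for x in w))
        if lam == 0.0: return 0.0
        v = [x / lam for x in w]
    return math.sqrt(lam)

def distance_stream(events, profile, seq_len=8, step=4, win=3):
    # 2-norm distance of each current-sequence matrix from the profile, then
    # the distance stream is smoothed with a sliding window of `win` values.
    k, ds = len(profile), []
    for s in range(0, len(events) - seq_len + 1, step):
        cur = cooccurrence(events[s:s + seq_len], k)
        ds.append(norm2([[cur[i][j] - profile[i][j] for j in range(k)] for i in range(k)]))
    return [sum(ds[i:i + win]) / win for i in range(len(ds) - win + 1)]

def demo():
    # Constructed sample data: a user's editing routine vs. an unfamiliar session.
    train = ["ls", "cd", "cat", "vi"] * 10 + ["man", "top"]   # two rare commands
    index = build_index(train)
    profile = cooccurrence(to_events(train, index), len(index))
    normal = ["ls", "cd", "cat", "vi"] * 5
    unusual = ["gcc", "tar", "scp", "make"] * 5               # all map to OTHER
    return distance_stream(to_events(normal, index), profile), distance_stream(to_events(unusual, index), profile)
```

The smoothed distances stay small for the routine session and jump for the unfamiliar one; a threshold on the smoothed stream is the natural alarm rule, and the smoothing is what keeps a single odd window from raising a false alarm.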